replace uses of deprecated containerd/sys.RunningInUserNS()
This utility was moved to a separate package, which has no dependencies. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
parent
f32fc350ce
commit
472f21b923
|
@ -27,8 +27,8 @@ import (
|
||||||
"github.com/containerd/containerd"
|
"github.com/containerd/containerd"
|
||||||
"github.com/containerd/containerd/defaults"
|
"github.com/containerd/containerd/defaults"
|
||||||
"github.com/containerd/containerd/pkg/dialer"
|
"github.com/containerd/containerd/pkg/dialer"
|
||||||
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/containerd/containerd/remotes/docker"
|
"github.com/containerd/containerd/remotes/docker"
|
||||||
"github.com/containerd/containerd/sys"
|
|
||||||
"github.com/docker/docker/api/types"
|
"github.com/docker/docker/api/types"
|
||||||
containertypes "github.com/docker/docker/api/types/container"
|
containertypes "github.com/docker/docker/api/types/container"
|
||||||
"github.com/docker/docker/api/types/swarm"
|
"github.com/docker/docker/api/types/swarm"
|
||||||
|
@ -1053,7 +1053,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
sysInfo := d.RawSysInfo(false)
|
sysInfo := d.RawSysInfo(false)
|
||||||
// Check if Devices cgroup is mounted, it is hard requirement for container security,
|
// Check if Devices cgroup is mounted, it is hard requirement for container security,
|
||||||
// on Linux.
|
// on Linux.
|
||||||
if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled && !sys.RunningInUserNS() {
|
if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled && !userns.RunningInUserNS() {
|
||||||
return nil, errors.New("Devices cgroup isn't mounted")
|
return nil, errors.New("Devices cgroup isn't mounted")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@ import (
|
||||||
"github.com/containerd/cgroups"
|
"github.com/containerd/cgroups"
|
||||||
statsV1 "github.com/containerd/cgroups/stats/v1"
|
statsV1 "github.com/containerd/cgroups/stats/v1"
|
||||||
statsV2 "github.com/containerd/cgroups/v2/stats"
|
statsV2 "github.com/containerd/cgroups/v2/stats"
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/api/types"
|
"github.com/docker/docker/api/types"
|
||||||
"github.com/docker/docker/api/types/blkiodev"
|
"github.com/docker/docker/api/types/blkiodev"
|
||||||
pblkiodev "github.com/docker/docker/api/types/blkiodev"
|
pblkiodev "github.com/docker/docker/api/types/blkiodev"
|
||||||
|
@ -1645,7 +1645,7 @@ func setMayDetachMounts() error {
|
||||||
// Setting may_detach_mounts does not work in an
|
// Setting may_detach_mounts does not work in an
|
||||||
// unprivileged container. Ignore the error, but log
|
// unprivileged container. Ignore the error, but log
|
||||||
// it if we appear not to be in that situation.
|
// it if we appear not to be in that situation.
|
||||||
if !sys.RunningInUserNS() {
|
if !userns.RunningInUserNS() {
|
||||||
logrus.Debugf("Permission denied writing %q to /proc/sys/fs/may_detach_mounts", "1")
|
logrus.Debugf("Permission denied writing %q to /proc/sys/fs/may_detach_mounts", "1")
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
|
@ -1668,7 +1668,7 @@ func setupOOMScoreAdj(score int) error {
|
||||||
// Setting oom_score_adj does not work in an
|
// Setting oom_score_adj does not work in an
|
||||||
// unprivileged container. Ignore the error, but log
|
// unprivileged container. Ignore the error, but log
|
||||||
// it if we appear not to be in that situation.
|
// it if we appear not to be in that situation.
|
||||||
if !sys.RunningInUserNS() {
|
if !userns.RunningInUserNS() {
|
||||||
logrus.Debugf("Permission denied writing %q to /proc/self/oom_score_adj", stringScore)
|
logrus.Debugf("Permission denied writing %q to /proc/self/oom_score_adj", stringScore)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
|
|
|
@ -35,7 +35,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/daemon/graphdriver"
|
"github.com/docker/docker/daemon/graphdriver"
|
||||||
"github.com/docker/docker/pkg/archive"
|
"github.com/docker/docker/pkg/archive"
|
||||||
"github.com/docker/docker/pkg/chrootarchive"
|
"github.com/docker/docker/pkg/chrootarchive"
|
||||||
|
@ -174,7 +174,7 @@ func supportsAufs() error {
|
||||||
// proc/filesystems for when aufs is supported
|
// proc/filesystems for when aufs is supported
|
||||||
exec.Command("modprobe", "aufs").Run()
|
exec.Command("modprobe", "aufs").Run()
|
||||||
|
|
||||||
if sys.RunningInUserNS() {
|
if userns.RunningInUserNS() {
|
||||||
return ErrAufsNested
|
return ErrAufsNested
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
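Review bot: In supportsAufs the `modprobe aufs` call runs before the user-namespace check, so a daemon inside a user namespace still spawns modprobe (looked up through PATH, result discarded) only to return ErrAufsNested immediately afterwards. Moving the `if userns.RunningInUserNS() { return ErrAufsNested }` guard above `exec.Command("modprobe", "aufs").Run()` would avoid the pointless exec. If the current order is intentional, a comment should say why. The function body starts before and continues after the hunk.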
@ -11,7 +11,7 @@ import (
|
||||||
"syscall"
|
"syscall"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/pools"
|
"github.com/docker/docker/pkg/pools"
|
||||||
"github.com/docker/docker/pkg/system"
|
"github.com/docker/docker/pkg/system"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
|
@ -184,7 +184,7 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
case mode&os.ModeDevice != 0:
|
case mode&os.ModeDevice != 0:
|
||||||
if sys.RunningInUserNS() {
|
if userns.RunningInUserNS() {
|
||||||
// cannot create a device if running in user namespace
|
// cannot create a device if running in user namespace
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,7 +14,7 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/daemon/graphdriver"
|
"github.com/docker/docker/daemon/graphdriver"
|
||||||
"github.com/docker/docker/daemon/graphdriver/overlayutils"
|
"github.com/docker/docker/daemon/graphdriver/overlayutils"
|
||||||
"github.com/docker/docker/pkg/archive"
|
"github.com/docker/docker/pkg/archive"
|
||||||
|
@ -468,7 +468,7 @@ func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64
|
||||||
GIDMaps: d.gidMaps,
|
GIDMaps: d.gidMaps,
|
||||||
// Use AUFS whiteout format: https://github.com/containers/storage/blob/39a8d5ed9843844eafb5d2ba6e6a7510e0126f40/drivers/overlay/overlay.go#L1084-L1089
|
// Use AUFS whiteout format: https://github.com/containers/storage/blob/39a8d5ed9843844eafb5d2ba6e6a7510e0126f40/drivers/overlay/overlay.go#L1084-L1089
|
||||||
WhiteoutFormat: archive.AUFSWhiteoutFormat,
|
WhiteoutFormat: archive.AUFSWhiteoutFormat,
|
||||||
InUserNS: sys.RunningInUserNS(),
|
InUserNS: userns.RunningInUserNS(),
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return 0, err
|
return 0, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,7 +10,7 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/system"
|
"github.com/docker/docker/pkg/system"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
|
@ -24,7 +24,7 @@ import (
|
||||||
// When running in a user namespace, returns errRunningInUserNS
|
// When running in a user namespace, returns errRunningInUserNS
|
||||||
// immediately.
|
// immediately.
|
||||||
func doesSupportNativeDiff(d string) error {
|
func doesSupportNativeDiff(d string) error {
|
||||||
if sys.RunningInUserNS() {
|
if userns.RunningInUserNS() {
|
||||||
return errors.New("running in a user namespace")
|
return errors.New("running in a user namespace")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
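Review bot: The doc comment on doesSupportNativeDiff says it returns errRunningInUserNS, but the body returns a fresh `errors.New("running in a user namespace")`, so callers cannot match the condition with `errors.Is`. Either reword the comment to `// When running in a user namespace, returns an error immediately.` or return a package-level sentinel if one is declared elsewhere in the file (not visible here). The function continues outside the hunk.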
@ -26,7 +26,7 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
|
||||||
"github.com/containerd/containerd/mount"
|
"github.com/containerd/containerd/mount"
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/parsers/kernel"
|
"github.com/docker/docker/pkg/parsers/kernel"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
@ -51,7 +51,7 @@ import (
|
||||||
//
|
//
|
||||||
// The "userxattr" support is not exposed in "/sys/module/overlay/parameters".
|
// The "userxattr" support is not exposed in "/sys/module/overlay/parameters".
|
||||||
func NeedsUserXAttr(d string) (bool, error) {
|
func NeedsUserXAttr(d string) (bool, error) {
|
||||||
if !sys.RunningInUserNS() {
|
if !userns.RunningInUserNS() {
|
||||||
// we are the real root (i.e., the root in the initial user NS),
|
// we are the real root (i.e., the root in the initial user NS),
|
||||||
// so we do never need "userxattr" opt.
|
// so we do never need "userxattr" opt.
|
||||||
return false, nil
|
return false, nil
|
||||||
|
|
|
@ -15,7 +15,7 @@ import (
|
||||||
"github.com/containerd/containerd/containers"
|
"github.com/containerd/containerd/containers"
|
||||||
coci "github.com/containerd/containerd/oci"
|
coci "github.com/containerd/containerd/oci"
|
||||||
"github.com/containerd/containerd/pkg/apparmor"
|
"github.com/containerd/containerd/pkg/apparmor"
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
containertypes "github.com/docker/docker/api/types/container"
|
containertypes "github.com/docker/docker/api/types/container"
|
||||||
"github.com/docker/docker/container"
|
"github.com/docker/docker/container"
|
||||||
daemonconfig "github.com/docker/docker/daemon/config"
|
daemonconfig "github.com/docker/docker/daemon/config"
|
||||||
|
@ -652,7 +652,7 @@ func WithMounts(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||||
// "mount" when we bind-mount. The reason for this is that at the point
|
// "mount" when we bind-mount. The reason for this is that at the point
|
||||||
// when runc sets up the root filesystem, it is already inside a user
|
// when runc sets up the root filesystem, it is already inside a user
|
||||||
// namespace, and thus cannot change any flags that are locked.
|
// namespace, and thus cannot change any flags that are locked.
|
||||||
if daemon.configStore.RemappedRoot != "" || sys.RunningInUserNS() {
|
if daemon.configStore.RemappedRoot != "" || userns.RunningInUserNS() {
|
||||||
unprivOpts, err := getUnprivilegedMountFlags(m.Source)
|
unprivOpts, err := getUnprivilegedMountFlags(m.Source)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -873,7 +873,7 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||||
var devs []specs.LinuxDevice
|
var devs []specs.LinuxDevice
|
||||||
devPermissions := s.Linux.Resources.Devices
|
devPermissions := s.Linux.Resources.Devices
|
||||||
|
|
||||||
if c.HostConfig.Privileged && !sys.RunningInUserNS() {
|
if c.HostConfig.Privileged && !userns.RunningInUserNS() {
|
||||||
hostDevices, err := devices.HostDevices()
|
hostDevices, err := devices.HostDevices()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
|
@ -7,7 +7,7 @@ import (
|
||||||
"syscall"
|
"syscall"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/system"
|
"github.com/docker/docker/pkg/system"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
"gotest.tools/v3/assert"
|
"gotest.tools/v3/assert"
|
||||||
|
@ -25,7 +25,7 @@ import (
|
||||||
// └── f1 # whiteout, 0644
|
// └── f1 # whiteout, 0644
|
||||||
func setupOverlayTestDir(t *testing.T, src string) {
|
func setupOverlayTestDir(t *testing.T, src string) {
|
||||||
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
||||||
skip.If(t, sys.RunningInUserNS(), "skipping test that requires initial userns (trusted.overlay.opaque xattr cannot be set in userns, even with Ubuntu kernel)")
|
skip.If(t, userns.RunningInUserNS(), "skipping test that requires initial userns (trusted.overlay.opaque xattr cannot be set in userns, even with Ubuntu kernel)")
|
||||||
// Create opaque directory containing single file and permission 0700
|
// Create opaque directory containing single file and permission 0700
|
||||||
err := os.Mkdir(filepath.Join(src, "d1"), 0700)
|
err := os.Mkdir(filepath.Join(src, "d1"), 0700)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
|
|
|
@ -17,7 +17,7 @@ import (
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/idtools"
|
"github.com/docker/docker/pkg/idtools"
|
||||||
"github.com/docker/docker/pkg/ioutils"
|
"github.com/docker/docker/pkg/ioutils"
|
||||||
"gotest.tools/v3/assert"
|
"gotest.tools/v3/assert"
|
||||||
|
@ -1251,7 +1251,7 @@ func TestReplaceFileTarWrapper(t *testing.T) {
|
||||||
// version of this package that was built with <=go17 are still readable.
|
// version of this package that was built with <=go17 are still readable.
|
||||||
func TestPrefixHeaderReadable(t *testing.T) {
|
func TestPrefixHeaderReadable(t *testing.T) {
|
||||||
skip.If(t, runtime.GOOS != "windows" && os.Getuid() != 0, "skipping test that requires root")
|
skip.If(t, runtime.GOOS != "windows" && os.Getuid() != 0, "skipping test that requires root")
|
||||||
skip.If(t, sys.RunningInUserNS(), "skipping test that requires more than 010000000 UIDs, which is unlikely to be satisfied when running in userns")
|
skip.If(t, userns.RunningInUserNS(), "skipping test that requires more than 010000000 UIDs, which is unlikely to be satisfied when running in userns")
|
||||||
// https://gist.github.com/stevvooe/e2a790ad4e97425896206c0816e1a882#file-out-go
|
// https://gist.github.com/stevvooe/e2a790ad4e97425896206c0816e1a882#file-out-go
|
||||||
var testFile = []byte("\x1f\x8b\x08\x08\x44\x21\x68\x59\x00\x03\x74\x2e\x74\x61\x72\x00\x4b\xcb\xcf\x67\xa0\x35\x30\x80\x00\x86\x06\x10\x47\x01\xc1\x37\x40\x00\x54\xb6\xb1\xa1\xa9\x99\x09\x48\x25\x1d\x40\x69\x71\x49\x62\x91\x02\xe5\x76\xa1\x79\x84\x21\x91\xd6\x80\x72\xaf\x8f\x82\x51\x30\x0a\x46\x36\x00\x00\xf0\x1c\x1e\x95\x00\x06\x00\x00")
|
var testFile = []byte("\x1f\x8b\x08\x08\x44\x21\x68\x59\x00\x03\x74\x2e\x74\x61\x72\x00\x4b\xcb\xcf\x67\xa0\x35\x30\x80\x00\x86\x06\x10\x47\x01\xc1\x37\x40\x00\x54\xb6\xb1\xa1\xa9\x99\x09\x48\x25\x1d\x40\x69\x71\x49\x62\x91\x02\xe5\x76\xa1\x79\x84\x21\x91\xd6\x80\x72\xaf\x8f\x82\x51\x30\x0a\x46\x36\x00\x00\xf0\x1c\x1e\x95\x00\x06\x00\x00")
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/idtools"
|
"github.com/docker/docker/pkg/idtools"
|
||||||
"github.com/docker/docker/pkg/system"
|
"github.com/docker/docker/pkg/system"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
|
@ -92,7 +92,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
err := system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
|
err := system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
|
||||||
if errors.Is(err, syscall.EPERM) && sys.RunningInUserNS() {
|
if errors.Is(err, syscall.EPERM) && userns.RunningInUserNS() {
|
||||||
// In most cases, cannot create a device if running in user namespace
|
// In most cases, cannot create a device if running in user namespace
|
||||||
err = nil
|
err = nil
|
||||||
}
|
}
|
||||||
|
|
|
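Review bot: The EPERM tolerance in handleTarTypeBlockCharFifo applies to every entry type the function handles, including FIFOs, although the comment only justifies it for device nodes. A FIFO that fails with EPERM inside a user namespace is then dropped without any trace. Consider narrowing the guard, e.g. `if errors.Is(err, syscall.EPERM) && userns.RunningInUserNS() && hdr.Typeflag != tar.TypeFifo {`, and logging the skipped path at debug level. The function starts before and continues after the hunk, so how err is used afterwards is not visible.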
@ -14,7 +14,7 @@ import (
|
||||||
"syscall"
|
"syscall"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/system"
|
"github.com/docker/docker/pkg/system"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
"gotest.tools/v3/assert"
|
"gotest.tools/v3/assert"
|
||||||
|
@ -204,7 +204,7 @@ func getInode(path string) (uint64, error) {
|
||||||
|
|
||||||
func TestTarWithBlockCharFifo(t *testing.T) {
|
func TestTarWithBlockCharFifo(t *testing.T) {
|
||||||
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
||||||
skip.If(t, sys.RunningInUserNS(), "skipping test that requires initial userns")
|
skip.If(t, userns.RunningInUserNS(), "skipping test that requires initial userns")
|
||||||
origin, err := ioutil.TempDir("", "docker-test-tar-hardlink")
|
origin, err := ioutil.TempDir("", "docker-test-tar-hardlink")
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,7 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/moby/sys/mount"
|
"github.com/moby/sys/mount"
|
||||||
"github.com/moby/sys/mountinfo"
|
"github.com/moby/sys/mountinfo"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
|
@ -20,7 +20,7 @@ import (
|
||||||
// This is similar to how libcontainer sets up a container's rootfs
|
// This is similar to how libcontainer sets up a container's rootfs
|
||||||
func chroot(path string) (err error) {
|
func chroot(path string) (err error) {
|
||||||
// if the engine is running in a user namespace we need to use actual chroot
|
// if the engine is running in a user namespace we need to use actual chroot
|
||||||
if sys.RunningInUserNS() {
|
if userns.RunningInUserNS() {
|
||||||
return realChroot(path)
|
return realChroot(path)
|
||||||
}
|
}
|
||||||
if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
|
if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
|
||||||
|
|
|
@ -13,7 +13,7 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"runtime"
|
"runtime"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/docker/docker/pkg/archive"
|
"github.com/docker/docker/pkg/archive"
|
||||||
"github.com/docker/docker/pkg/reexec"
|
"github.com/docker/docker/pkg/reexec"
|
||||||
"github.com/docker/docker/pkg/system"
|
"github.com/docker/docker/pkg/system"
|
||||||
|
@ -36,7 +36,7 @@ func applyLayer() {
|
||||||
runtime.LockOSThread()
|
runtime.LockOSThread()
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
inUserns := sys.RunningInUserNS()
|
inUserns := userns.RunningInUserNS()
|
||||||
if err := chroot(flag.Arg(0)); err != nil {
|
if err := chroot(flag.Arg(0)); err != nil {
|
||||||
fatal(err)
|
fatal(err)
|
||||||
}
|
}
|
||||||
|
@ -95,7 +95,7 @@ func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions
|
||||||
}
|
}
|
||||||
if options == nil {
|
if options == nil {
|
||||||
options = &archive.TarOptions{}
|
options = &archive.TarOptions{}
|
||||||
if sys.RunningInUserNS() {
|
if userns.RunningInUserNS() {
|
||||||
options.InUserNS = true
|
options.InUserNS = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
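Review bot: applyLayer reads `userns.RunningInUserNS()` into inUserns before calling `chroot(flag.Arg(0))`, but nothing in the code says that this order matters. The check presumably inspects procfs, which may not be reachable once the process is confined to the layer root, so a later reordering could silently change the result. A comment such as `// detect the user namespace before chroot; the check may not work from inside the new root` above the assignment would protect the ordering. Both function bodies in this section continue outside their hunks.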
@ -7,7 +7,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
cgroupsV2 "github.com/containerd/cgroups/v2"
|
cgroupsV2 "github.com/containerd/cgroups/v2"
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
@ -164,6 +164,6 @@ func applyPIDSCgroupInfoV2(info *SysInfo, controllers map[string]struct{}, _ str
|
||||||
}
|
}
|
||||||
|
|
||||||
func applyDevicesCgroupInfoV2(info *SysInfo, controllers map[string]struct{}, _ string) []string {
|
func applyDevicesCgroupInfoV2(info *SysInfo, controllers map[string]struct{}, _ string) []string {
|
||||||
info.CgroupDevicesEnabled = !sys.RunningInUserNS()
|
info.CgroupDevicesEnabled = !userns.RunningInUserNS()
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
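Review bot: applyDevicesCgroupInfoV2 never inspects `controllers`; it sets CgroupDevicesEnabled to the negation of the user-namespace check. With that, the NewDaemon guard `!sysInfo.CgroupDevicesEnabled && !userns.RunningInUserNS()` can never fire on a cgroup v2 host (assuming this is the only place the field is set for v2), so the "hard requirement for container security" is assumed rather than verified there. A doc comment should state this, for example `// cgroup v2 has no devices controller to probe; device filtering is assumed to be available unless running in a user namespace`.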
@ -58,7 +58,7 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
"unsafe"
|
"unsafe"
|
||||||
|
|
||||||
"github.com/containerd/containerd/sys"
|
"github.com/containerd/containerd/pkg/userns"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
|
@ -118,7 +118,7 @@ func NewControl(basePath string) (*Control, error) {
|
||||||
// If we are running in a user namespace quota won't be supported for
|
// If we are running in a user namespace quota won't be supported for
|
||||||
// now since makeBackingFsDev() will try to mknod().
|
// now since makeBackingFsDev() will try to mknod().
|
||||||
//
|
//
|
||||||
if sys.RunningInUserNS() {
|
if userns.RunningInUserNS() {
|
||||||
return nil, ErrQuotaNotSupported
|
return nil, ErrQuotaNotSupported
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|