Remove cgroup read-only flag when privileged

Fixes: #14543 It needs libcontainer fix from: https://github.com/opencontainers/runc/pull/91 Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2022-11-09 12:21:53 -05:00 · 2015-07-14 15:00:41 +08:00 · 2015-07-14 15:00:41 +08:00 · a7f5e1c4c3
commit a7f5e1c4c3
parent 5ca3e7c54c
1 changed files with 7 additions and 0 deletions
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@ -48,6 +48,13 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
 			container.ReadonlyPaths = nil
 		}

+		// clear readonly for cgroup
+		for i := range container.Mounts {
+			if container.Mounts[i].Device == "cgroup" {
+				container.Mounts[i].Flags &= ^syscall.MS_RDONLY
+			}
+		}
+
 		container.MaskPaths = nil
 		if err := d.setPrivileged(container); err != nil {
 			return nil, err