kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity

Merge pull request #40845 from AkihiroSuda/allow-privileged-cgroupns-private-on-cgroup-v1 

support `--privileged --cgroupns=private` on cgroup v1
This commit is contained in:
Sebastiaan van Stijn 2020-05-07 21:11:42 +02:00 committed by GitHub
parent 47d9489e7c 33ee7941d4
commit b453b64d04
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 3 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
daemon/daemon_unix.go
View File

@ -711,10 +711,6 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
if !sysInfo.CgroupNamespaces {
warnings = append(warnings, "Your kernel does not support cgroup namespaces. Cgroup namespace setting discarded.")
}
if hostConfig.Privileged && !cgroups.IsCgroup2UnifiedMode() {
return warnings, fmt.Errorf("privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode")
}
}
return warnings, nil

5
daemon/oci_linux.go
View File

@ -339,10 +339,7 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
if !cgroupNsMode.Valid() {
return fmt.Errorf("invalid cgroup namespace mode: %v", cgroupNsMode)
}
// for cgroup v2: unshare cgroupns even for privileged containers
// https://github.com/containers/libpod/pull/4374#issuecomment-549776387
if cgroupNsMode.IsPrivate() && (cgroups.IsCgroup2UnifiedMode() || !c.HostConfig.Privileged) {
if cgroupNsMode.IsPrivate() {
nsCgroup := specs.LinuxNamespace{Type: "cgroup"}
setNamespace(s, nsCgroup)
}

5
integration/container/run_cgroupns_linux_test.go
View File

@ -114,9 +114,8 @@ func TestCgroupNamespacesRunPrivilegedAndPrivate(t *testing.T) {
skip.If(t, testEnv.IsRemoteDaemon())
skip.If(t, !requirement.CgroupNamespacesEnabled())
// Running with both privileged and cgroupns=private is not allowed
errStr := "privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode"
testCreateFailureWithCgroupNs(t, "private", errStr, container.WithPrivileged(true), container.WithCgroupnsMode("private"))
containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithPrivileged(true), container.WithCgroupnsMode("private"))
assert.Assert(t, daemonCgroup != containerCgroup)
}
func TestCgroupNamespacesRunInvalidMode(t *testing.T) {