author | gVisor bot <gvisor-bot@google.com> | 2020-10-22 00:27:47 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-10-22 00:27:47 +0000 |
commit | d29c1e0f6fb872fb7661ba9a3642d137885794e6 (patch) | |
tree | 95816b72e28eb13e5c1a9cbe649a560a8b5df02f | |
parent | 96a310bd32f1baa795a6d0303713f96f6fbcfedb (diff) | |
parent | 1a5eb49a43c4f75d1a4135a2791a2b48dae8743d (diff) |
Merge release-20201019.0-27-g1a5eb49a4 (automated)
-rw-r--r-- | runsc/container/container.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/runsc/container/container.go b/runsc/container/container.go index 63f64ce6e..52e1755ce 100644 --- a/runsc/container/container.go +++ b/runsc/container/container.go @@ -312,6 +312,14 @@ func New(conf *config.Config, args Args) (*Container, error) { if isRoot(args.Spec) { log.Debugf("Creating new sandbox for container %q", args.ID) + if args.Spec.Linux == nil { + args.Spec.Linux = &specs.Linux{} + } + // Don't force the use of cgroups in tests because they lack permission to do so. + if args.Spec.Linux.CgroupsPath == "" && !conf.TestOnlyAllowRunAsCurrentUserWithoutChroot { + args.Spec.Linux.CgroupsPath = "/" + args.ID + } + // Create and join cgroup before processes are created to ensure they are // part of the cgroup from the start (and all their children processes). cg, err := cgroup.New(args.Spec) @@ -321,7 +329,13 @@ func New(conf *config.Config, args Args) (*Container, error) { if cg != nil { // If there is cgroup config, install it before creating sandbox process. if err := cg.Install(args.Spec.Linux.Resources); err != nil { - return nil, fmt.Errorf("configuring cgroup: %v", err) + switch { + case errors.Is(err, syscall.EACCES) && conf.Rootless: + log.Warningf("Skipping cgroup configuration in rootless mode: %v", err) + cg = nil + default: + return nil, fmt.Errorf("configuring cgroup: %v", err) + } } } if err := runInCgroup(cg, func() error { |
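Review bot: The defaulted `CgroupsPath` is written straight into the caller's `args.Spec`, so after this block nothing can tell a path the user requested from one filled in here, and the rootless fallback later in `New` has to treat both alike. Recording the decision in a local before the assignment, e.g. `defaulted := args.Spec.Linux.CgroupsPath == ""`, would let later code and log messages distinguish the two cases. The path is also built by concatenating `args.ID`; validation of the ID is not visible in this hunk, so it is worth confirming that it runs before this point and rejects path separators and `..`. `New` starts and ends outside the hunk.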
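Review bot: In the new `case errors.Is(err, syscall.EACCES) && conf.Rootless` branch the container goes on with `cg = nil` even when `args.Spec.Linux.Resources` carries limits, so resource limits the spec asked for are dropped with only a warning in the log. Restricting the skip to the case where no limits were requested, `case errors.Is(err, syscall.EACCES) && conf.Rootless && args.Spec.Linux.Resources == nil:`, would keep an explicit request failing loudly. It is not visible here whether `cg.Install` can fail after creating part of the hierarchy; if it can, setting `cg = nil` leaves that state behind without cleanup. The default branch could wrap with `%w` instead of `%v` so callers can use `errors.Is` the same way this code does. The enclosing `New` continues outside the hunk.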