diff options
author | gVisor bot <gvisor-bot@google.com> | 2020-10-21 17:24:06 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-10-21 17:24:06 -0700 |
commit | 1a5eb49a43c4f75d1a4135a2791a2b48dae8743d (patch) | |
tree | d8693e45be368c7fbc62c6bf02d88b7d31e0bde1 | |
parent | 1b2097f84ed3425d4e417a92c08b36e3888b8ebb (diff) | |
parent | d579ed85052dfba0579bd3286b6ae04210e4f975 (diff) |
Merge pull request #3957 from workato:auto-cgroup
PiperOrigin-RevId: 338372736
-rw-r--r-- | runsc/container/container.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/runsc/container/container.go b/runsc/container/container.go index 63f64ce6e..52e1755ce 100644 --- a/runsc/container/container.go +++ b/runsc/container/container.go @@ -312,6 +312,14 @@ func New(conf *config.Config, args Args) (*Container, error) { if isRoot(args.Spec) { log.Debugf("Creating new sandbox for container %q", args.ID) + if args.Spec.Linux == nil { + args.Spec.Linux = &specs.Linux{} + } + // Don't force the use of cgroups in tests because they lack permission to do so. + if args.Spec.Linux.CgroupsPath == "" && !conf.TestOnlyAllowRunAsCurrentUserWithoutChroot { + args.Spec.Linux.CgroupsPath = "/" + args.ID + } + // Create and join cgroup before processes are created to ensure they are // part of the cgroup from the start (and all their children processes). cg, err := cgroup.New(args.Spec) @@ -321,7 +329,13 @@ func New(conf *config.Config, args Args) (*Container, error) { if cg != nil { // If there is cgroup config, install it before creating sandbox process. if err := cg.Install(args.Spec.Linux.Resources); err != nil { - return nil, fmt.Errorf("configuring cgroup: %v", err) + switch { + case errors.Is(err, syscall.EACCES) && conf.Rootless: + log.Warningf("Skipping cgroup configuration in rootless mode: %v", err) + cg = nil + default: + return nil, fmt.Errorf("configuring cgroup: %v", err) + } } } if err := runInCgroup(cg, func() error { |