Skip to content

Commit

Permalink
runc run: refuse a non-empty cgroup
Browse files Browse the repository at this point in the history
Commit d08bc0c ("runc run: warn on non-empty cgroup") introduced
a warning when a container is started in a non-empty cgroup. Such
configuration has lots of issues.

In addition to that, such configuration is not possible at all when
using the systemd cgroup driver.

As planned, let's promote this warning to an error, and fix the test
case accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
  • Loading branch information
kolyshkin committed Mar 23, 2023
1 parent e6cc9a6 commit 0213ad7
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 6 deletions.
4 changes: 1 addition & 3 deletions libcontainer/factory_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,9 +77,7 @@ func Create(root, id string, config *configs.Config) (*Container, error) {
return nil, fmt.Errorf("unable to get cgroup PIDs: %w", err)
}
if len(pids) != 0 {
// TODO: return an error.
logrus.Warnf("container's cgroup is not empty: %d process(es) found", len(pids))
logrus.Warn("DEPRECATED: running container in a non-empty cgroup won't be supported in runc 1.2; https://github.com/opencontainers/runc/issues/3132")
return nil, fmt.Errorf("container's cgroup is not empty: %d process(es) found", len(pids))
}
}

Expand Down
6 changes: 3 additions & 3 deletions tests/integration/cgroups.bats
Original file line number Diff line number Diff line change
Expand Up @@ -356,7 +356,7 @@ function setup() {
[ "$output" = "ok" ]
}

@test "runc run/create should warn about a non-empty cgroup" {
@test "runc run/create should error for a non-empty cgroup" {
[ $EUID -ne 0 ] && requires rootless_cgroup

set_cgroups_path
Expand All @@ -366,12 +366,12 @@ function setup() {

# Run a second container sharing the cgroup with the first one.
runc --debug run -d --console-socket "$CONSOLE_SOCKET" ct2
[ "$status" -eq 0 ]
[ "$status" -ne 0 ]
[[ "$output" == *"container's cgroup is not empty"* ]]

# Same but using runc create.
runc create --console-socket "$CONSOLE_SOCKET" ct3
[ "$status" -eq 0 ]
[ "$status" -ne 0 ]
[[ "$output" == *"container's cgroup is not empty"* ]]
}

Expand Down

0 comments on commit 0213ad7

Please sign in to comment.