From 0213ad74a4eb7f246d57260913f68212dda65148 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 23 Mar 2023 11:57:46 -0700
Subject: [PATCH] runc run: refuse a non-empty cgroup

Commit d08bc0c1b3bb2 ("runc run: warn on non-empty cgroup") introduced a warning when a container is started in a non-empty cgroup. Such configuration has lots of issues. In addition to that, such configuration is not possible at all when using the systemd cgroup driver. As planned, let's promote this warning to an error, and fix the test case accordingly.

Signed-off-by: Kir Kolyshkin
---
 libcontainer/factory_linux.go | 4 +---
 tests/integration/cgroups.bats | 6 +++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index b8d2d9c287d..bf8904efb85 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -77,9 +77,7 @@ func Create(root, id string, config *configs.Config) (*Container, error) {
 return nil, fmt.Errorf("unable to get cgroup PIDs: %w", err)
 }
 if len(pids) != 0 {
- // TODO: return an error.
- logrus.Warnf("container's cgroup is not empty: %d process(es) found", len(pids))
- logrus.Warn("DEPRECATED: running container in a non-empty cgroup won't be supported in runc 1.2; https://github.com/opencontainers/runc/issues/3132")
+ return nil, fmt.Errorf("container's cgroup is not empty: %d process(es) found", len(pids))
 }
 }
diff --git a/tests/integration/cgroups.bats b/tests/integration/cgroups.bats
index 14f26d2d5a4..17e384e2c86 100644
--- a/tests/integration/cgroups.bats
+++ b/tests/integration/cgroups.bats
@@ -356,7 +356,7 @@ function setup() {
 [ "$output" = "ok" ]
 }
-@test "runc run/create should warn about a non-empty cgroup" {
+@test "runc run/create should error for a non-empty cgroup" {
 [ $EUID -ne 0 ] && requires rootless_cgroup
 set_cgroups_path
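Review bot: The new error returned from `Create` in libcontainer/factory_linux.go (the `if len(pids) != 0` branch) no longer carries the pointer to https://github.com/opencontainers/runc/issues/3132 that the removed deprecation warning had, so an operator who hits the refusal sees a process count but neither which cgroup is occupied nor why sharing is rejected. I would keep the rationale next to the check, e.g. `// Refuse to start in a cgroup that already holds processes; see https://github.com/opencontainers/runc/issues/3132.`, and consider naming the cgroup in the message if its path is available at this point. Judging only from the visible lines, the check is a single read of the PID list at create time, so a process that enters the cgroup afterwards is not covered; that limitation is worth stating in the same comment. The body of `Create` starts and ends outside this hunk.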
@@ -366,12 +366,12 @@ function setup() {
 # Run a second container sharing the cgroup with the first one.
 runc --debug run -d --console-socket "$CONSOLE_SOCKET" ct2
- [ "$status" -eq 0 ]
+ [ "$status" -ne 0 ]
 [[ "$output" == *"container's cgroup is not empty"* ]]
 # Same but using runc create.
 runc create --console-socket "$CONSOLE_SOCKET" ct3
- [ "$status" -eq 0 ]
+ [ "$status" -ne 0 ]
 [[ "$output" == *"container's cgroup is not empty"* ]]
 }
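Review bot: Both rejected starts (`ct2` via `runc run`, `ct3` via `runc create`) are checked only for a non-zero status and the error text; nothing asserts that the refused container left no state behind or that `ct1`, which already occupies the cgroup, is still running. Since the refusal exists to keep a second workload out of an occupied cgroup, I would add after each failure `runc state ct2` followed by `[ "$status" -ne 0 ]` (and the same for `ct3`), plus a final check that `ct1` is still reported as running. The `@test` body begins above this hunk, so the setup of `ct1` is not visible here.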