runc delete: fix for rootless cgroup + ro cgroupfs

kolyshkin · kolyshkin · commit db59489b6801 · 2024-11-11T23:12:32.000-08:00
An issue with runc 1.2.0 was reported to buildkit, in which runc delete returns with an error, with the log saying: > unable to destroy container: unable to remove container's cgroup: open /sys/fs/cgroup/snschvixiy3s74w74fjantrdg: no such file or directory Apparently, what happens is runc is running with no cgroup access (because /sys/fs/cgroup is mounted read-only). In this case error to create a cgroup path (in runc create/run) is ignored, but cgroup removal (in runc delete) is not. This is caused by commit d3d7f7d, which changes the cgroup removal logic in RemovePath. In the current code, if the initial rmdir has failed (in this case with EROFS), but the subsequent os.ReadDir returns ENOENT, it is returned (instead of being ignored -- as the path does not exist and so there is nothing to remove). Here is the minimal fix for the issue. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
diff --git a/libcontainer/cgroups/utils.go b/libcontainer/cgroups/utils.go
@@ -257,7 +257,10 @@ func RemovePath(path string) error {
 	}
 
 	infos, err := os.ReadDir(path)
-	if err != nil && !os.IsNotExist(err) {
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
 		return err
 	}
 	for _, info := range infos {

Original file line number	Diff line number	Diff line change
`@@ -257,7 +257,10 @@ func RemovePath(path string) error {`
`257`	`257`	`}`
`258`	`258`
`259`	`259`	`infos, err := os.ReadDir(path)`
`260`		`- if err != nil && !os.IsNotExist(err) {`
	`260`	`+ if err != nil {`
	`261`	`+ if os.IsNotExist(err) {`
	`262`	`+ return nil`
	`263`	`+ }`
`261`	`264`	`return err`
`262`	`265`	`}`
`263`	`266`	`for _, info := range infos {`