[backport] chown cgroup to process uid in container namespace#3311
[backport] chown cgroup to process uid in container namespace#3311frasertweedale wants to merge 1 commit intoopencontainers:release-1.0from
Conversation
Delegating cgroups to the container enables more complex workloads, including systemd-based workloads. The OCI runtime-spec was recently updated to explicitly admit such delegation, through specification of cgroup ownership semantics: opencontainers/runtime-spec#1123 Pursuant to the updated OCI runtime-spec, change the ownership of the container's cgroup directory and particular files therein, when using cgroups v2 and when the cgroupfs is to be mounted read/write. As a result of this change, systemd workloads can run in isolated user namespaces on OpenShift when the sandbox's cgroupfs is mounted read/write. It might be possible to implement this feature in other cgroup managers, but that work is deferred. Signed-off-by: Fraser Tweedale <[email protected]>
AkihiroSuda
left a comment
AkihiroSuda
left a comment
There was a problem hiding this comment.
I don't think this is safe to backport.
|
@AkihiroSuda what are your concerns? |
cyphar
left a comment
cyphar
left a comment
There was a problem hiding this comment.
We will be doing a 1.1 release soon, which will include this patch. I don't think we have plans for another 1.0.x unless it's really necessary, so this patch doesn't need to be backported. It also is implementing a new runtime-spec feature which makes it not really eligible for backporting in the first place.
As for the safety point, there have been a lot of changes in the cgroup code in main which haven't been backported to release-1.0 which also makes me slightly nervous.
|
OK, wasn't aware of the timeline for 1.1. I'll close this PR. |
|
1.0.x is a maintenance branch -- i.e. this is mostly for security and bug fixes. Unless the lack of a feature is critical, we do not add new features. |
4 participants
(backport of #3057)
Delegating cgroups to the container enables more complex workloads,
including systemd-based workloads. The OCI runtime-spec was
recently updated to explicitly admit such delegation, through
specification of cgroup ownership semantics:
opencontainers/runtime-spec#1123
Pursuant to the updated OCI runtime-spec, change the ownership of
the container's cgroup directory and particular files therein, when
using cgroups v2 and when the cgroupfs is to be mounted read/write.
As a result of this change, systemd workloads can run in isolated
user namespaces on OpenShift when the sandbox's cgroupfs is mounted
read/write.
It might be possible to implement this feature in other cgroup
managers, but that work is deferred.