Remove remaining nested container artifacts, re-add cgroup chowning

executor/runtime/docker/capabilities.go

@@ -38,7 +38,7 @@ func setupAdditionalCapabilities(c *runtimeTypes.Container, hostCfg *container.H
 	if err != nil {
 		return err
 	}
-	if fuseEnabled || c.TitusInfo.GetAllowNestedContainers() {
+	if fuseEnabled {
 		if _, ok := addedCapabilities[SYS_ADMIN]; !ok {
 			hostCfg.CapAdd = append(hostCfg.CapAdd, SYS_ADMIN)
 		}
@@ -56,6 +56,7 @@ func setupAdditionalCapabilities(c *runtimeTypes.Container, hostCfg *container.H
 		seccompProfile = "fuse-container.json"
 
 	}
+
 	// We can do this here because nested containers can do everything fuse containers can
 	if c.TitusInfo.GetAllowNestedContainers() {
 		return errors.New("Nested containers no longer supported")

executor/runtime/docker/docker.go

@@ -489,12 +489,12 @@ func (r *DockerRuntime) dockerConfig(c *runtimeTypes.Container, binds []string,
 
 	// Always setup tmpfs: it's needed to ensure Metatron credentials don't persist across reboots and for SystemD to work
 	hostCfg.Tmpfs = map[string]string{
-		"/run": "rw,exec,suid,size=" + defaultRunTmpFsSize,
+		"/run": "rw,exec,size=" + defaultRunTmpFsSize,
 	}
 
 	if c.IsSystemD {
 		// systemd requires `/run/lock` to be a separate mount from `/run`
-		hostCfg.Tmpfs["/run/lock"] = "rw,noexec,nosuid,size=" + defaultRunLockTmpFsSize
+		hostCfg.Tmpfs["/run/lock"] = "rw,exec,size=" + defaultRunLockTmpFsSize
 	}
 
 	if r.storageOptEnabled {
@@ -1728,6 +1728,11 @@ func (r *DockerRuntime) setupPostStartLogDirTiniHandleConnection2(parentCtx cont
 		return err
 	}
 
+	if err := setCgroupOwnership(parentCtx, c, cred); err != nil {
+		log.Error("Unable to setup container nesting: ", err)
+		return err
+	}
+
 	/* This can be "broken" if the titus-executor crashes. The link will be dangling, and point to a
 	 * /proc/${PID}/fd/${FD}. It's not "bad", because Titus Task names should be unique
 	 */

executor/runtime/docker/docker_linux.go

@@ -181,6 +181,42 @@ func cleanupCgroups(cgroupPath string) error {
 	return nil
 }
 
+func setCgroupOwnership(parentCtx context.Context, c *runtimeTypes.Container, cred ucred) error {
+	if !c.IsSystemD {
+		return nil
+	}
+
+	cgroupPath := filepath.Join("/proc/", strconv.FormatInt(int64(cred.pid), 10), "cgroup")
+	cgroups, err := ioutil.ReadFile(cgroupPath) // nolint: gosec
+	if err != nil {
+		return err
+	}
+	var ret error
+	for _, line := range strings.Split(string(cgroups), "\n") {
+		cgroupInfo := strings.Split(strings.TrimSpace(line), ":")
+		if len(cgroupInfo) != 3 {
+			continue
+		}
+		controllerType := cgroupInfo[1]
+		if len(controllerType) == 0 {
+			continue
+		}
+		// This is to handle the name=systemd cgroup, we should probably parse /proc/mounts, but this is a little bit easier
+		controllerType = strings.TrimPrefix(controllerType, "name=")
+		if controllerType != "systemd" {
+			continue
+		}
+
+		// systemd needs to be the owner of its systemd cgroup in order to start up
+		controllerPath := cgroupInfo[2]
+		fsPath := filepath.Join(sysFsCgroup, controllerType, controllerPath)
+		logrus.Infof("chowning systemd cgroup path: %s", fsPath)
+		return os.Chown(fsPath, int(cred.uid), int(cred.gid))
+	}
+
+	return nil
+}
+
 func setupOOMAdj(c *runtimeTypes.Container, cred ucred) error {
 	oomScore := 1000
 

executor/runtime/docker/docker_unsupported.go

@@ -38,6 +38,10 @@ func cleanupCgroups(cgroupPath string) error {
 	return errUnsupported
 }
 
+func setCgroupOwnership(parentCtx context.Context, c *runtimeTypes.Container, cred ucred) error {
+	return errUnsupported
+}
+
 func setupOOMAdj(c *runtimeTypes.Container, cred ucred) error {
 	return errUnsupported
 }

executor/runtime/docker/seccomp/Makefile

@@ -2,6 +2,6 @@
 
 all: seccomp.go
 
-seccomp.go: default.json nested-container.json fuse-container.json
-	go-bindata -pkg seccomp -o seccomp.go default.json nested-container.json fuse-container.json
+seccomp.go: default.json fuse-container.json
+	go-bindata -pkg seccomp -o seccomp.go default.json fuse-container.json