namespaces: by default create cgroupns on cgroups v2 #4374
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
approved
giuseppe
force-pushed
the
create-cgroupns-by-default-on-cgroupsv2
branch
from
439b243
to
245dc68
Compare
giuseppe
force-pushed
the
create-cgroupns-by-default-on-cgroupsv2
branch
from
245dc68
to
9eeb4e6
Compare
|
tests is failing with: [+0318s] Error: could not get runtime: please update to v2.0.1 or later: outdated conmon version |
|
That's very curious. We merged the PR yesterday and all checks were green -> https://github.com/containers/libpod/pull/3792/checks |
|
@cevich @haircommander PTAL |
|
So I had to manually push a version of the in_podman image that updated conmon. The in_podman image is updated as a post merge task on every PR. It seems any PR that isn't rebased to the new Dockerfile (with the new conmon) updates this image, and breaks subsequent PRs. I am not sure if there is a better work around other than rebasing ever live PR, and pushing the image manually until it's fixed... wdyt @cevich |
|
LGTM |
That was my bad, totally forgot that quay.io was set to re-build that image from |
|
@vrothberg @mheon @baude @TomSweeneyRedHat @QiWang19 @jwhonce Tests are passing, can we get this merged. |
| @@ -132,7 +132,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) { | |||
| "Drop capabilities from the container", | |||
| ) | |||
| createFlags.String( | |||
| "cgroupns", "host", | |||
| "cgroupns", "", | |||
There was a problem hiding this comment.
Can't we dynamically set the default like we do for a few other things? A bit less ugly than special-casing the empty string
There was a problem hiding this comment.
I was thinking about that, but one potential issue would be, if we default the CLI based on when the container was created, and the user switched cgroups, it could cause issues with existing containers.
There was a problem hiding this comment.
Existing containers are an issue either way - this is all done at spec generation time, it'll be in the final, immutable spec that we put in the DB
There was a problem hiding this comment.
I'd prefer we don't add this logic to the cmd/ package if possible.
Also, we need to be able to catch errors in the cgroups v2 detection. If we move it here, we would need to either ignore the error or panic.
|
☔ The latest upstream changes (presumably #4354) made this pull request unmergeable. Please resolve the merge conflicts. |
giuseppe
force-pushed
the
create-cgroupns-by-default-on-cgroupsv2
branch
from
9eeb4e6
to
1ba9902
Compare
|
rebased |
|
What should be the default value for |
giuseppe
force-pushed
the
create-cgroupns-by-default-on-cgroupsv2
branch
from
1ba9902
to
8a4ee14
Compare
Good point! I think we should keep |
True, but privileged containers still unshare other namespaces except User Namespace? |
|
I agree with @AkihiroSuda. --privileged should not modify the default behaviour of namespaces. |
change the default on cgroups v2 and create a new cgroup namespace. When a cgroup namespace is used, processes inside the namespace are only able to see cgroup paths relative to the cgroup namespace root and not have full visibility on all the cgroups present on the system. The previous behaviour is maintained on a cgroups v1 host, where a cgroup namespace is not created by default. Closes: containers#4363 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
create-cgroupns-by-default-on-cgroupsv2
branch
from
8a4ee14
to
b8514ca
Compare
ok I've reverted the change |
|
LGTM |
|
/lgtm |
For cgroup v1, we were unable to change the default because of compatibility issue. For cgroup v2, we should change the default right now because switching to cgroup v2 is already breaking change. See also containers/podman#4363 containers/podman#4374 Privileged containers also use cgroupns=private by default. containers/podman#4374 (comment) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
In cgroup v1 container implementations, cgroupns is not used by default because it was not available in the kernel until kernel 4.6 (May 2016), and the default behavior will not change on cgroup v1 environments, because changing the default will break compatibility and surprise users. For cgroup v2, implementations are going to unshare cgroupns by default so as to hide /sys/fs/cgroup from containers. * Discussion: containers/podman#4363 * Podman PR (merged): containers/podman#4374 * Moby PR: moby/moby#40174 This PR enables cgroupns for containers, but pod sandboxes are untouched because probably there is no need to do. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
For cgroup v1, we were unable to change the default because of compatibility issue. For cgroup v2, we should change the default right now because switching to cgroup v2 is already breaking change. See also containers/podman#4363 containers/podman#4374 Privileged containers also use cgroupns=private by default. containers/podman#4374 (comment) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> Upstream-commit: 19baeaca267d5710907ac1b3c3972d44725fe8ad Component: engine
github-actions
bot
added
the
locked - please file new issue/PR
change the default on cgroups v2 and create a new cgroup namespace.
When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and not have full visibility on all the cgroups present on the
system.
The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.
Closes: #4363
Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com