fix: oci: enter cgroup before executing crun as non-root (release-3.11) #1544

Merged: 1 commit merged on Apr 13, 2023

dtrudg (Member) commented Apr 12, 2023

Description of the Pull Request (PR):

Pick #1539

When executed from a root-owned cgroup, such as the session scope resulting from a bare ssh login, crun will fail to create our requested container cgroup.

If we are running as non-root, create and move into a user-owned cgroup, so that there's a common user-owned ancestor. This avoids the crun error.

Note that no workaround is needed for runc as it is able to create the requested container cgroup without any issue.

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:

@dtrudg added the bug, ci:e2e and backport labels Apr 12, 2023
@dtrudg added this to the SingularityCE 3.11.2 milestone Apr 12, 2023
@dtrudg self-assigned this Apr 12, 2023
@dtrudg marked this pull request as ready for review April 12, 2023 10:35

When executed from a root-owned cgroup, such as the session scope
resulting from a bare ssh login, crun will fail to create our
requested container cgroup.

If we are running as non-root, create and move into a user-owned
cgroup, so that there's a common user-owned ancestor. This avoids the
`crun` error.

Note that no workaround is needed for `runc` as it is able to create
the requested container cgroup without any issue.

Fixes sylabs#1538
@dtrudg merged commit e5ff387 into sylabs:release-3.11 Apr 13, 2023
@dtrudg deleted the pick-1539 branch April 13, 2023 15:24
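
As an added example (not SingularityCE's code), a Go diagnostic for the condition this PR describes: it finds the process's cgroup v2 path and checks whether that cgroup directory is owned by the calling user or by someone else, such as root. It assumes the unified hierarchy is mounted at `/sys/fs/cgroup`; the function names `cgroupV2Path` and `cgroupOwnedBy` are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// cgroupV2Path returns the unified-hierarchy path from the contents of
// /proc/<pid>/cgroup. Lines are "ID:controllers:path"; v2 is "0::<path>".
func cgroupV2Path(procCgroup string) (string, error) {
	for _, line := range strings.Split(procCgroup, "\n") {
		f := strings.SplitN(line, ":", 3)
		if len(f) == 3 && f[0] == "0" && f[1] == "" {
			return f[2], nil
		}
	}
	return "", fmt.Errorf("no cgroup v2 entry found")
}

// cgroupOwnedBy reports whether the cgroup directory rel under mount
// (assumed to be /sys/fs/cgroup on a real host) is owned by uid.
func cgroupOwnedBy(mount, rel string, uid uint32) (bool, error) {
	fi, err := os.Stat(filepath.Join(mount, rel))
	if err != nil {
		return false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("no ownership information for %s", rel)
	}
	return st.Uid == uid, nil
}

func main() {
	data, err := os.ReadFile("/proc/self/cgroup")
	if err != nil {
		fmt.Println("cannot read /proc/self/cgroup:", err)
		return
	}
	rel, err := cgroupV2Path(string(data))
	if err != nil {
		fmt.Println(err)
		return
	}
	owned, err := cgroupOwnedBy("/sys/fs/cgroup", rel, uint32(os.Getuid()))
	fmt.Printf("cgroup %s owned by uid %d: %v (err: %v)\n", rel, os.Getuid(), owned, err)
}
```

A `false` result for a non-root user means the process is sitting in a cgroup it does not own, which is the situation the PR description gives for the `crun` failure.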