@dtrudg dtrudg commented May 11, 2022

Description of the Pull Request (PR):

In singularity, cgroups device limits have always defaulted to allow-all. When a cgroups config is provided with no explicit device rules, no cgroups-mediated device limits have applied.

We recently switched to runc/libcontainer/cgroups as our cgroups manager (from containerd/cgroups), and this applies a default deny rule for devices.

Revert to previous behavior by asking runc/libcontainer/cgroups to skip application of device limits if no limits are provided in the spec that has been passed.

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:

In singularity, cgroups device limits have always defaulted to
allow-all. When a cgroups config is provided with no explicit device
rules, no cgroups-mediated device limits have applied.

We recently switched to runc/libcontainer/cgroups as our cgroups
manager (from containerd/cgroups), and this applies a default deny
rule for devices.

Revert to previous behavior by asking runc/libcontainer/cgroups to
skip application of device limits if no limits are provided in the
spec that has been passed.

Fixes sylabs#787
@dtrudg dtrudg added bug Something isn't working ci:e2e labels May 11, 2022
@dtrudg dtrudg added this to the SingularityCE 3.10 milestone May 11, 2022
@dtrudg dtrudg self-assigned this May 11, 2022
@dtrudg dtrudg marked this pull request as draft May 11, 2022 14:39
The units GiB / KiB / MiB may or may not be present depending on the
specification of the system on which the tests are run, so we can't
insist they are present.
@dtrudg dtrudg marked this pull request as ready for review May 11, 2022 15:25
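
A simplified model of the behaviour this PR describes, added here as an example and not taken from the PR, SingularityCE or runc: a manager that starts from deny-all blocks `/dev/null` (char 1:3) when the spec carries no device rules, while skipping device limits for an empty rule list restores allow-all. All type and function names are illustrative assumptions, and the last-matching-rule-wins evaluation is a simplification.

```go
package main

import "fmt"

// DeviceRule is a simplified cgroup device rule (illustrative, not runc's type).
type DeviceRule struct {
	Type         rune  // 'c' char, 'b' block, 'a' all
	Major, Minor int64 // -1 is a wildcard
	Allow        bool
}

// Resources is a hypothetical stand-in for the cgroups config handed to the manager.
type Resources struct {
	Devices     []DeviceRule
	SkipDevices bool // when true, no device filter is applied at all
}

// FromSpec models the fix: a spec with no device rules asks the manager to
// skip device limits instead of inheriting its default deny rule.
func FromSpec(rules []DeviceRule) Resources {
	return Resources{Devices: rules, SkipDevices: len(rules) == 0}
}

func (r DeviceRule) matches(t rune, major, minor int64) bool {
	return (r.Type == 'a' || r.Type == t) &&
		(r.Major == -1 || r.Major == major) &&
		(r.Minor == -1 || r.Minor == minor)
}

// Allowed models a manager that starts from deny-all; the last matching rule wins.
func Allowed(res Resources, t rune, major, minor int64) bool {
	if res.SkipDevices {
		return true
	}
	allowed := false
	for _, r := range res.Devices {
		if r.matches(t, major, minor) {
			allowed = r.Allow
		}
	}
	return allowed
}

func main() {
	regressed := Resources{} // no rules, default deny still applied
	fixed := FromSpec(nil)   // no rules, device limits skipped
	explicit := FromSpec([]DeviceRule{{'a', -1, -1, false}, {'c', 1, 3, true}})
	fmt.Println(Allowed(regressed, 'c', 1, 3), Allowed(fixed, 'c', 1, 3), Allowed(explicit, 'c', 1, 8))
}
```

The third case shows that explicit rules are still enforced: only an empty rule list triggers the skip, so a config that allows `/dev/null` alone keeps `/dev/random` (char 1:8) denied.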

Development

Successfully merging this pull request may close these issues.

/dev/null: Operation not permitted when using cgroup, and running as root
