[1.4] runc exec: use CLONE_INTO_CGROUP #4920
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
@kolyshkin I'm guessing you still wanted this for 1.4, right? |
Member
Member
Author
|
Ah, typo -- I did |
cyphar
force-pushed
the
1.4-cgroup-clone-into-cgroup
branch
from
12534f8 to
40fb0c2
Compare
Member
|
@cyphar Need rebase and resolve the conflicts. |
This fixes the following warning (seen on Fedora 42 and Ubuntu 24.04): + sudo chown -R rootless.rootless /home/rootless chown: warning: '.' should be ':': ‘rootless.rootless’ Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 7d6848f) Signed-off-by: Aleksa Sarai <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit b39e0d6) Signed-off-by: Aleksa Sarai <[email protected]>
The main idea is to maintain the code separately (and eventually kill V1 implementation). Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 5560020) Signed-off-by: Aleksa Sarai <[email protected]>
Remove cgroupPaths field from struct setnsProcess, because: - we can get base cgroup paths from p.manager.GetPaths(); - we can get sub-cgroup paths from p.process.SubCgroupPaths. But mostly because we are going to need separate cgroup paths when adopting cgroups.AddPid. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 5730a14) Signed-off-by: Aleksa Sarai <[email protected]>
The main benefit here is when we are using a systemd cgroup driver, we actually ask systemd to add a PID, rather than doing it ourselves. This way, we can add rootless exec PID to a cgroup. This requires newer opencontainers/cgroups and coreos/go-systemd. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 37b5acc) Signed-off-by: Aleksa Sarai <[email protected]>
It makes sense to make runc exec benefit from clone2(CLONE_INTO_CGROUP), if it is available. Since it requires a recent kernel and might not work, implement a fallback to older way of joining the cgroup. Based on: - https://go-review.googlesource.com/c/go/+/417695 - coreos/go-systemd#458 - opencontainers/cgroups#26 - opencontainers#4822 Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 5af4dd4) Signed-off-by: Aleksa Sarai <[email protected]>
cyphar
force-pushed
the
1.4-cgroup-clone-into-cgroup
branch
from
40fb0c2 to
d792f9f
Compare
Member
Author
|
@lifubang Done. |
lifubang
approved these changes
Oct 8, 2025
This was referenced Oct 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #4822 and #4812.
It makes sense to make runc exec benefit from
clone2(CLONE_INTO_CGROUP), whenavailable. Since it requires a recent kernel and might not work, implement a fallback.
Based on:
Signed-off-by: Kir Kolyshkin [email protected]
Signed-off-by: Aleksa Sarai [email protected]