This repository has been archived by the owner on Mar 9, 2022. It is now read-only.
cgroup2: unshare cgroup namespace for containers #1371
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In cgroup v1 container implementations, cgroupns is not used by default because it was not available in the kernel until kernel 4.6 (May 2016), and the default behavior will not change on cgroup v1 environments, because changing the default will break compatibility and surprise users. For cgroup v2, implementations are going to unshare cgroupns by default so as to hide /sys/fs/cgroup from containers. * Discussion: containers/podman#4363 * Podman PR (merged): containers/podman#4374 * Moby PR: moby/moby#40174 This PR enables cgroupns for containers, but pod sandboxes are untouched because probably there is no need to do. Signed-off-by: Akihiro Suda <[email protected]>
|
cc @giuseppe @mrunalp @saschagrunert for consistency with CRI-O I'm not sure we should also unshare cgroupns for pod sandboxes. RFC. |
11 tasks
|
/test pull-cri-containerd-node-e2e |
|
/lgtm |
thanks, I've opened a PR for CRI-O as well: cri-o/cri-o#3098 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In cgroup v1 container implementations, cgroupns is not used by default because
it was not available in the kernel until kernel 4.6 (May 2016), and the default
behavior will not change on cgroup v1 environments, because changing the
default will break compatibility and surprise users.
For cgroup v2, implementations are going to unshare cgroupns by default
so as to hide /sys/fs/cgroup from containers.
This PR enables cgroupns for containers, but pod sandboxes are untouched
because probably there is no need to do.