Ensure rootless containers work on v1

2024-09-19 18:37:40 +02:00 · 2021-11-25 20:25:22 +01:00 · 2021-11-25 20:25:22 +01:00 · f92b265b80
commit f92b265b80
parent 9cff02435b
2 changed files with 22 additions and 10 deletions
--- a/crates/libcontainer/src/process/container_intermediate_process.rs
+++ b/crates/libcontainer/src/process/container_intermediate_process.rs
@ -22,6 +22,23 @@ pub fn container_intermediate_process(
    let linux = spec.linux().as_ref().context("no linux in spec")?;
    let namespaces = Namespaces::from(linux.namespaces().as_ref());

+    // this needs to be done before we create the init process, so that the init
+    // process will already be captured by the cgroup. It also needs to be done
+    // before we enter the user namespace because if a privileged user starts a
+    // rootless container on a cgroup v1 system we can still fullfill resource
+    // restrictions through the cgroup fs support (delegation through systemd is
+    // not supported for v1 by us). This only works if the user has not yet been
+    // mapped to an unprivileged user by the user namespace however.
+    // In addition this needs to be done before we enter the cgroup namespace as
+    // the cgroup of the process will form the root of the cgroup hierarchy in
+    // the cgroup namespace.
+    apply_cgroups(
+        args.cgroup_manager.as_ref(),
+        linux.resources().as_ref(),
+        args.init,
+    )
+    .context("failed to apply cgroups")?;
+
    // if new user is specified in specification, this will be true and new
    // namespace will be created, check
    // https://man7.org/linux/man-pages/man7/user_namespaces.7.html for more
@ -66,16 +83,6 @@ pub fn container_intermediate_process(
            .with_context(|| format!("Failed to enter pid namespace: {:?}", pid_namespace))?;
    }

-    // this needs to be done before we create the init process, so that the init
-    // process will already be captured by the cgroup
-
-    apply_cgroups(
-        args.cgroup_manager.as_ref(),
-        linux.resources().as_ref(),
-        args.init,
-    )
-    .context("failed to apply cgroups")?;
-
    // We have to record the pid of the child (container init process), since
    // the child will be inside the pid namespace. We can't rely on child_ready
    // to send us the correct pid.
--- a/crates/youki/src/main.rs
+++ b/crates/youki/src/main.rs
@ -112,6 +112,11 @@ fn main() -> Result<()> {
        eprintln!("log init failed: {:?}", e);
    }

+    log::debug!(
+        "started by user {} with {:?}",
+        nix::unistd::geteuid(),
+        std::env::args_os()
+    );
    let root_path = determine_root_path(opts.root)?;
    let systemd_cgroup = opts.systemd_cgroup;