Skip to content

cgroup2: exec: join the cgroup of the init process on EBUSY #2416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mrunalp merged 1 commit into from
May 31, 2020
Merged

cgroup2: exec: join the cgroup of the init process on EBUSY #2416

mrunalp merged 1 commit into from
May 31, 2020

Conversation

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented May 19, 2020
edited
Loading

Fix #2356.

Contains #2418

Note: this behavior is different from crun v0.13.
crun joins "crun-exec` group rather than the init group: containers/crun@af1080b
The next version of crun will switch to the init cgroup: containers/crun#365

@AkihiroSuda AkihiroSuda mentioned this pull request May 19, 2020
Closed
@kolyshkin kolyshkin mentioned this pull request May 19, 2020
Closed
@AkihiroSuda AkihiroSuda force-pushed the exec-join-init-cgroup branch 4 times, most recently from e93631c to dc133ec Compare May 19, 2020 15:35
@kolyshkin kolyshkin mentioned this pull request May 19, 2020
Merged
@AkihiroSuda AkihiroSuda force-pushed the exec-join-init-cgroup branch 2 times, most recently from 4ece281 to 9643a87 Compare May 19, 2020 23:43
@AkihiroSuda AkihiroSuda marked this pull request as ready for review May 19, 2020 23:45
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented May 21, 2020

@kolyshkin @cyphar @giuseppe PTAL

giuseppe
giuseppe reviewed May 21, 2020
View reviewed changes
libcontainer/process_linux.go
// On cgroup v2 + nesting + domain controllers, EnterPid may fail with EBUSY.
// https://github.com/opencontainers/runc/issues/2356#issuecomment-621277643
// Try to join the cgroup of InitProcessPid.
if cgroups.IsCgroup2UnifiedMode() {
Copy link
Member

@giuseppe giuseppe May 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should it not be done only with err == EBUSY?

Copy link
Member Author

@AkihiroSuda AkihiroSuda May 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it is worth trying to join pid1 even on other errors

Copy link
Contributor

@kolyshkin kolyshkin Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AkihiroSuda this decision (try to join pid1 on every error) can be problematic.

I've seen case (in #4812 (comment)) in which the container init is moved to an entirely different cgroup (I'm not sure by whom, but suspect it's some GHA CI infra software). Once this happens, the container's limits, as configured in OCI spec, are no longer applied. Next, we call runc exec and it succeeds (thanks to the patch in this PR), but I'd rather have it failed, because something very bad has happened.

Copy link
Member

@cyphar cyphar Sep 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also somewhat question this idea in the first place -- administrative cgroup moves are generally not blocked by the cgroup infrastructure (this is an explicit design goal). I think you would only get this case with frozen cgroups, in which case an error is kind of reasonable IMHO?

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented May 25, 2020

@kolyshkin @mrunalp PTAL

@AkihiroSuda AkihiroSuda mentioned this pull request May 27, 2020
Closed
mrunalp
mrunalp reviewed May 27, 2020
View reviewed changes
mrunalp
mrunalp reviewed May 27, 2020
View reviewed changes
@mrunalp
Copy link
Contributor

mrunalp commented May 27, 2020

Added one comment about removing the warning otherwise looks ready to merge. Thanks!

@AkihiroSuda AkihiroSuda force-pushed the exec-join-init-cgroup branch from 9643a87 to 5099176 Compare May 27, 2020 23:39
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented May 27, 2020

updated

@mrunalp
Copy link
Contributor

mrunalp commented May 27, 2020

Thanks, will tag once tests pass again.

@mrunalp
Copy link
Contributor

mrunalp commented May 27, 2020
edited by AkihiroSuda
Loading

LGTM

Approved with PullApprove

@mrunalp
Copy link
Contributor

mrunalp commented May 28, 2020

@kolyshkin @cyphar ptal

@AkihiroSuda AkihiroSuda added this to the 1.0.0-rc90 (tentative) milestone May 28, 2020
kolyshkin
kolyshkin reviewed May 29, 2020
View reviewed changes
@AkihiroSuda AkihiroSuda force-pushed the exec-join-init-cgroup branch from 5099176 to b502a4b Compare May 30, 2020 04:12
mrunalp
mrunalp previously approved these changes May 30, 2020
View reviewed changes
Copy link
Contributor

@mrunalp mrunalp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

kolyshkin
kolyshkin reviewed May 30, 2020
View reviewed changes
kolyshkin
kolyshkin previously approved these changes May 30, 2020
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a nit with whitespace, but LGTM overall

@AkihiroSuda AkihiroSuda dismissed stale reviews from kolyshkin and mrunalp via c91fe9a May 31, 2020 04:09
@AkihiroSuda AkihiroSuda force-pushed the exec-join-init-cgroup branch from b502a4b to c91fe9a Compare May 31, 2020 04:09
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented May 31, 2020

fixed

kolyshkin
kolyshkin approved these changes May 31, 2020
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mrunalp
mrunalp approved these changes May 31, 2020
View reviewed changes
Copy link
Contributor

@mrunalp mrunalp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mrunalp mrunalp merged commit 0f7ffbe into opencontainers:master May 31, 2020
@cyphar cyphar mentioned this pull request Sep 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cyphar cyphar cyphar left review comments

@kolyshkin kolyshkin kolyshkin approved these changes

@mrunalp mrunalp mrunalp approved these changes

+1 more reviewer

@giuseppe giuseppe giuseppe left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/cgroupv2

Projects

None yet

Milestone

1.0.0-rc91 (nee rc11)

Development

Successfully merging this pull request may close these issues.

cgroup2: how can we support nested containers with domain controllers?

5 participants

@AkihiroSuda @mrunalp @giuseppe @cyphar @kolyshkin