[feature] enable --security-opt writable-cgroups=true|false as an option

Signed-off-by: ningmingxiao <[email protected]>

Author: ningmingxiao

cmd/nerdctl/container/container_run_cgroup_linux_test.go

@@ -134,7 +134,9 @@ func TestRunCgroupV2(t *testing.T) {
 	base.Cmd("exec", testutil.Identifier(t)+"-testUpdate2",
 		"cat", "cpu.max", "memory.max", "memory.swap.max", "memory.low",
 		"pids.max", "cpu.weight", "cpuset.cpus", "cpuset.mems").AssertOutExactly(expected2)
-
+	base.Cmd("run", "--rm", "--security-opt", "writable-cgroups=true", testutil.AlpineImage, "mkdir", "/sys/fs/cgroup/foo").AssertOK()
+	base.Cmd("run", "--rm", "--security-opt", "writable-cgroups=false", testutil.AlpineImage, "mkdir", "/sys/fs/cgroup/foo").AssertFail()
+	base.Cmd("run", "--rm", testutil.AlpineImage, "mkdir", "/sys/fs/cgroup/foo").AssertFail()
 }
 
 func TestRunCgroupV1(t *testing.T) {
@@ -176,6 +178,9 @@ func TestRunCgroupV1(t *testing.T) {
 	const expected = "42000\n100000\n0\n44040192\n6291456\n104857600\n0\n42\n2000\n0-1\n"
 	base.Cmd("run", "--rm", "--cpus", "0.42", "--cpuset-mems", "0", "--memory", "42m", "--memory-reservation", "6m", "--memory-swap", "100m", "--memory-swappiness", "0", "--pids-limit", "42", "--cpu-shares", "2000", "--cpuset-cpus", "0-1", testutil.AlpineImage, "cat", quota, period, cpusetMems, memoryLimit, memoryReservation, memorySwap, memorySwappiness, pidsLimit, cpuShare, cpusetCpus).AssertOutExactly(expected)
 	base.Cmd("run", "--rm", "--cpu-quota", "42000", "--cpu-period", "100000", "--cpuset-mems", "0", "--memory", "42m", "--memory-reservation", "6m", "--memory-swap", "100m", "--memory-swappiness", "0", "--pids-limit", "42", "--cpu-shares", "2000", "--cpuset-cpus", "0-1", testutil.AlpineImage, "cat", quota, period, cpusetMems, memoryLimit, memoryReservation, memorySwap, memorySwappiness, pidsLimit, cpuShare, cpusetCpus).AssertOutExactly(expected)
+	base.Cmd("run", "--rm", "--security-opt", "writable-cgroups=true", testutil.AlpineImage, "mkdir", "/sys/fs/cgroup/pids/foo").AssertOK()
+	base.Cmd("run", "--rm", "--security-opt", "writable-cgroups=false", testutil.AlpineImage, "mkdir", "/sys/fs/cgroup/pids/foo").AssertFail()
+	base.Cmd("run", "--rm", testutil.AlpineImage, "mkdir", "/sys/fs/cgroup/pids/foo").AssertFail()
 }
 
 // TestIssue3781 tests https://github.com/containerd/nerdctl/issues/3781

docs/command-reference.md

@@ -244,6 +244,7 @@ Security flags:
 - :whale: `--security-opt apparmor=<PROFILE>`: specify custom AppArmor profile
 - :whale: `--security-opt no-new-privileges`: disallow privilege escalation, e.g., setuid and file capabilities
 - :whale: `--security-opt systempaths=unconfined`: Turn off confinement for system paths (masked paths, read-only paths) for the container
+- :whale: `--security-opt writable-cgroups`: making the cgroups writeable
 - :nerd_face: `--security-opt privileged-without-host-devices`: Don't pass host devices to privileged containers
 - :whale: `--cap-add=<CAP>`: Add Linux capabilities
 - :whale: `--cap-drop=<CAP>`: Drop Linux capabilities

pkg/cmd/container/run_security_linux.go

@@ -18,6 +18,8 @@ package container
 
 import (
 	"errors"
+	"fmt"
+	"strconv"
 	"strings"
 	"sync"
 
@@ -52,7 +54,7 @@ const (
 func generateSecurityOpts(privileged bool, securityOptsMap map[string]string) ([]oci.SpecOpts, error) {
 	for k := range securityOptsMap {
 		switch k {
-		case "seccomp", "apparmor", "no-new-privileges", "systempaths", "privileged-without-host-devices":
+		case "seccomp", "apparmor", "no-new-privileges", "systempaths", "privileged-without-host-devices", "writable-cgroups":
 		default:
 			log.L.Warnf("unknown security-opt: %q", k)
 		}
@@ -118,6 +120,15 @@ func generateSecurityOpts(privileged bool, securityOptsMap map[string]string) ([
 	if privilegedWithoutHostDevices && !privileged {
 		return nil, errors.New("flag `--security-opt privileged-without-host-devices` can't be used without `--privileged` enabled")
 	}
+	if value, ok := securityOptsMap["writable-cgroups"]; ok {
+		writable, err := strconv.ParseBool(value)
+		if err != nil {
+			return nil, fmt.Errorf("invalid \"writable-cgroups\" value: %q", value)
+		}
+		if writable {
+			opts = append(opts, oci.WithWriteableCgroupfs)
+		}
+	}
 
 	if privileged {
 		if privilegedWithoutHostDevices {