oci: make sure cgroupns is enabled if supported

tonistiigi · tonistiigi · commit c96364913ef6 · 2023-07-07T15:15:55.000-07:00
Signed-off-by: Tonis Tiigi &lt;tonistiigi@gmail.com&gt;
diff --git a/executor/oci/spec.go b/executor/oci/spec.go
@@ -137,6 +137,12 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		return nil, nil, err
 	}
 
+	if cgroupNamespaceSupported() {
+		s.Linux.Namespaces = append(s.Linux.Namespaces, specs.LinuxNamespace{
+			Type: specs.CgroupNamespace,
+		})
+	}
+
 	if len(meta.Ulimit) == 0 {
 		// reset open files limit
 		s.Process.Rlimits = nil
diff --git a/executor/oci/spec_unix.go b/executor/oci/spec_unix.go
@@ -6,7 +6,9 @@ package oci
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
+	"sync"
 
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
@@ -21,6 +23,11 @@ import (
 	"github.com/pkg/errors"
 )
 
+var (
+	cgroupNSOnce     sync.Once
+	supportsCgroupNS bool
+)
+
 const (
 	tracingSocketPath = "/dev/otel-grpc.sock"
 )
@@ -139,3 +146,12 @@ func getTracingSocketMount(socket string) specs.Mount {
 func getTracingSocket() string {
 	return fmt.Sprintf("unix://%s", tracingSocketPath)
 }
+
+func cgroupNamespaceSupported() bool {
+	cgroupNSOnce.Do(func() {
+		if _, err := os.Stat("/proc/self/ns/cgroup"); !os.IsNotExist(err) {
+			supportsCgroupNS = true
+		}
+	})
+	return supportsCgroupNS
+}
diff --git a/executor/oci/spec_windows.go b/executor/oci/spec_windows.go
@@ -63,3 +63,7 @@ func getTracingSocketMount(socket string) specs.Mount {
 func getTracingSocket() string {
 	return fmt.Sprintf("npipe://%s", filepath.ToSlash(tracingSocketPath))
 }
+
+func cgroupNamespaceSupported() bool {
+	return false
+}

Original file line number	Diff line number	Diff line change
`@@ -63,3 +63,7 @@ func getTracingSocketMount(socket string) specs.Mount {`
`63`	`63`	`func getTracingSocket() string {`
`64`	`64`	`return fmt.Sprintf("npipe://%s", filepath.ToSlash(tracingSocketPath))`
`65`	`65`	`}`
	`66`	`+`
	`67`	`+func cgroupNamespaceSupported() bool {`
	`68`	`+ return false`
	`69`	`+}`