diff --git a/executor/oci/spec.go b/executor/oci/spec.go
index 96aff5ffac55..849a70b90b5c 100644
--- a/executor/oci/spec.go
+++ b/executor/oci/spec.go
@@ -138,7 +138,7 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 return nil, nil, err
 }
- if cgroupNamespaceSupported() {
+ if cgroupV2NamespaceSupported() {
 s.Linux.Namespaces = append(s.Linux.Namespaces, specs.LinuxNamespace{
 Type: specs.CgroupNamespace,
 })
diff --git a/executor/oci/spec_freebsd.go b/executor/oci/spec_freebsd.go
index 2707c6b4d887..abb18799de77 100644
--- a/executor/oci/spec_freebsd.go
+++ b/executor/oci/spec_freebsd.go
@@ -56,6 +56,6 @@ func getTracingSocket() string {
 return ""
 }
-func cgroupNamespaceSupported() bool {
+func cgroupV2NamespaceSupported() bool {
 return false
 }
diff --git a/executor/oci/spec_linux.go b/executor/oci/spec_linux.go
index cd9912b906be..e86834358e94 100644
--- a/executor/oci/spec_linux.go
+++ b/executor/oci/spec_linux.go
@@ -148,11 +148,19 @@ func getTracingSocket() string {
 return fmt.Sprintf("unix://%s", tracingSocketPath)
 }
-func cgroupNamespaceSupported() bool {
+func cgroupV2NamespaceSupported() bool {
+ // Check if cgroups v2 namespaces are supported. Trying to do cgroup
+ // namespaces with cgroups v1 results in EINVAL when we encounter a
+ // non-standard hierarchy.
+ // See https://github.com/moby/buildkit/issues/4108
 cgroupNSOnce.Do(func() {
- if _, err := os.Stat("/proc/self/ns/cgroup"); !os.IsNotExist(err) {
- supportsCgroupNS = true
+ if _, err := os.Stat("/proc/self/ns/cgroup"); os.IsNotExist(err) {
+ return
 }
+ if _, err := os.Stat("/sys/fs/cgroup/cgroup.subtree_control"); os.IsNotExist(err) {
+ return
+ }
+ supportsCgroupNS = true
 })
 return supportsCgroupNS
 }
diff --git a/executor/oci/spec_windows.go b/executor/oci/spec_windows.go
index 0201bcd7689d..63266bb640fe 100644
--- a/executor/oci/spec_windows.go
+++ b/executor/oci/spec_windows.go
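Review bot: Both `os.Stat` probes in cgroupV2NamespaceSupported (spec_linux.go) fail open: only `os.IsNotExist(err)` returns early, so any other error, for example a permission error on `/sys/fs/cgroup` in a restricted environment, falls through to `supportsCgroupNS = true`. For the new `cgroup.subtree_control` probe this means a host where cgroup v2 could not be confirmed is still treated as v2, which is the case the comment says ends in EINVAL. Using `if _, err := os.Stat("/sys/fs/cgroup/cgroup.subtree_control"); err != nil { return }`, and the same for the `/proc/self/ns/cgroup` probe, would enable the namespace only on a positive result. The comment could also state that on cgroup v1 or hybrid hosts GenerateSpec now adds no cgroup namespace at all, so the build container presumably keeps its parent's cgroup view there. `cgroupNSOnce` and `supportsCgroupNS` are declared outside the hunk.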
@@ -97,6 +97,6 @@ func getTracingSocket() string {
 return fmt.Sprintf("npipe://%s", filepath.ToSlash(tracingSocketPath))
 }
-func cgroupNamespaceSupported() bool {
+func cgroupV2NamespaceSupported() bool {
 return false
 }