Cannot update devices cgroups when already in a user namespace
Therefore check for that.  This is a step to being able to run
docker/runc containers inside a user namespaced container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
hallyn committed Jan 7, 2016
1 parent f03b7f8 commit af6a5b6
Showing 2 changed files with 11 additions and 0 deletions.
4 changes: 4 additions & 0 deletions Godeps/Godeps.json


7 changes: 7 additions & 0 deletions libcontainer/cgroups/fs/devices.go
Expand Up @@ -3,6 +3,7 @@
package fs

import (
"github.com/lxc/lxd/shared"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
)
Expand All @@ -15,6 +16,9 @@ func (s *DevicesGroup) Name() string {
}

func (s *DevicesGroup) Apply(d *cgroupData) error {
if shared.RunningInUserNS() {
return nil
}
dir, err := d.join("devices")
if err != nil {
// We will return error even it's `not found` error, devices
Expand All @@ -30,6 +34,9 @@ func (s *DevicesGroup) Apply(d *cgroupData) error {
}

func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
if shared.RunningInUserNS() {
return nil
}
if !cgroup.Resources.AllowAllDevices {
if err := writeFile(path, "devices.deny", "a"); err != nil {
return err
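Review bot: The early `return nil` in Apply skips `d.join("devices")` entirely, which contradicts the existing comment just below it calling the devices cgroup a hard requirement for container security; inside a user namespace the configured device policy is now dropped with no signal to the caller, and Set likewise returns before the `devices.deny` write. If the intent is that the enclosing container's devices cgroup still confines the process, that assumption should be stated at the check, e.g. `// In a user namespace the devices cgroup cannot be updated; the outer devices cgroup is relied on and this container's own device rules are NOT enforced.` It would also help to log when a config with `AllowAllDevices` false is skipped, so an operator can tell the restriction was not applied. Importing `github.com/lxc/lxd/shared` for a single helper widens the vendored dependency surface of the cgroup code, so a small local check may be preferable. Both function bodies continue outside the visible hunks.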
