create/run/exec: refuse a frozen cgroup

This bugged me a few times during runc development. A new container is run, and runc init is stuck, 🎶 and nothing ever happens, and I wonder... 🎶 Figuring out that the cause of it is (pre-created) frozen cgroup is not very obvious. In fact, we should not try to run a new runc init process if a cgroup is frozen -- nothing good will come out of it. Add a check that the container cgroup is not frozen before trying to start runc init. A (very bad) alternative to that would be to thaw the cgroup. Add a test case checking that all three runc commands (create, run, and exec) refuse to proceed if the cgroup is frozen. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
opencontainers · Aug 5, 2021 · c28a49a · c28a49a
1 parent 9009c91
commit c28a49a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -233,6 +233,9 @@ func (c *linuxContainer) Start(process *Process) error {
 	if c.config.Cgroups.Resources.SkipDevices {
 		return &ConfigError{"can't start container with SkipDevices set"}
 	}
+	if p, err := c.isPaused(); err == nil && p {
+		return errors.New("container cgroup is frozen")
+	}
 	if process.Init {
 		if err := c.createExecFifo(); err != nil {
 			return err

diff --git a/tests/integration/cgroups.bats b/tests/integration/cgroups.bats
@@ -282,3 +282,32 @@ function setup() {
 	[ "$status" -eq 0 ]
 	[ "$(wc -l <<<"$output")" -eq 1 ]
 }
+
+@test "runc run should refuse to start if cgroup is frozen)" {
+        if [[ "$ROOTLESS" -ne 0 ]]; then
+                requires rootless_cgroup
+        fi
+        requires cgroups_freezer
+
+	set_cgroups_path
+
+	runc run -d --console-socket "$CONSOLE_SOCKET" ct1
+	[ "$status" -eq 0 ]
+	runc pause ct1
+	[ "$status" -eq 0 ]
+
+	# Check that exec, run, and start all fail.
+	runc exec ct1 echo ok
+	[ "$status" -eq 255 ]
+	[[ "$output" == *"container cgroup is frozen"* ]]
+
+	# Run a second container sharing the cgroup with the first one.
+	runc run -d --console-socket "$CONSOLE_SOCKET" ct2
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"container cgroup is frozen"* ]]
+
+	# Same but using runc create
+	runc create --console-socket "$CONSOLE_SOCKET" ct3
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"container cgroup is frozen"* ]]
+}