[1.0] Don't freeze cgroup on update for systemd cgroup v2 #3092

Merged
merged 2 commits into from
Jul 15, 2021

Conversation

kolyshkin
Contributor

@kolyshkin kolyshkin commented Jul 15, 2021

Backport of #3067 to release-1.0. Cherry-picked with a trivial conflict due to missing b60e2ed.

Changelog entry

 - cgroup/systemd/v2: don't freeze cgroup on Set. (#3092)

Run device update tests on cgroup v2, and add a test verifying that we
don't allow access to devices when we don't intend to.

Signed-off-by: Odin Ugedal <odin@uged.al>
(cherry picked from commit d41a273)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Since device updates in cgroup v2 are atomic for systemd, there is no
need to freeze the processes before running the updates.

Signed-off-by: Odin Ugedal <odin@uged.al>
(cherry picked from commit f33be7c, trivial conflict
 due to missing commit b60e2ed)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
Contributor Author

It seems that backport/1.0-pr kind of duplicates the 1.0.x milestone, but maybe I'm missing something

@cyphar
Member

cyphar commented Jul 15, 2021

> It seems that backport/1.0-pr kind of duplicates the 1.0.x milestone, but maybe I'm missing something

The 1.0.x milestone is used for issues and PRs that are intended to be included in 1.0.x but are made against master, while backport/1.0-pr is for the actual backport PRs (making it slightly more robust than just putting [1.0] in the title). But arguably backport/1.0-target (which was will-backport-to/1.0.x) is a duplicate of the milestone.

Member

@cyphar cyphar left a comment

LGTM.

@cyphar cyphar merged commit e14c134 into opencontainers:release-1.0 Jul 15, 2021
@kolyshkin
Contributor Author

CI has failed on CentOS during merge commit testing: https://github.com/opencontainers/runc/runs/3081256160?check_suite_focus=true. This has definitely nothing to do with the code in here, but is a manifestation of occasional "unable to freeze" on CentOS 7 which we see from time to time (and which I've tried to fix in #2941, #2918, #2791, #2774).

I have checked and re-checked that in #3094 but got no more failures. Guess it was a glitch; hopefully we'll see less of that once #3088 is implemented.

breakings added a commit to breakings/packages that referenced this pull request Aug 8, 2021
This is the first stable release in the 1.0 branch, fixing a few medium
and high priority issues with runc 1.0.0, including a few that affect
Kubernetes' usage of libcontainer.

Bugfixes:

- Fixed occasional runc exec/run failure ("interrupted system call") on an
  Azure volume. ([#3074](opencontainers/runc#3074))
- Fixed "unable to find groups ... token too long" error with /etc/group
  containing lines longer than 64K characters. ([#3079](opencontainers/runc#3079))
- cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
  frozen. This is a regression in 1.0.0, not affecting runc itself but some
  of libcontainer users (e.g. Kubernetes). ([#3085](opencontainers/runc#3085))
- cgroupv2: bpf: Ignore inaccessible existing programs in case of
  permission error when handling replacement of existing bpf cgroup
  programs. This fixes a regression in 1.0.0, where some SELinux
  policies would block runc from being able to run entirely. ([#3087](opencontainers/runc#3087))
- cgroup/systemd/v2: don't freeze cgroup on Set. ([#3092](opencontainers/runc#3092))
- cgroup/systemd/v1: avoid unnecessary freeze on Set. ([#3093](opencontainers/runc#3093))