From a1d41ace8eaedfe932261004dc414b4926f3509f Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Sun, 27 Oct 2019 23:09:41 +0900
Subject: [PATCH] cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS

Bind-mount /sys/fs/cgroup when we are in UserNS but CgroupNS is not unshared, because we cannot mount cgroup2. This behavior correspond to crun v0.10.2. Fix #2158
Signed-off-by: Akihiro Suda
---
 libcontainer/rootfs_linux.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 10888b499be..291021440a1 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -279,8 +279,14 @@ func mountCgroupV2(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
 if err := os.MkdirAll(cgroupPath, 0755); err != nil {
 return err
 }
-
- return unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data)
+ if err := unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+ // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
+ if err == unix.EPERM || err == unix.EBUSY {
+ return unix.Mount("/sys/fs/cgroup", cgroupPath, "", uintptr(m.Flags)|unix.MS_BIND, "")
+ }
+ return err
+ }
+ return nil
 }
 
 func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {
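Review bot: The fallback in `mountCgroupV2` is taken on any `EPERM` or `EBUSY` from the cgroup2 mount, so the condition named in the comment (UserNS without an unshared CgroupNS) is never actually checked, and a failure with a different cause would silently bind `/sys/fs/cgroup` into the container instead of surfacing the error. Because the bind source is the hierarchy root rather than the container's own cgroup, the container presumably gets a view of every cgroup visible to the runtime; gating the branch on the existing parameter, e.g. `if !enableCgroupns && (err == unix.EPERM || err == unix.EBUSY) {`, would at least confine that exposure to the configuration the commit message describes. `MS_RDONLY` in `m.Flags` is also not applied by an initial `MS_BIND` mount and needs a separate bind remount, so a mount configured read-only stays writable on this path unless the caller remounts it afterwards; that cannot be confirmed here because the function begins above the hunk and `mountToRootfs` is only shown by its signature. A short comment on the branch stating that the wider cgroup view is an accepted trade-off for this case would help later readers.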