From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Fri, 25 Jul 2025 17:34:35 -0700
Subject: libct: use manager.AddPid to add exec to cgroup
The main benefit here is when we are using a systemd cgroup driver,
we actually ask systemd to add a PID, rather than doing it ourselves.
This way, we can add a rootless exec PID to a cgroup.
This requires newer opencontainers/cgroups and coreos/go-systemd.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
go.mod | 2 +-
libcontainer/container_linux_test.go | 4 ++++
tests/integration/exec.bats | 12 ++++++------
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index c369e27..9243168 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
github.com/moby/sys/user v0.3.0
github.com/moby/sys/userns v0.1.0
github.com/mrunalp/fileutils v0.5.1
- github.com/opencontainers/cgroups v0.0.4
+ github.com/opencontainers/cgroups v0.0.5
github.com/opencontainers/runtime-spec v1.2.1
github.com/opencontainers/selinux v1.12.0
github.com/seccomp/libseccomp-golang v0.10.0
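Review bot: the go.mod hunk only bumps github.com/opencontainers/cgroups v0.0.4 -> v0.0.5, while the commit message says the change also requires a newer coreos/go-systemd; either that dependency is pulled in transitively by cgroups v0.0.5 (worth stating in the message) or its own require line is missing here. The diffstat also shows no go.sum or vendor/ change for the bump, so please confirm those are updated in a companion commit or this will not build with -mod=vendor.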
diff --git a/libcontainer/container_linux_test.go b/libcontainer/container_linux_test.go
index e6bdd86..0d0dc44 100644
--- a/libcontainer/container_linux_test.go
+++ b/libcontainer/container_linux_test.go
@@ -32,6 +32,10 @@ func (m *mockCgroupManager) Apply(pid int) error {
return nil
}
+func (m *mockCgroupManager) AddPid(_ string, _ int) error {
+ return nil
+}
+
func (m *mockCgroupManager) Set(_ *cgroups.Resources) error {
return nil
}
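Review bot: the new mockCgroupManager.AddPid stub discards both arguments and unconditionally returns nil, so no unit test can observe that exec now routes through AddPid with the intended sub-cgroup path rather than through Apply; consider recording the (path, pid) arguments on the mock so a test can assert on them. A `var _ cgroups.Manager = (*mockCgroupManager)(nil)` compile-time check nearby would also make it obvious when the interface grows again.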
diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
index 43fe4c3..35e1cad 100644
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@@ -226,17 +226,17 @@ function check_exec_debug() {
# Check we can't join parent cgroup.
runc exec --cgroup ".." test_busybox cat /proc/self/cgroup
[ "$status" -ne 0 ]
- [[ "$output" == *" .. is not a sub cgroup path"* ]]
+ [[ "$output" == *"bad sub cgroup path"* ]]
# Check we can't join non-existing subcgroup.
runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
[ "$status" -ne 0 ]
- [[ "$output" == *" adding pid "*"/nonexistent/cgroup.procs: no such file "* ]]
+ [[ "$output" == *" adding pid "*"o such file or directory"* ]]
# Check we can't join non-existing subcgroup (for a particular controller).
runc exec --cgroup cpu:nonexistent test_busybox cat /proc/self/cgroup
[ "$status" -ne 0 ]
- [[ "$output" == *" adding pid "*"/nonexistent/cgroup.procs: no such file "* ]]
+ [[ "$output" == *" adding pid "*"o such file or directory"* ]]
# Check we can't specify non-existent controller.
runc exec --cgroup whaaat:/ test_busybox true
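Review bot: the loosened assertions in this hunk drop the leading letter of the expected error (`*"o such file or directory"*` instead of `"no such file "`), presumably to match both "no such file or directory" from the fs driver and "No such file or directory" from the systemd/D-Bus path, but that intent is not documented and the `/nonexistent/cgroup.procs` component is gone, so the test no longer checks that the failure happened at the requested sub-cgroup. Suggest a comment explaining the case difference, or a case-insensitive match such as `[[ "${output,,}" == *"no such file or directory"* ]]`, and keeping the `nonexistent` path component in the pattern.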
@@ -277,12 +277,12 @@ function check_exec_debug() {
# Check we can't join parent cgroup.
runc exec --cgroup ".." test_busybox cat /proc/self/cgroup
[ "$status" -ne 0 ]
- [[ "$output" == *" .. is not a sub cgroup path"* ]]
+ [[ "$output" == *"bad sub cgroup path"* ]]
# Check we can't join non-existing subcgroup.
runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
[ "$status" -ne 0 ]
- [[ "$output" == *" adding pid "*"/nonexistent/cgroup.procs: no such file "* ]]
+ [[ "$output" == *" adding pid "*"o such file or directory"* ]]
# Check we can join top-level cgroup (implicit).
runc exec test_busybox grep '^0::/$' /proc/self/cgroup
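Review bot: this hunk repeats the same three pattern changes as the earlier cgroup v1 block (`"bad sub cgroup path"` and `*"o such file or directory"*`), so the expected error strings now live in two places and will drift again on the next wording change; a small helper that asserts the "bad sub cgroup path" and "no such file" cases for a given --cgroup argument would keep the v1 and v2 variants of check_exec_debug in sync.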
@@ -318,7 +318,7 @@ function check_exec_debug() {
# Check that --cgroup / disables the init cgroup fallback.
runc exec --cgroup / test_busybox true
[ "$status" -ne 0 ]
- [[ "$output" == *" adding pid "*" to cgroups"*"/cgroup.procs: device or resource busy"* ]]
+ [[ "$output" == *" adding pid "*" to cgroups"*"evice or resource busy"* ]]
# Check that explicit --cgroup foobar works.
runc exec --cgroup foobar test_busybox grep '^0::/foobar$' /proc/self/cgroup
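Review bot: `*"evice or resource busy"*` has the same leading-letter trimming as the other hunks; since this is the only assertion covering the "--cgroup / disables the init cgroup fallback" behaviour, it would be better to state explicitly (in a comment) that the systemd driver reports "Device or resource busy" with a capital letter, or to match on `${output,,}`, so a future reader does not mistake the trimmed string for a typo and "fix" it.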