Merge pull request #9125 from gkurz/fix-agent-cgroup-ns

agent: Run container workload in its own cgroup namespace (cgroup v2 guest only)
2025-09-17 14:58:16 +00:00 · 2024-02-23 10:40:17 +08:00
parent e342a9adc4 600b951afd
commit 89c76d7d8d
2 changed files with 10 additions and 5 deletions
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -1365,6 +1365,7 @@ dependencies = [
 "once_cell",
 "rand",
 "safe-path",
+ "serde",
 "serde_json",
 "slog",
 "slog-scope",
@@ -2605,9 +2606,9 @@ dependencies = [

 [[package]]
 name = "serde"
-version = "1.0.137"
+version = "1.0.164"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61ea8d54c77f8315140a05f4c7237403bf38b72704d031543aa1d16abbf517d1"
+checksum = "9e8c8cf938e98f769bc164923b06dce91cea1751522f46f8466461af04c9027d"
 dependencies = [
 "serde_derive",
 ]
@@ -2644,13 +2645,13 @@ checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70"

 [[package]]
 name = "serde_derive"
-version = "1.0.137"
+version = "1.0.164"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f26faba0c3959972377d3b2d306ee9f71faee9714294e41bb777f83f88578be"
+checksum = "d9735b638ccc51c28bf6914d90a2e9725b377144fc612c49a611fddd1b631d68"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 1.0.109",
+ "syn 2.0.16",
 ]

 [[package]]
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -556,6 +556,10 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {

    sched::unshare(to_new & !CloneFlags::CLONE_NEWUSER)?;

+    if cgroups::hierarchies::is_cgroup2_unified_mode() {
+        sched::unshare(CloneFlags::CLONE_NEWCGROUP)?;
+    }
+
    if userns {
        bind_device = true;
    }