Merge pull request #10845 from DataDog/dind-subcgroup-fix

Add process to init subcgroup when we're using dind with cgroups v2
Fabiano Fidêncio 2025-02-14 18:12:24 +01:00 committed by GitHub
commit d5878437a4
GPG Key ID: B5690EEEBB952194
3 changed files with 22 additions and 5 deletions


@ -1170,6 +1170,23 @@ impl Manager {
}) })
} }
pub fn subcgroup(&self) -> &str {
// Check if we're in a Docker-in-Docker setup by verifying:
// 1. We're using cgroups v2 (which restricts direct process control)
// 2. An "init" subdirectory exists (used by DinD for process delegation)
let is_dind = cgroups::hierarchies::is_cgroup2_unified_mode()
&& cgroups::hierarchies::auto()
.root()
.join(&self.cpath)
.join("init")
.exists();
if is_dind {
"/init/"
} else {
"/"
}
}
fn get_paths_and_mounts( fn get_paths_and_mounts(
cpath: &str, cpath: &str,
) -> Result<(HashMap<String, String>, HashMap<String, String>)> { ) -> Result<(HashMap<String, String>, HashMap<String, String>)> {
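Review bot: The DinD check in `subcgroup()` ends in `.exists()`, which returns false on any metadata error and true for any entry named `init` whether or not it is a directory, so a permission problem or an unexpected entry silently changes where processes get attached. Using `.is_dir()` in place of `.exists()` narrows the test to the case the comment describes. `Path::join` also discards the left-hand side when its argument is absolute, so if `self.cpath` can begin with `/` (its definition is outside this hunk) the test would run against a path outside the cgroup root; stripping a leading `/` before `.join(&self.cpath)` would rule that out. As a new `pub fn`, it would also benefit from a `///` comment stating that the return value is the sub-path handed to systemd, either `"/"` or `"/init/"`.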


@ -19,7 +19,7 @@ pub trait SystemdInterface {
fn kill_unit(&self) -> Result<()>; fn kill_unit(&self) -> Result<()>;
fn freeze_unit(&self) -> Result<()>; fn freeze_unit(&self) -> Result<()>;
fn thaw_unit(&self) -> Result<()>; fn thaw_unit(&self) -> Result<()>;
fn add_process(&self, pid: i32) -> Result<()>; fn add_process(&self, pid: i32, subcgroup: &str) -> Result<()>;
fn get_version(&self) -> Result<String>; fn get_version(&self) -> Result<String>;
fn unit_exists(&self) -> Result<bool>; fn unit_exists(&self) -> Result<bool>;
} }
@ -151,11 +151,10 @@ impl SystemdInterface for DBusClient {
} }
} }
fn add_process(&self, pid: i32) -> Result<()> { fn add_process(&self, pid: i32, subcgroup: &str) -> Result<()> {
let proxy = self.build_proxy()?; let proxy = self.build_proxy()?;
proxy proxy
.attach_processes_to_unit(&self.unit_name, "/", &[pid as u32]) .attach_processes_to_unit(&self.unit_name, subcgroup, &[pid as u32])
.context(format!( .context(format!(
"failed to add process into unit {}", "failed to add process into unit {}",
self.unit_name self.unit_name
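Review bot: The new `subcgroup: &str` parameter of `add_process` is forwarded unchanged to `attach_processes_to_unit` in the `DBusClient` impl, and neither the trait declaration nor the impl says which values are accepted. A doc comment on the trait method, such as `/// subcgroup: path below the unit's cgroup; "/" means the unit root`, would keep future callers from passing an arbitrary string; an enum would enforce it, though that is a larger change. The error context still names only `self.unit_name`, so a failed attach to `/init/` reads the same as one to `/`; `"failed to add process into unit {} (subcgroup {})"` with `subcgroup` as the second argument would distinguish them. The body of `add_process` continues outside the hunk.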


@ -41,7 +41,8 @@ pub struct Manager {
impl CgroupManager for Manager { impl CgroupManager for Manager {
fn apply(&self, pid: pid_t) -> Result<()> { fn apply(&self, pid: pid_t) -> Result<()> {
if self.dbus_client.unit_exists()? { if self.dbus_client.unit_exists()? {
self.dbus_client.add_process(pid)?; let subcgroup = self.fs_manager.subcgroup();
self.dbus_client.add_process(pid, subcgroup)?;
} else { } else {
self.dbus_client.start_unit( self.dbus_client.start_unit(
(pid as u32).try_into().unwrap(), (pid as u32).try_into().unwrap(),
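Review bot: `apply` now picks the attach target from `self.fs_manager.subcgroup()` on every call, and per the first file section of this commit that answer depends on whether an `init` directory exists under the container's cgroup at that moment. That directory is presumably created by the workload rather than by the agent, so the placement of later processes depends on state the agent does not own, and the `else` branch passes no subcgroup as far as the hunk shows. A comment above the call would record the reasoning, e.g. `// cgroup v2 + DinD: the workload moves itself into <unit>/init, so later pids must be attached there, not to the unit root`. The `start_unit` call continues outside the hunk.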