Merge pull request #17736 from giuseppe/no-private-cgroupns-systemd

cgroupns: private cgroupns on cgroupv1 breaks --systemd

libpod/container_internal_linux.go

@@ -242,9 +242,6 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 		return err
 	}
 
-	if unified {
-		g.RemoveMount("/sys/fs/cgroup")
-
 	hasCgroupNs := false
 	for _, ns := range c.config.Spec.Linux.Namespaces {
 		if ns.Type == spec.CgroupNamespace {
@@ -253,6 +250,9 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 		}
 	}
 
+	if unified {
+		g.RemoveMount("/sys/fs/cgroup")
+
 		var systemdMnt spec.Mount
 		if hasCgroupNs {
 			systemdMnt = spec.Mount{
@@ -271,9 +271,14 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 		}
 		g.AddMount(systemdMnt)
 	} else {
+		hasSystemdMount := MountExists(mounts, "/sys/fs/cgroup/systemd")
+		if hasCgroupNs && !hasSystemdMount {
+			return errors.New("cgroup namespace is not supported with cgroup v1 and systemd mode")
+		}
 		mountOptions := []string{"bind", "rprivate"}
-		skipMount := false
 
+		if !hasSystemdMount {
+			skipMount := hasSystemdMount
 			var statfs unix.Statfs_t
 			if err := unix.Statfs("/sys/fs/cgroup/systemd", &statfs); err != nil {
 				if errors.Is(err, os.ErrNotExist) {
@@ -307,6 +312,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 				g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
 			}
 		}
+	}
 
 	return nil
 }
@@ -446,7 +452,7 @@ func (c *Container) addNetworkNamespace(g *generate.Generator) error {
 func (c *Container) addSystemdMounts(g *generate.Generator) error {
 	if c.Systemd() {
 		if err := c.setupSystemd(g.Mounts(), *g); err != nil {
-			return fmt.Errorf("adding systemd-specific mounts: %w", err)
+			return err
 		}
 	}
 	return nil

test/system/250-systemd.bats

@@ -280,6 +280,13 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
     is "${container_uuid}" "${output:0:32}" "UUID should be first 32 chars of Container id"
 }
 
+@test "podman --systemd fails on cgroup v1 with a private cgroupns" {
+    skip_if_cgroupsv2
+
+    run_podman 126 run --systemd=always --cgroupns=private $IMAGE true
+    assert "$output" =~ ".*cgroup namespace is not supported with cgroup v1 and systemd mode"
+}
+
 # https://github.com/containers/podman/issues/13153
 @test "podman rootless-netns slirp4netns process should be in different cgroup" {
     is_rootless || skip "only meaningful for rootless"

test/system/helpers.bash

@@ -497,6 +497,15 @@ function skip_if_cgroupsv1() {
     fi
 }
 
+#######################
+#  skip_if_cgroupsv2  #  ...with an optional message
+#######################
+function skip_if_cgroupsv2() {
+    if is_cgroupsv2; then
+        skip "${1:-test requires cgroupsv1}"
+    fi
+}
+
 ######################
 #  skip_if_rootless_cgroupsv1  #  ...with an optional message
 ######################