Add validation for CGroup parents. Pass CGroups path into runc

Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
2025-10-17 19:24:04 +08:00 · 2018-03-15 22:42:04 -04:00
parent 6756af386f
commit 15ca5f2687
3 changed files with 34 additions and 4 deletions
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@ -3,6 +3,7 @@ package libpod
 import (
 	"context"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
@ -60,6 +61,24 @@ func (r *Runtime) NewContainer(ctx context.Context, rSpec *spec.Spec, options ..
 		ctr.config.Name = name
 	}

+	// Check CGroup parent sanity, and set it if it was not set
+	switch r.config.CgroupManager {
+	case CgroupfsCgroupsManager:
+		if ctr.config.CgroupParent == "" {
+			ctr.config.CgroupParent = CgroupfsDefaultCgroupParent
+		} else if strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") {
+			return nil, errors.Wrapf(ErrInvalidArg, "systemd slice received as cgroup parent when using cgroupfs")
+		}
+	case SystemdCgroupsManager:
+		if ctr.config.CgroupParent == "" {
+			ctr.config.CgroupParent = SystemdDefaultCgroupParent
+		} else if len(ctr.config.CgroupParent) < 6 || !strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") {
+			return nil, errors.Wrapf(ErrInvalidArg, "did not receive systemd slice as cgroup parent when using systemd to manage cgroups")
+		}
+	default:
+		return nil, errors.Wrapf(ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.CgroupManager)
+	}
+
 	// Set up storage for the container
 	if err := ctr.setupStorage(ctx); err != nil {
 		return nil, err