Merge pull request #20086 from giuseppe/fix-mount-cgroupfs-without-netns

specgen, rootless: fix mount of cgroup without a netns
2025-06-24 03:08:13 +08:00 · 2023-09-22 05:08:12 -04:00
parent 08d05b9b0b 8d3010d06b
commit da6ebeb511
2 changed files with 7 additions and 2 deletions
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@ -125,11 +125,12 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 		}
 		g.AddMount(sysMnt)
 		g.RemoveMount("/sys/fs/cgroup")
+
 		sysFsCgroupMnt := spec.Mount{
 			Destination: "/sys/fs/cgroup",
-			Type:        define.TypeBind,
+			Type:        "cgroup",
 			Source:      "/sys/fs/cgroup",
-			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
+			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r},
 		}
 		g.AddMount(sysFsCgroupMnt)
 		if !s.Privileged && isRootless {
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@ -1167,6 +1167,10 @@ EOF
        # verify that the last /sys/fs/cgroup mount is read-only
        run_podman run --net=host --cgroupns=host --rm $IMAGE sh -c "grep ' / /sys/fs/cgroup ' /proc/self/mountinfo | tail -n 1"
        assert "$output" =~ "/sys/fs/cgroup ro"
+
+        # verify that it works also with a cgroupns
+        run_podman run --net=host --cgroupns=private --rm $IMAGE sh -c "grep ' / /sys/fs/cgroup ' /proc/self/mountinfo | tail -n 1"
+        assert "$output" =~ "/sys/fs/cgroup ro"
    fi
 }