
change the default on cgroups v2 and create a new cgroup namespace. When a cgroup namespace is used, processes inside the namespace are only able to see cgroup paths relative to the cgroup namespace root and do not have full visibility of all the cgroups present on the system. The previous behaviour is maintained on a cgroups v1 host, where a cgroup namespace is not created by default. Closes: https://github.com/containers/libpod/issues/4363 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
// +build !remoteclient
package integration
import (
"os"
. "github.com/containers/libpod/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
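// This suite checks which cgroup a container started by `podman run` ends up
// in, with and without an explicit --cgroup-parent.
//
// Every spec passes --cgroupns=host. Inside a private cgroup namespace the
// container only sees cgroup paths relative to the namespace root, so the
// parent cgroup would not show up in /proc/<pid>/cgroup and the assertions
// could not match. Sharing the host cgroup namespace exposes the host's
// cgroup hierarchy to the container; it is used here only to make the parent
// observable and is not a recommended setting for workloads.
var _ = Describe("Podman run with --cgroup-parent", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		// The specs below are not run for rootless users.
		SkipIfRootless()
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			// Say why setup failed before aborting; a bare exit leaves
			// nothing in the test log to diagnose the failure with.
			_, _ = os.Stderr.WriteString("creating temp dir: " + err.Error() + "\n")
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// An absolute cgroupfs path given as --cgroup-parent must appear in the
	// container's own cgroup membership.
	Specify("valid --cgroup-parent using cgroupfs", func() {
		if !Containerized() {
			Skip("Must be containerized to run this test.")
		}
		parent := "/zzz"
		session := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", parent, fedoraMinimal, "cat", "/proc/self/cgroup"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		found, _ := session.GrepString(parent)
		Expect(found).To(BeTrue())
	})

	// Without --cgroup-parent the container must land under the default
	// parent: "/libpod_parent", or "/machine.slice" when the test is not
	// containerized and the cgroup manager is not cgroupfs.
	Specify("no --cgroup-parent", func() {
		parent := "/libpod_parent"
		if !Containerized() && podmanTest.CgroupManager != "cgroupfs" {
			parent = "/machine.slice"
		}
		session := podmanTest.Podman([]string{"run", "--cgroupns=host", fedoraMinimal, "cat", "/proc/self/cgroup"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		found, _ := session.GrepString(parent)
		Expect(found).To(BeTrue())
	})

	// A slice name given as --cgroup-parent must appear in the cgroup
	// membership reported inside the container.
	Specify("valid --cgroup-parent using slice", func() {
		if Containerized() || podmanTest.CgroupManager == "cgroupfs" {
			Skip("Requires Systemd cgroup manager support")
		}
		parent := "aaaa.slice"
		// NOTE(review): this spec reads /proc/1/cgroup while the others read
		// /proc/self/cgroup; presumably PID 1 in the container is the cat
		// process itself, so both name the same cgroup. Confirm.
		session := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", parent, fedoraMinimal, "cat", "/proc/1/cgroup"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		found, _ := session.GrepString(parent)
		Expect(found).To(BeTrue())
	})
})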