jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Do not set devices cgroup entries if in a user namespace 

When in a non-initial user namespace you cannot update the devices
cgroup whitelist (or blacklist).  The kernel won't allow it.  So
detect that case and don't try.

This is a step to being able to run docker/runc containers inside a user
namespaced container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This commit is contained in:
Serge Hallyn 2016-02-16 16:43:42 -08:00
parent ce72f86a2b
commit 655f8ea808
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libcontainer/cgroups/fs/devices.go
View File

@ -5,6 +5,7 @@ package fs
import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/system"
)
type DevicesGroup struct {
@ -25,6 +26,10 @@ func (s *DevicesGroup) Apply(d *cgroupData) error {
}
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
if system.RunningInUserNS() {
return nil
}
devices := cgroup.Resources.Devices
if len(devices) > 0 {
for _, dev := range devices {