From 91227e3073db19c00becb02b640b408e015f9f77 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Fri, 29 Sep 2023 20:31:22 +0900
Subject: [PATCH] Limit OOMScoreAdj when running in UserNS ("Rootful-in-Rootless")

Fix issue 46563 "Rootful-in-Rootless dind doesn't work since systemd v250 (due to oom score adj)"

Signed-off-by: Akihiro Suda
(cherry picked from commit ad877271f32573aefb2b6abdca67b8cc692c980e)
> Conflicts:
> daemon/oci_linux.go
Signed-off-by: Akihiro Suda
---
 daemon/oci_linux.go | 11 +++++++++++
 pkg/rootless/specconv/specconv_linux.go | 14 ++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 827ade009f..3ab7fc5785 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -114,6 +114,15 @@ func WithRootless(daemon *Daemon) coci.SpecOpts {
 }
 }
 
+// withRootfulInRootless is used for "rootful-in-rootless" dind;
+// the daemon is running in UserNS but has no access to RootlessKit API socket, host filesystem, etc.
+func withRootfulInRootless(daemon *Daemon, daemonCfg *dconfig.Config) coci.SpecOpts {
+ return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
+ specconv.ToRootfulInRootless(s)
+ return nil
+ }
+}
+
 // WithOOMScore sets the oom score
 func WithOOMScore(score *int) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
@@ -1094,6 +1103,8 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
 }
 if daemon.configStore.Rootless {
 opts = append(opts, WithRootless(daemon))
+ } else if userns.RunningInUserNS() {
+ opts = append(opts, withRootfulInRootless(daemon, daemon.configStore))
 }
 return &s, coci.ApplyOpts(context.Background(), nil, &containers.Container{
 ID: c.ID,
diff --git a/pkg/rootless/specconv/specconv_linux.go b/pkg/rootless/specconv/specconv_linux.go
index 06f55ef13d..4cf54d19a8 100644
--- a/pkg/rootless/specconv/specconv_linux.go
+++ b/pkg/rootless/specconv/specconv_linux.go
@@ -12,6 +12,20 @@ import (
 "github.com/sirupsen/logrus"
 )
 
+// ToRootfulInRootless is used for "rootful-in-rootless" dind;
+// the daemon is running in UserNS but has no access to RootlessKit API socket, host filesystem, etc.
+//
+// This fuction does:
+// * Fix up OOMScoreAdj (needed since systemd v250: https://github.com/moby/moby/issues/46563)
+func ToRootfulInRootless(spec *specs.Spec) {
+ if spec.Process == nil || spec.Process.OOMScoreAdj == nil {
+ return
+ }
+ if currentOOMScoreAdj := getCurrentOOMScoreAdj(); *spec.Process.OOMScoreAdj < currentOOMScoreAdj {
+ *spec.Process.OOMScoreAdj = currentOOMScoreAdj
+ }
+}
+
 // ToRootless converts spec to be compatible with "rootless" runc.
 // * Remove non-supported cgroups
 // * Fix up OOMScoreAdj
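Review bot: Both parameters of withRootfulInRootless are unused — the returned closure only calls specconv.ToRootfulInRootless(s), so `daemon` and `daemonCfg` are dead, and the createSpec hunk further down passes `daemon.configStore` for nothing. Either drop them (`func withRootfulInRootless() coci.SpecOpts` and `opts = append(opts, withRootfulInRootless())`) or, if they are kept for symmetry with WithRootless and later use, name them `_` so the intent is explicit. The doc comment would also help readers more if it said what the option actually changes today, e.g. `// Currently it only clamps OOMScoreAdj; see specconv.ToRootfulInRootless.` createSpec's body starts and ends outside the second hunk.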
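Review bot: The clamp in the second if silently replaces the user-requested OOMScoreAdj with the daemon's own value and nothing records that this happened; a debug line next to the assignment, `logrus.Debugf("rootful-in-rootless: raising OOMScoreAdj from %d to %d", *spec.Process.OOMScoreAdj, currentOOMScoreAdj)`, would make the behaviour visible when someone later wonders why the requested score had no effect (logrus is already imported in the context lines above). The doc comment has a typo: `// This fuction does:` should read `// This function does:`. What happens when the daemon's current value cannot be read depends on getCurrentOOMScoreAdj, which is defined outside this hunk; if it can return a value above the request on a read failure, the clamp would raise the score unintentionally, so that fallback is worth confirming.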