BACKPORT: Fix setup cgroup before prestart hook

Upstream reference: opencontainers/runc#1239 Fixes: stefwalter/oci-kvm-hook#3 * User Case: User could use prestart hook to add block devices to container. so the hook should have a way to set the permissions of the devices. Just move cgroup config operation before prestart hook will work. Signed-off-by: Antonio Murdaca <[email protected]>
projectatomic · Jul 17, 2017 · 79db05f · 79db05f
1 parent 2ade59f
commit 79db05f
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
@@ -287,9 +287,6 @@ loop:
 		}
 		switch procSync.Type {
 		case procReady:
-			if err := p.manager.Set(p.config.Config); err != nil {
-				return newSystemErrorWithCause(err, "setting cgroup config for ready process")
-			}
 			// set oom_score_adj
 			if err := setOomScoreAdj(p.config.Config.OomScoreAdj, p.pid()); err != nil {
 				return newSystemErrorWithCause(err, "setting oom score for ready process")
@@ -301,6 +298,10 @@ loop:
 			}
 			// call prestart hooks
 			if !p.config.Config.Namespaces.Contains(configs.NEWNS) {
+				// Setup cgroup before prestart hook, so that the prestart hook could apply cgroup permissions.
+				if err := p.manager.Set(p.config.Config); err != nil {
+					return newSystemErrorWithCause(err, "setting cgroup config for ready process")
+				}
 				if p.config.Config.Hooks != nil {
 					s := configs.HookState{
 						Version: p.container.config.Version,
@@ -321,6 +322,10 @@ loop:
 			}
 			sentRun = true
 		case procHooks:
+			// Setup cgroup before prestart hook, so that the prestart hook could apply cgroup permissions.
+			if err := p.manager.Set(p.config.Config); err != nil {
+				return newSystemErrorWithCause(err, "setting cgroup config for procHooks process")
+			}
 			if p.config.Config.Hooks != nil {
 				s := configs.HookState{
 					Version:    p.container.config.Version,