Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oci: cgroupsv2 namespace / mount handling #3542

Merged
merged 1 commit into from
Feb 21, 2025
Merged

oci: cgroupsv2 namespace / mount handling #3542

merged 1 commit into from
Feb 21, 2025
+94 −16

Conversation

dtrudg
Copy link
Member

@dtrudg dtrudg commented Feb 21, 2025

Description of the Pull Request (PR):

In OCI-Mode, try to create a cgroup for the container even when no resource limits have been requested.

On a cgroups v2 system, with functioning cgroups management, create a cgroups namespace for OCI-Mode containers, and perform an explicit /sys/fs/cgroups mount. The mount is ro by default, or rw when --keep-privs is specified.

This fixes issues with nested container execution in OCI-Mode, and improves compatibility with other OCI runtimes.

Verified manually on cgroups v2 (Fedora/Ubuntu 24.04) and checked for regression on cgroups v1 (RHEL8).

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:

@dtrudg dtrudg added this to the SingularityCE 4.3.0 milestone Feb 21, 2025
@dtrudg dtrudg self-assigned this Feb 21, 2025
@dtrudg
oci: cgroupsv2 namespace / mount handling
e47a81c 
In OCI-Mode, try to create a cgroup for the container even when no
resource limits have been requested.

On a cgroups v2 system, with functioning cgroups management, create a
cgroups namespace for OCI-Mode containers, and perform an explicit
`/sys/fs/cgroups` mount. The mount is `ro` by default, or `rw` when
`--keep-privs` is specified.

This fixes issues with nested container execution in OCI-Mode, and
improves compatibility with other OCI runtimes.

Fixes sylabs#3538
@dtrudg dtrudg marked this pull request as ready for review February 21, 2025 15:52
@dtrudg dtrudg merged commit 2d0c131 into sylabs:main Feb 21, 2025
1 check passed
@dtrudg dtrudg deleted the issue-3538 branch February 21, 2025 17:09
@DrDaveD DrDaveD mentioned this pull request Feb 21, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wobito wobito wobito approved these changes

Assignees

@dtrudg dtrudg

Labels
None yet
Projects
None yet
Milestone
SingularityCE 4.3.0
Development

Successfully merging this pull request may close these issues.

singularity-in-singularity OCI mode nesting requires proper /sys/fs/cgroup mount
2 participants
@dtrudg @wobito