gvisor: Bug: disable cgroup controller net_cls and net_prio can't use runsc
Description
podman using runsc with the cgroup controllers net_cls and net_prio disabled: runsc is not working.
expected behavior: runsc does not use the cgroup controllers net_cls and net_prio and continues to run
observed behavior: runsc outputs Error: OCI runtime error: creating container: configuring cgroup: mkdir /sys/fs/cgroup/net_cls/libpod_parent: read-only file system and exits
Steps to reproduce
- Add cgroup_no_v1=net_cls,net_prio to the kernel command-line parameters and reboot
- Add a text to the [engine.runtimes] section of /etc/containers/containers.conf for podman to recognize runsc
- Run
# podman --cgroup-manager cgroupfs --runtime runsc run --rm docker.io/library/hello-world
The text:
runsc = [
"/usr/bin/runsc",
"/usr/sbin/runsc",
"/usr/local/bin/runsc",
"/usr/local/sbin/runsc",
"/sbin/runsc",
"/bin/scrun",
"/run/current-system/sw/bin/runsc",
]
Environment
Please include the following details of your environment:
runsc -version
runsc version release-20210322.0
spec: 1.0.2
podman version
Version: 3.1.1
API Version: 3.1.1
Go Version: go1.16.3
Git Commit: 713995bfc325250fefe2750e81d98eb1c65acaec
Built: Sat Apr 17 21:07:42 2021
OS/Arch: linux/amd64
uname -a
Linux arch 5.11.14-arch1-1 #1 SMP PREEMPT Wed, 14 Apr 2021 12:06:34 +0000 x86_64 GNU/Linux
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (5 by maintainers)
Commits related to this issue
- Fixes to runsc cgroups When loading cgroups for another process, `/proc/self` was used in a few places, causing the end state to be a mix of the process and self. This is now fixes to always use the ... — committed to google/gvisor by fvoznika 3 years ago
- Skip readonly controllers Some system have controller directories created, but they are read-only. Handle that case and skip optional controllers. Updates #5887 PiperOrigin-RevId: 411692184 — committed to google/gvisor by fvoznika 3 years ago
- Skip readonly controllers Some system have controller directories created, but they are read-only. Handle that case and skip optional controllers. Closes #5887 PiperOrigin-RevId: 411692184 — committed to google/gvisor by fvoznika 3 years ago
- Skip readonly controllers Some system have controller directories created, but they are read-only. Handle that case and skip optional controllers. Closes #5887 PiperOrigin-RevId: 411907208 — committed to google/gvisor by fvoznika 3 years ago
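The check named in the "Skip readonly controllers" commits, sketched as an added example (not gVisor's code and not from the commits): it resolves which mount covers a cgroup v1 controller directory and skips an optional controller when that mount is read-only or is not a cgroup hierarchy. The sample mount table is constructed, and the `decide` function and the optional/required split (net_cls and net_prio optional, memory required) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /proc/mounts sample (assumed layout, not taken from the issue):
// read-only tmpfs at the v1 root, a memory hierarchy, no net_cls mount.
const sampleMounts = `tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0`

// decide (hypothetical helper) scans /proc/mounts-format text for the mount
// covering path (longest prefix, later entries win ties) and returns
// "use", "skip" or "fail".
func decide(mountsText, path string, optional bool) string {
	bestLen, usable := -1, false
	for _, line := range strings.Split(mountsText, "\n") {
		f := strings.Fields(line) // device, mount point, fstype, options, ...
		if len(f) < 4 {
			continue
		}
		covers := path == f[1] || strings.HasPrefix(path, strings.TrimSuffix(f[1], "/")+"/")
		if covers && len(f[1]) >= bestLen {
			bestLen = len(f[1])
			readOnly := strings.Contains(","+f[3]+",", ",ro,")
			// Only a writable cgroup v1 hierarchy accepts mkdir for a new group.
			usable = f[2] == "cgroup" && !readOnly
		}
	}
	switch {
	case usable:
		return "use"
	case optional:
		return "skip" // optional controller on a read-only or non-cgroup path
	}
	return "fail" // required controller that cannot be configured
}

func main() {
	// Assumed policy: net_cls and net_prio optional, memory required.
	for _, ctrl := range []string{"memory", "net_cls", "net_prio"} {
		path := "/sys/fs/cgroup/" + ctrl
		fmt.Printf("%-8s -> %s\n", ctrl, decide(sampleMounts, path, ctrl != "memory"))
	}
}
```

With the constructed table, net_cls resolves to the read-only tmpfs rather than a cgroup mount, which is the state where a mkdir under it returns "read-only file system".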
@unknowndevQwQ Your attached log shows the same error and I am also unable to get podman working with runsc in general.
It took me a bit longer to understand @ianlewis’s comment, but can confirm this works:
After configuring podman to use cgroupfs via containers.conf and using cgroups v1,