Merge pull request opencontainers#2159 from AkihiroSuda/cgroup2-mount…

…-in-userns cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS
AkihiroSuda · Oct 29, 2019 · 03cf145 · 03cf145
2 parents f04fb99 + 9c81440
commit 03cf145
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -279,8 +279,14 @@ func mountCgroupV2(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
 	if err := os.MkdirAll(cgroupPath, 0755); err != nil {
 		return err
 	}
-
-	return unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data)
+	if err := unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+		// when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
+		if err == unix.EPERM || err == unix.EBUSY {
+			return unix.Mount("/sys/fs/cgroup", cgroupPath, "", uintptr(m.Flags)|unix.MS_BIND, "")
+		}
+		return err
+	}
+	return nil
 }
 
 func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {