libct/cg/sd: ignore UnitExists only for Apply(-1)

kolyshkin · kolyshkin · commit c23ac0d852c9 · 2023-03-30T19:55:39.000-07:00
Commit 94efc45 ("Ignore error when starting transient unit that already exists" modified the code handling errors from startUnit to ignore UnitExists error. Apparently it was done so that kubelet can create the same pod slice over and over without hitting an error (see [1]). While it works for a pod slice to ensure it exists, it is a gross bug to ignore UnitExists when creating a container. In this case, the container init PID won't be added to the systemd unit (and to the required cgroup), and as a result the container will successfully run in a current user cgroup, without any cgroup limits applied. So, fix the code to only ignore UnitExists if we're not adding a process to the systemd unit. This way, kubelet will keep working as is, but runc will refuse to create containers which are not placed into a requested cgroup. [1] opencontainers/runc#1124 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
@@ -124,7 +124,7 @@ func isUnitExists(err error) bool {
 	return isDbusError(err, "org.freedesktop.systemd1.UnitExists")
 }
 
-func startUnit(cm *dbusConnManager, unitName string, properties []systemdDbus.Property) error {
+func startUnit(cm *dbusConnManager, unitName string, properties []systemdDbus.Property, ignoreExist bool) error {
 	statusChan := make(chan string, 1)
 	err := cm.retryOnDisconnect(func(c *systemdDbus.Conn) error {
 		_, err := c.StartTransientUnitContext(context.TODO(), unitName, "replace", properties, statusChan)
@@ -134,7 +134,13 @@ func startUnit(cm *dbusConnManager, unitName string, properties []systemdDbus.Pr
 		if !isUnitExists(err) {
 			return err
 		}
-		return nil
+		if ignoreExist {
+			// TODO: remove this hack.
+			// This is kubelet making sure a slice exists (see
+			// https://github.com/opencontainers/runc/pull/1124).
+			return nil
+		}
+		return err
 	}
 
 	timeout := time.NewTimer(30 * time.Second)
diff --git a/libcontainer/cgroups/systemd/v1.go b/libcontainer/cgroups/systemd/v1.go
@@ -204,7 +204,7 @@ func (m *LegacyManager) Apply(pid int) error {
 
 	properties = append(properties, c.SystemdProps...)
 
-	if err := startUnit(m.dbus, unitName, properties); err != nil {
+	if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil {
 		return err
 	}
 
diff --git a/libcontainer/cgroups/systemd/v2.go b/libcontainer/cgroups/systemd/v2.go
@@ -291,7 +291,7 @@ func (m *UnifiedManager) Apply(pid int) error {
 
 	properties = append(properties, c.SystemdProps...)
 
-	if err := startUnit(m.dbus, unitName, properties); err != nil {
+	if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil {
 		return fmt.Errorf("unable to start unit %q (properties %+v): %w", unitName, properties, err)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ func (m *LegacyManager) Apply(pid int) error {`
`204`	`204`
`205`	`205`	`properties = append(properties, c.SystemdProps...)`
`206`	`206`
`207`		`- if err := startUnit(m.dbus, unitName, properties); err != nil {`
	`207`	`+ if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil {`
`208`	`208`	`return err`
`209`	`209`	`}`
`210`	`210`
Original file line number	Diff line number	Diff line change
`@@ -291,7 +291,7 @@ func (m *UnifiedManager) Apply(pid int) error {`
`291`	`291`
`292`	`292`	`properties = append(properties, c.SystemdProps...)`
`293`	`293`
`294`		`- if err := startUnit(m.dbus, unitName, properties); err != nil {`
	`294`	`+ if err := startUnit(m.dbus, unitName, properties, pid == -1); err != nil {`
`295`	`295`	`return fmt.Errorf("unable to start unit %q (properties %+v): %w", unitName, properties, err)`
`296`	`296`	`}`
`297`	`297`