diff --git a/server/container_create.go b/server/container_create.go index 9d00b974206..c3c951e6cb0 100644 --- a/server/container_create.go +++ b/server/container_create.go @@ -399,15 +399,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa return nil } -func hostNetwork(containerConfig *types.ContainerConfig) bool { - securityContext := containerConfig.Linux.SecurityContext - if securityContext == nil || securityContext.NamespaceOptions == nil { - return false - } - - return securityContext.NamespaceOptions.Network == types.NamespaceModeNODE -} - // CreateContainer creates a new container in specified PodSandbox func (s *Server) CreateContainer(ctx context.Context, req *types.CreateContainerRequest) (res *types.CreateContainerResponse, retErr error) { log.Infof(ctx, "Creating container: %s", translateLabelsToDescription(req.Config.Labels)) diff --git a/server/container_create_linux.go b/server/container_create_linux.go index ec2679f2f13..ce83efeba8d 100644 --- a/server/container_create_linux.go +++ b/server/container_create_linux.go @@ -434,19 +434,24 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai } // If the sandbox is configured to run in the host network, do not create a new network namespace - if sb.HostNetwork() { + if hostNet { if err := specgen.RemoveLinuxNamespace(string(rspec.NetworkNamespace)); err != nil { return nil, err } if !isInCRIMounts("/sys", containerConfig.Mounts) { - specgen.RemoveMount("/sys") ctr.SpecAddMount(rspec.Mount{ Destination: "/sys", Type: "sysfs", Source: "sysfs", Options: []string{"nosuid", "noexec", "nodev", "ro"}, }) + ctr.SpecAddMount(rspec.Mount{ + Destination: "/sys/fs/cgroup", + Type: "cgroup", + Source: "cgroup", + Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"}, + }) } } @@ -525,7 +530,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai }) } - if !isInCRIMounts("/etc/hosts", containerConfig.Mounts) && hostNetwork(containerConfig) { + if !isInCRIMounts("/etc/hosts", containerConfig.Mounts) && hostNet { // Only bind mount for host netns and when CRI does not give us any hosts file ctr.SpecAddMount(rspec.Mount{ Destination: "/etc/hosts",