Preserve cgroup mount options for privileged containers#12952
chrishenzie wants to merge 1 commit into containerd:main from
Conversation
chrishenzie commented Feb 28, 2026
Privileged containers don't have a cgroup namespace, so by default they run in the host's cgroup namespace. When mounting cgroup2 inside a privileged container, applying a different set of mount options can inadvertently alter the host's shared cgroup2 VFS superblock mount options. Because the container's mount options were previously hardcoded, any additional host mount options like `nsdelegate` or `memory_recursiveprot` would be accidentally stripped from the host.

Fixes this issue by reading the host's `/sys/fs/cgroup` mount options during container creation and explicitly including them if the container is privileged. An integration test is also included to verify that the host's cgroup mount options remain unchanged before and after running a privileged container.

Additionally updates the Vagrantfile and cri-integration script to forward the `RUNC_FLAVOR` environment variable to conditionally skip the integration test for `crun` until support is added for `nsdelegate`.

Signed-off-by: Chris Henzie <[email protected]>
Assisted-by: gemini-cli
Referenced code: containerd/internal/cri/server/container_create.go, lines 933 to 939 in d1d9d07
@samuelkarp @Divya063
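As an added illustration of the approach the description outlines (this is not code from the PR or from containerd), the Go snippet below parses a host `/proc/self/mountinfo` for the superblock options of the cgroup2 filesystem at `/sys/fs/cgroup` and carries them into a privileged container's cgroup mount instead of a fixed list. The mountinfo excerpt is constructed, and `baseOptions`, the function names and the read-only default for unprivileged containers are assumptions rather than containerd's actual values.

```go
package main

import "strings"

// Constructed /proc/self/mountinfo excerpt (not captured from a real host); the
// cgroup2 superblock carries the nsdelegate and memory_recursiveprot options.
const sampleMountinfo = `24 30 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
35 24 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
`

// baseOptions is an assumed baseline standing in for the previously hardcoded
// container cgroup mount options; it is not containerd's exact list.
var baseOptions = []string{"nosuid", "noexec", "nodev", "relatime"}

// HostCgroup2Options returns the superblock options of the cgroup2 filesystem
// mounted at /sys/fs/cgroup, parsed from mountinfo text; ok is false if absent.
// Per-mount flags (before " - ") are ignored: only the superblock options are
// shared with the host, so only they can be clobbered by the container's mount.
func HostCgroup2Options(mountinfo string) (opts []string, ok bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		parts := strings.SplitN(line, " - ", 2)
		if len(parts) != 2 {
			continue
		}
		pre, post := strings.Fields(parts[0]), strings.Fields(parts[1])
		// pre[4] is the mount point; post is fstype, source, superblock options.
		if len(pre) < 6 || len(post) < 3 || pre[4] != "/sys/fs/cgroup" || post[0] != "cgroup2" {
			continue
		}
		return strings.Split(post[2], ","), true
	}
	return nil, false
}

// CgroupMountOptions builds the container's cgroup mount options. A privileged
// container shares the host's cgroup2 superblock, so the host's superblock
// options are appended rather than silently dropped by the remount; an
// unprivileged container gets the fixed read-only set (assumed baseline).
func CgroupMountOptions(mountinfo string, privileged bool) []string {
	opts := append([]string(nil), baseOptions...)
	if !privileged {
		return append(opts, "ro")
	}
	hostOpts, ok := HostCgroup2Options(mountinfo)
	if !ok {
		return append(opts, "rw") // no host cgroup2 mount: nothing to preserve
	}
	return append(opts, hostOpts...)
}
```

On a real host the mountinfo text would come from reading `/proc/self/mountinfo` at container creation time, and the before/after comparison the integration test performs is a call to `HostCgroup2Options` on each side of the container run.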