sandbox: Check cri-o and kubelet cgroup managers are same

We ensure that cri-o and kubelet are started with compatible cgroup managers. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-05 18:00:14 -07:00 · 2017-09-05 18:00:14 -07:00 · cb1cad28db
commit cb1cad28db
parent 612dcc0267
3 changed files with 9 additions and 8 deletions
--- a/libkpod/sandbox/sandbox.go
+++ b/libkpod/sandbox/sandbox.go
@ -273,11 +273,6 @@ func (s *Sandbox) CgroupParent() string {
 	return s.cgroupParent
 }

-// UpdateCgroupParent updates the cgroup parent for a sandbox
-func (s *Sandbox) UpdateCgroupParent(parent string) {
-	s.cgroupParent = parent
-}
-
 // Privileged returns whether or not the containers in the sandbox are
 // privileged containers
 func (s *Sandbox) Privileged() bool {
--- a/server/container_create.go
+++ b/server/container_create.go
@ -490,7 +490,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 			cgPath = filepath.Join(parent, scopePrefix+"-"+containerID)
 		}
 		specgen.SetLinuxCgroupsPath(cgPath)
-		sb.UpdateCgroupParent(parent)

 		capabilities := linux.GetSecurityContext().GetCapabilities()
 		toCAPPrefixed := func(cap string) string {
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@ -331,14 +331,21 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	cgroupParent := req.GetConfig().GetLinux().CgroupParent
 	if cgroupParent != "" {
 		if s.config.CgroupManager == oci.SystemdCgroupsManager {
-			cgPath, err := convertCgroupNameToSystemd(cgroupParent, false)
+			if len(cgroupParent) <= 6 || !strings.HasSuffix(path.Base(cgroupParent), ".slice") {
+				return nil, fmt.Errorf("cri-o configured with systemd cgroup manager, but did not receive slice as parent: %s", cgroupParent)
+			}
+			cgPath, err := convertCgroupFsNameToSystemd(cgroupParent)
 			if err != nil {
 				return nil, err
 			}
 			g.SetLinuxCgroupsPath(cgPath + ":" + "crio" + ":" + id)
 			cgroupParent = cgPath
 		} else {
-			g.SetLinuxCgroupsPath(cgroupParent + "/" + id)
+			if strings.HasSuffix(path.Base(cgroupParent), ".slice") {
+				return nil, fmt.Errorf("cri-o configured with cgroupfs cgroup manager, but received systemd slice as parent: %s", cgroupParent)
+			}
+			cgPath := filepath.Join(cgroupParent, scopePrefix+"-"+id)
+			g.SetLinuxCgroupsPath(cgPath)
 		}
 	}