Multiple containers in the same cgroup

[kolyshkin]

It seems that crun has the same set of issues as https://github.com/opencontainers/runc/issues/3132

Using config.json with cgroupPath set:

# crun run -d s3
# crun run -d s4
# crun list
NAME PID       STATUS   BUNDLE PATH                            
s3   245092    running  /home/kir/git/runc/tst                 
s4   245107    running  /home/kir/git/runc/tst                 
# diff -u /proc/{245092,245107}/cgroup 
(same cgroup)
# crun pause s3
# crun list
NAME PID       STATUS   BUNDLE PATH                            
s3   245092    paused   /home/kir/git/runc/tst                 
s4   245107    paused   /home/kir/git/runc/tst                 
(both paused)
root@ubu2004:/home/kir/git/runc/tst# crun run -d s5
(hung)

Can we discuss it at https://github.com/opencontainers/runc/issues/3132 @giuseppe?

[kolyshkin]

So, for runc I am implementing these measures (see last commits in https://github.com/opencontainers/runc/pull/3131)

1. runc run/create: refuse non-empty cgroup
2. runc run/create: refuse cgroup if frozen
3. runc exec: refuse paused container

Item 3 is fixed in crun by https://github.com/containers/crun/pull/727.

Items 1 and 2 are somewhat harder to fix in crun in case systemd manager is used, as in this case cgroup path is only known after we put a process in a cgroup (see systemd_finalize), meaning it's not possible to do any cgroup checks before we already added init pid into it.

I think it's possible to change that (i.e. figure out the path beforehand, rather than get it from /proc/PID/cgroup after), but I'm not sure such change would be wecomed.

[cdoern]

@giuseppe I am looking to get into some crun code, you think this would be a good issue to pick up, or is this resolved?

[giuseppe]

honestly, I am not sure about addressing it. There could be valid use cases for running different containers in the same cgroup, even if it is a weird configuration.