From 600a8bd6d65d9f687310e6f3030c78b4fe946309 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 22 Feb 2022 12:41:09 +1000 Subject: [PATCH] cgroup ownership: clarify that some files may not exist Not all files listed in /sys/kernel/cgroup/delegate necessarily exist in all cgroups. For example, see this issue and PR: - https://github.com/opencontainers/runc/issues/3387 - https://github.com/opencontainers/runc/pull/3389 Expand the cgroup ownership semantics to ensure that runtime authors are aware of this possibility and implementations handle it gracefully. Signed-off-by: Fraser Tweedale --- config-linux.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/config-linux.md b/config-linux.md index c8e02a29..142d3359 100644 --- a/config-linux.md +++ b/config-linux.md @@ -236,10 +236,14 @@ SHOULD NOT change the cgroup ownership. A runtime that changes the cgroup ownership SHOULD only change the ownership of the container's cgroup directory and files within that -directory that are listed in `/sys/kernel/cgroup/delegate` (see -`cgroups(7)` for details about this file). If the -`/sys/kernel/cgroup/delegate` file does not exist, the runtime MUST -fall back to using the following list of files: +directory that are listed in `/sys/kernel/cgroup/delegate`. See +`cgroups(7)` for details about this file. Note that not all files +listed in `/sys/kernel/cgroup/delegate` necessarily exist in every +cgroup. Runtimes MUST NOT fail in this scenario, and SHOULD change +the ownership of the listed files that do exist in the cgroup. + +If the `/sys/kernel/cgroup/delegate` file does not exist, the +runtime MUST fall back to using the following list of files: ``` cgroup.procs
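Review bot: The "not all files ... necessarily exist" caveat in the hunk is attached only to the `/sys/kernel/cgroup/delegate` case, but the fallback list that follows ("If the `/sys/kernel/cgroup/delegate` file does not exist, the runtime MUST fall back to using the following list of files:") has the same problem, since a cgroup may lack some of those files too. Consider moving the sentence "Runtimes MUST NOT fail in this scenario, and SHOULD change the ownership of the listed files that do exist in the cgroup." after the fallback list so it governs both sources of file names, or restate it there. It would also help to make explicit that only the absence of a listed file is tolerated, so that a runtime does not read "MUST NOT fail" as licence to ignore other ownership-change errors such as a permission failure on a file that does exist.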