join the cgroup after the initial setup finished
We should join the cgroup after the initial setup finished,
but before runc init clones new child processes. (#4427)
Because we should try our best to reduce the influence of
memory cgroup accounting from all runc init processes
before we start the container init process.

Signed-off-by: lifubang <[email protected]>
lifubang committed Oct 13, 2024
1 parent 0683379 commit 34f1d3b
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions libcontainer/process_linux.go
Expand Up @@ -407,6 +407,13 @@ func (p *initProcess) start() (retErr error) {
}
}()

// We should join the cgroup after the initial setup finished,
// but before runc init clone new children processes. (#4427)
err = <-waitInit
if err != nil {
return err
}

// Do this before syncing with child so that no children can escape the
// cgroup. We don't need to worry about not doing this and not being root
// because we'd be using the rootless cgroup manager in that case.
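Review bot: The new comment above `err = <-waitInit` repeats the commit subject but leaves out the reason, and it sits directly on top of the existing "Do this before syncing with child so that no children can escape the cgroup" comment without saying how the two fit together. Since the cgroup join now happens only after this wait returns, the no-escape guarantee depends on runc init not having cloned any child by the time it signals on waitInit; please state that invariant in the comment, along with the memory cgroup accounting motivation from the commit message. Also consider wrapping the bare `return err` with context, as the bootstrap-data error in this function does with `fmt.Errorf("...: %w", err)`, so a failure at this earlier point is distinguishable in logs.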
Expand All @@ -421,10 +428,6 @@ func (p *initProcess) start() (retErr error) {
if _, err := io.Copy(p.messageSockPair.parent, p.bootstrapData); err != nil {
return fmt.Errorf("can't copy bootstrap data to pipe: %w", err)
}
err = <-waitInit
if err != nil {
return err
}

childPid, err := p.getChildPid()
if err != nil {
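Review bot: With the `err = <-waitInit` wait removed from after the `io.Copy(p.messageSockPair.parent, p.bootstrapData)` call, the parent now blocks on waitInit before any bootstrap data is written, which reverses the previous order. Please confirm that whatever signals waitInit does not itself depend on the child having received the bootstrap data, otherwise start() would hang here; nothing in the visible lines shows what waitInit is signalled on, so a short comment or test documenting that ordering would help. It is also worth checking that the deferred cleanup at the top of this hunk's context behaves correctly when start() returns before the cgroup join and the bootstrap write have happened.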