
I have a process running in a docker container (docker puts that process in a cgroup btw). The process forks and I want to put some forks into cgroups.

I added the following code to my program:

#include <stdio.h>
#include <libcgroup.h>

/* cg_name: name of the cgroup to create, e.g. "my_forks" */
cgroup_init();

struct cgroup *my_cgroup = cgroup_new_cgroup(cg_name);
cgroup_add_controller(my_cgroup, "cpu");

int cgroup_cr = cgroup_create_cgroup_from_parent(my_cgroup, 0);
if (cgroup_cr != 0)
    fprintf(stderr, "cgroup_create_cgroup_from_parent: %s\n", cgroup_strerror(cgroup_cr));

The cgroup_cr is 50007 ("Cgroup, operation not allowed"). I don't know why that is. Is there some configuration I need to change? Is a capability needed?

Phillipp

1 Answer


I believe access to modify cgroups would allow a process to escape the docker container, so docker would disable that by default. You can test if the problem is with only a capability by running your container with:

docker run --cap-add=ALL ...

More than likely, you'll need a privilege like SYS_ADMIN and will be able to reduce the capabilities added to just your specific items.

If adding capabilities does not resolve your issue, you can remove all restrictions with:

docker run --privileged ...

More details can be found on:

BMitch

Comment: Actually, I have found the problem to be something else entirely, but your answer was the missing link: the program itself used libcap to drop capabilities (as root) and couldn't access the cgroup fs any longer. Adding CAP_DAC_OVERRIDE to the cap-list solved the problem. – Phillipp Sep 08 '17 at 08:57
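Before reaching for --cap-add or --privileged, it is worth checking which capabilities the process actually holds at the moment it touches the cgroup fs, since both docker's --cap-add/--cap-drop and an in-program libcap drop (as in the comment above) end up in the CapEff line of /proc/self/status. The following added example is not code from the question or the answer; it decodes that line with plain C and reports whether CAP_DAC_OVERRIDE and CAP_SYS_ADMIN are present. The capability numbers are the ones from <linux/capability.h>; the sample status text is constructed and shows docker's default set.

```c
/* Added example, not from the question or answer: decode the CapEff line of
 * /proc/self/status to see which capabilities survived libcap and docker. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAPNUM_DAC_OVERRIDE 1
#define CAPNUM_SYS_ADMIN    21

/* Return the hex mask after `key` (e.g. "CapEff:") in /proc/<pid>/status
 * text, or 0 if the key is absent. strtoull skips the tab after the colon. */
uint64_t parse_cap_mask(const char *status_text, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = status_text; line && *line; ) {
        if (strncmp(line, key, klen) == 0)
            return strtoull(line + klen, NULL, 16);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* Non-zero if capability number `cap` is set in `mask`. */
int has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1u); }

/* Constructed sample: docker's default set (0xa80425fb) contains
 * CAP_DAC_OVERRIDE (bit 1) but not CAP_SYS_ADMIN (bit 21). */
const char *sample_status =
    "Name:\tmyprog\n"
    "CapEff:\t00000000a80425fb\n";

int main(void)
{
    char buf[4096] = {0};
    size_t n = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { n = fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    const char *text = n ? buf : sample_status;   /* fallback off Linux */
    uint64_t eff = parse_cap_mask(text, "CapEff:");
    printf("CapEff=%016llx DAC_OVERRIDE=%d SYS_ADMIN=%d\n", (unsigned long long)eff,
           has_cap(eff, CAPNUM_DAC_OVERRIDE), has_cap(eff, CAPNUM_SYS_ADMIN));
    return 0;
}
```

Run it right after the libcap drop (or inside the container under the --cap-add/--cap-drop flags you intend to ship) and a missing DAC_OVERRIDE shows up as 0 before any cgroup call fails with 50007.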