|
| 1 | +From 970b5d46bc30b5aafe16c4fbb245500f885cc9cd Mon Sep 17 00:00:00 2001 |
| 2 | +From: Arjun Yogidas <arjunry@amazon.com> |
| 3 | +Date: Thu, 16 Apr 2026 18:24:24 +0000 |
| 4 | +Subject: [PATCH] Fix TestCgroupNamespace failure on cgroups v1 hosts |
| 5 | + |
| 6 | +Signed-off-by: Arjun Yogidas <arjunry@amazon.com> |
| 7 | +--- |
| 8 | + .../cri/server/container_create_linux_test.go | 31 +++++++++++++++++-- |
| 9 | + 1 file changed, 28 insertions(+), 3 deletions(-) |
| 10 | + |
| 11 | +diff --git a/internal/cri/server/container_create_linux_test.go b/internal/cri/server/container_create_linux_test.go |
| 12 | +index 8151be9a47c40..f376ee04535e2 100644 |
| 13 | +--- a/internal/cri/server/container_create_linux_test.go |
| 14 | ++++ b/internal/cri/server/container_create_linux_test.go |
| 15 | +@@ -487,6 +487,8 @@ func TestPrivilegedBindMount(t *testing.T) { |
| 16 | + } |
| 17 | + } |
| 18 | + |
| 19 | ++// TestCgroupNamespace verifies that a cgroup namespace is only assigned to |
| 20 | ++// non-privileged containers on cgroupv2 hosts. |
| 21 | + func TestCgroupNamespace(t *testing.T) { |
| 22 | + testPid := uint32(1234) |
| 23 | + c := newTestCRIService() |
| 24 | +@@ -498,27 +500,50 @@ func TestCgroupNamespace(t *testing.T) { |
| 25 | + tests := []struct { |
| 26 | + desc string |
| 27 | + privileged bool |
| 28 | ++ requireCgroupV2 bool |
| 29 | + expectCgroupNamespace bool |
| 30 | + }{ |
| 31 | + { |
| 32 | +- desc: "non-privileged container should get cgroup namespace", |
| 33 | ++ desc: "cgroupv2: non-privileged container should get cgroup namespace", |
| 34 | + privileged: false, |
| 35 | ++ requireCgroupV2: true, |
| 36 | + expectCgroupNamespace: true, |
| 37 | + }, |
| 38 | + { |
| 39 | +- desc: "privileged container should not get cgroup namespace", |
| 40 | ++ desc: "cgroupv2: privileged container should not get cgroup namespace", |
| 41 | + privileged: true, |
| 42 | ++ requireCgroupV2: true, |
| 43 | ++ expectCgroupNamespace: false, |
| 44 | ++ }, |
| 45 | ++ { |
| 46 | ++ desc: "cgroupv1: non-privileged container should not get cgroup namespace", |
| 47 | ++ privileged: false, |
| 48 | ++ requireCgroupV2: false, |
| 49 | ++ expectCgroupNamespace: false, |
| 50 | ++ }, |
| 51 | ++ { |
| 52 | ++ desc: "cgroupv1: privileged container should not get cgroup namespace", |
| 53 | ++ privileged: true, |
| 54 | ++ requireCgroupV2: false, |
| 55 | + expectCgroupNamespace: false, |
| 56 | + }, |
| 57 | + } |
| 58 | + |
| 59 | + for _, tt := range tests { |
| 60 | + t.Run(tt.desc, func(t *testing.T) { |
| 61 | ++ // Skip if the host's cgroup mode doesn't match what the test case requires. |
| 62 | ++ if tt.requireCgroupV2 && !isUnifiedCgroupsMode() { |
| 63 | ++ t.Skip("requires cgroups v2") |
| 64 | ++ } |
| 65 | ++ if !tt.requireCgroupV2 && isUnifiedCgroupsMode() { |
| 66 | ++ t.Skip("requires cgroups v1") |
| 67 | ++ } |
| 68 | ++ |
| 69 | + containerConfig.Linux.SecurityContext.Privileged = tt.privileged |
| 70 | + sandboxConfig.Linux.SecurityContext.Privileged = tt.privileged |
| 71 | + |
| 72 | + spec, err := c.buildContainerSpec(currentPlatform, t.Name(), testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime, nil) |
| 73 | +- assert.NoError(t, err) |
| 74 | ++ require.NoError(t, err) |
| 75 | + |
| 76 | + hasCgroupNS := false |
| 77 | + for _, ns := range spec.Linux.Namespaces { |
0 commit comments