diff --git a/cli/clistat/container.go b/cli/clistat/container.go
index bfe9718ad70be..b58d32591b907 100644
--- a/cli/clistat/container.go
+++ b/cli/clistat/container.go
@@ -12,6 +12,7 @@ import (
 const (
 procMounts = "/proc/mounts"
 procOneCgroup = "/proc/1/cgroup"
+ sysCgroupType = "/sys/fs/cgroup/cgroup.type"
 kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
 )
@@ -65,6 +66,17 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {
 }
 }
+ // Adapted from https://github.com/systemd/systemd/blob/88bbf187a9b2ebe0732caa1e886616ae5f8186da/src/basic/virt.c#L603-L605
+ // The file `/sys/fs/cgroup/cgroup.type` does not exist on the root cgroup.
+ // If this file exists we can be sure we're in a container.
+ cgTypeExists, err := afero.Exists(fs, sysCgroupType)
+ if err != nil {
+ return false, xerrors.Errorf("check file exists %s: %w", sysCgroupType, err)
+ }
+ if cgTypeExists {
+ return true, nil
+ }
+
 // If we get here, we are _probably_ not running in a container.
 return false, nil
 }
diff --git a/cli/clistat/stat_internal_test.go b/cli/clistat/stat_internal_test.go
index 10a09c178f8e8..48d991cdc1fc9 100644
--- a/cli/clistat/stat_internal_test.go
+++ b/cli/clistat/stat_internal_test.go
@@ -309,6 +309,12 @@ func TestIsContainerized(t *testing.T) {
 Expected: true,
 Error: "",
 },
+ {
+ Name: "Docker (Cgroupns=private)",
+ FS: fsContainerCgroupV2PrivateCgroupns,
+ Expected: true,
+ Error: "",
+ },
 } {
 tt := tt
 t.Run(tt.Name, func(t *testing.T) {
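Review bot: The comment above the new `afero.Exists(fs, sysCgroupType)` probe claims more than the check shows: the file existing means `/sys/fs/cgroup` is a non-root cgroup, which is what a private cgroup namespace looks like, but it does not by itself identify a container runtime. I would reword the last comment line to `// If this file exists, /sys/fs/cgroup is not the root cgroup, which we treat as running in a container.` so callers do not read the result as authoritative. Also, any `afero.Exists` error other than not-exist (for example a permission error on a masked `/sys`) now fails the call at the point where it previously returned `false, nil`; for a best-effort check, falling through may be the better choice. The body of IsContainerized starts outside the hunk, so how the earlier probes treat read errors is not visible here.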
@@ -374,6 +380,12 @@ proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
 cgroupV2MemoryUsageBytes: "536870912",
 cgroupV2MemoryStat: "inactive_file 268435456",
 }
+ fsContainerCgroupV2PrivateCgroupns = map[string]string{
+ procOneCgroup: "0::/",
+ procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+ sysCgroupType: "domain",
+ }
 fsContainerCgroupV1 = map[string]string{
 procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
 procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0