From 64704495c9ef9cfc4678e9ba3bed7d0e7150dc65 Mon Sep 17 00:00:00 2001
From: Danielle Maywood
Date: Mon, 21 Oct 2024 08:56:54 +0000
Subject: [PATCH] fix(cli): IsContainerized return true when cgroupns=private
---
 cli/clistat/container.go | 12 ++++++++++++
 cli/clistat/stat_internal_test.go | 12 ++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/cli/clistat/container.go b/cli/clistat/container.go
index bfe9718ad70be..b58d32591b907 100644
--- a/cli/clistat/container.go
+++ b/cli/clistat/container.go
@@ -12,6 +12,7 @@ import (
 const (
 procMounts = "/proc/mounts"
 procOneCgroup = "/proc/1/cgroup"
+ sysCgroupType = "/sys/fs/cgroup/cgroup.type"
 kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
 )

@@ -65,6 +66,17 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {
 }
 }

+ // Adapted from https://github.com/systemd/systemd/blob/88bbf187a9b2ebe0732caa1e886616ae5f8186da/src/basic/virt.c#L603-L605
+ // The file `/sys/fs/cgroup/cgroup.type` does not exist on the root cgroup.
+ // If this file exists we can be sure we're in a container.
+ cgTypeExists, err := afero.Exists(fs, sysCgroupType)
+ if err != nil {
+ return false, xerrors.Errorf("check file exists %s: %w", sysCgroupType, err)
+ }
+ if cgTypeExists {
+ return true, nil
+ }
+
 // If we get here, we are _probably_ not running in a container.
 return false, nil
 }
diff --git a/cli/clistat/stat_internal_test.go b/cli/clistat/stat_internal_test.go
index 10a09c178f8e8..48d991cdc1fc9 100644
--- a/cli/clistat/stat_internal_test.go
+++ b/cli/clistat/stat_internal_test.go
@@ -309,6 +309,12 @@ func TestIsContainerized(t *testing.T) {
 Expected: true,
 Error: "",
 },
+ {
+ Name: "Docker (Cgroupns=private)",
+ FS: fsContainerCgroupV2PrivateCgroupns,
+ Expected: true,
+ Error: "",
+ },
 } {
 tt := tt
 t.Run(tt.Name, func(t *testing.T) {
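Review bot: The comment added in IsContainerized (cli/clistat/container.go) says the presence of `/sys/fs/cgroup/cgroup.type` makes it certain the process is in a container, which is more than the check supports. The file shows only that whatever is mounted at /sys/fs/cgroup is not the root of a cgroup v2 hierarchy; that matches the cgroupns=private case this commit targets, but it is still a heuristic over paths the runtime environment controls, in line with the function's own closing `_probably_` comment. I would reword it to `// cgroup.type is absent only in the root cgroup, so its presence means /sys/fs/cgroup is a non-root cgroup v2 directory (e.g. a private cgroup namespace).` and have callers treat the result as a hint rather than as evidence of isolation. Separately, `afero.Exists` returns an error for any stat failure other than not-exist, so a masked or unreadable /sys now surfaces as an error from IsContainerized instead of reaching `return false, nil`; whether callers tolerate that is not visible here, since the function body starts outside the hunk.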
@@ -374,6 +380,12 @@ proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
 cgroupV2MemoryUsageBytes: "536870912",
 cgroupV2MemoryStat: "inactive_file 268435456",
 }
+ fsContainerCgroupV2PrivateCgroupns = map[string]string{
+ procOneCgroup: "0::/",
+ procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+ sysCgroupType: "domain",
+ }
 fsContainerCgroupV1 = map[string]string{
 procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
 procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
pFad - Phonifier reborn
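Review bot: The new `fsContainerCgroupV2PrivateCgroupns` fixture in cli/clistat/stat_internal_test.go pins only the positive path of the `sysCgroupType` check. A companion case with the same `procOneCgroup: "0::/"` and `procMounts` content but no `sysCgroupType` entry, expected to return false, would show that the file's presence alone decides the result; such a case may already exist outside this hunk. The error branch that wraps the `afero.Exists` failure also has no visible coverage. The declaration block this fixture sits in starts and ends outside the hunk.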
