fix(cli): improve container detection when cgroupns=private (coder#15156)

DanielleMaywood · web-flow · commit 13f6645ab9df · 2024-10-21T15:28:32.000+01:00
Fixes coder#12721 If a container in docker is started with `--cgroupns=private` (which is the default behaviour in docker) then `/proc/1/cgroup` has the following content: ``` 0::/ ``` If a container in docker is started with `--cgroupns=host` then `/proc/1/cgroup` has the following content (hash will vary): ``` 0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f ``` Currently we are determining if a host is containerized by assuming the second scenario. This means the existing behaviour of sniffing `/proc/1/cgroup` is not always sufficient for checking if a host is containerized. According to [the cgroups(7) man-page](https://man7.org/linux/man-pages/man7/cgroups.7.html) there exists a `cgroup.type` file in a nonroot cgroup. This exists in Linux versions after `4.14`. > Linux 4.14 added thread mode for cgroups v2. > With the addition of thread mode, each nonroot cgroup now contains a new file, cgroup.type This means we can check for the existence of `/sys/fs/cgroup/cgroup.type` to see if we are in a container or not.
diff --git a/cli/clistat/container.go b/cli/clistat/container.go
@@ -12,6 +12,7 @@ import (
 const (
 	procMounts                           = "/proc/mounts"
 	procOneCgroup                        = "/proc/1/cgroup"
+	sysCgroupType                        = "/sys/fs/cgroup/cgroup.type"
 	kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
 )
 
@@ -65,6 +66,17 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {
 		}
 	}
 
+	// Adapted from https://github.com/systemd/systemd/blob/88bbf187a9b2ebe0732caa1e886616ae5f8186da/src/basic/virt.c#L603-L605
+	// The file `/sys/fs/cgroup/cgroup.type` does not exist on the root cgroup.
+	// If this file exists we can be sure we're in a container.
+	cgTypeExists, err := afero.Exists(fs, sysCgroupType)
+	if err != nil {
+		return false, xerrors.Errorf("check file exists %s: %w", sysCgroupType, err)
+	}
+	if cgTypeExists {
+		return true, nil
+	}
+
 	// If we get here, we are _probably_ not running in a container.
 	return false, nil
 }
diff --git a/cli/clistat/stat_internal_test.go b/cli/clistat/stat_internal_test.go
@@ -309,6 +309,12 @@ func TestIsContainerized(t *testing.T) {
 			Expected: true,
 			Error:    "",
 		},
+		{
+			Name:     "Docker (Cgroupns=private)",
+			FS:       fsContainerCgroupV2PrivateCgroupns,
+			Expected: true,
+			Error:    "",
+		},
 	} {
 		tt := tt
 		t.Run(tt.Name, func(t *testing.T) {
@@ -374,6 +380,12 @@ proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
 		cgroupV2MemoryUsageBytes: "536870912",
 		cgroupV2MemoryStat:       "inactive_file 268435456",
 	}
+	fsContainerCgroupV2PrivateCgroupns = map[string]string{
+		procOneCgroup: "0::/",
+		procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+		sysCgroupType: "domain",
+	}
 	fsContainerCgroupV1 = map[string]string{
 		procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
 		procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`const (`
`13`	`13`	`procMounts = "/proc/mounts"`
`14`	`14`	`procOneCgroup = "/proc/1/cgroup"`
	`15`	`+ sysCgroupType = "/sys/fs/cgroup/cgroup.type"`
`15`	`16`	`kubernetesDefaultServiceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec`
`16`	`17`	`)`
`17`	`18`
`@@ -65,6 +66,17 @@ func IsContainerized(fs afero.Fs) (ok bool, err error) {`
`65`	`66`	`}`
`66`	`67`	`}`
`67`	`68`
	`69`	`+ // Adapted from https://github.com/systemd/systemd/blob/88bbf187a9b2ebe0732caa1e886616ae5f8186da/src/basic/virt.c#L603-L605`
	`70`	+ // The file `/sys/fs/cgroup/cgroup.type` does not exist on the root cgroup.
	`71`	`+ // If this file exists we can be sure we're in a container.`
	`72`	`+ cgTypeExists, err := afero.Exists(fs, sysCgroupType)`
	`73`	`+ if err != nil {`
	`74`	`+ return false, xerrors.Errorf("check file exists %s: %w", sysCgroupType, err)`
	`75`	`+ }`
	`76`	`+ if cgTypeExists {`
	`77`	`+ return true, nil`
	`78`	`+ }`
	`79`	`+`
`68`	`80`	`// If we get here, we are _probably_ not running in a container.`
`69`	`81`	`return false, nil`
`70`	`82`	`}`