[release-1.35] server: Always include UID/GID mappings for user namespace containers #9713
When containers join a user namespace via path, UID/GID mappings must still be included in the OCI spec. While the namespace path indicates which namespace to join, the mappings are essential for the runtime to properly handle file ownership operations, particularly cgroup delegation.

Without these mappings, runtimes cannot chown the cgroup directory to the mapped UID 0, causing systemd containers to fail with "Permission denied" when attempting to create cgroups like /init.scope.

This restores the behavior from v1.34.4 where both namespace path and mappings coexisted successfully.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

Add integration test to verify that containers joining a user namespace via path still have UID/GID mappings in their OCI spec. This ensures proper cgroup delegation for systemd containers.

The test verifies:
- User namespace path is set (joining sandbox's userns)
- uidMappings and gidMappings are present in config.json
- Container can start successfully
- Container can access cgroups

This prevents regression of the issue fixed in the previous commit where missing mappings caused systemd containers to fail with "Permission denied" when creating cgroups.

Regression test for: cri-o#9705

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
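
The condition the two commit messages describe (a user namespace joined by path, with uidMappings and gidMappings still present in config.json) can be checked offline. This is an added example, not CRI-O code or the PR's integration test; the function names, the sample namespace path and the ID ranges are assumptions, and it goes slightly beyond "present" by requiring that container ID 0 is mapped.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Only the OCI config.json fields this check needs (matched case-insensitively).
type idMap struct{ ContainerID, HostID, Size uint32 }
type ociSpec struct {
	Linux struct {
		Namespaces               []struct{ Type, Path string }
		UIDMappings, GIDMappings []idMap
	}
}

// Constructed samples; both join a sandbox user namespace by path (assumed PID).
const badSpec = `{"linux":{"namespaces":[{"type":"user","path":"/proc/1234/ns/user"}]}}`
const goodSpec = `{"linux":{"namespaces":[{"type":"user","path":"/proc/1234/ns/user"}],
 "uidMappings":[{"containerID":0,"hostID":100000,"size":65536}],
 "gidMappings":[{"containerID":0,"hostID":100000,"size":65536}]}}`

// mapsRoot reports whether container ID 0 is mapped to some host ID.
func mapsRoot(ms []idMap) bool {
	for _, m := range ms {
		if m.ContainerID == 0 && m.Size > 0 {
			return true
		}
	}
	return false
}

// CheckUsernsMappings lists the mapping fields a user-namespace spec lacks.
func CheckUsernsMappings(config []byte) (missing []string, err error) {
	var s ociSpec
	if err = json.Unmarshal(config, &s); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	for _, ns := range s.Linux.Namespaces {
		if ns.Type == "user" && !mapsRoot(s.Linux.UIDMappings) {
			missing = append(missing, "uidMappings")
		}
		if ns.Type == "user" && !mapsRoot(s.Linux.GIDMappings) {
			missing = append(missing, "gidMappings")
		}
	}
	return missing, nil
}
func main() {
	fmt.Println(CheckUsernsMappings([]byte(badSpec)))
}
```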

Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## release-1.35 #9713 +/- ##
================================================
- Coverage 67.57% 67.51% -0.06%
================================================
Files 209 209
Lines 29057 29056 -1
================================================
- Hits 19634 19618 -16
- Misses 7752 7762 +10
- Partials 1671 1676 +5

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, saschagrunert

7deb12c into cri-o:release-1.35

This is an automated cherry-pick of #9712
/assign saschagrunert