config-linux: MAY reject an unfit cgroup

kolyshkin · kolyshkin · commit 950e18e39e59 · 2021-09-27T14:41:55.000-07:00
It makes sense for runtime to reject a cgroup which is frozen (for both new and existing container), otherwise the runtime command will just end up stuck. It makes sense for runtime to make sure the cgroup for a new container is empty (i.e. there are no processes it in), and reject it otherwise. The scenario in which a non-empty cgroup is used for a new container has multiple problems, for example: * If two or more containers share the same cgroup, and each container has its own limits configured, the order of container starts ultimately determines whose limits will be effectively applied. * If two or more containers share the same cgroup, and one of containers is paused/unpaused, all others are paused, too. * If cgroup.kill is used to forcefully kill the container, it will also kill other processes that are not part of this container but merely belong to the same cgroup. * When a systemd cgroup manager is used, this becomes even worse. Such as, stop (or even failed start) of any container results in stopTransientUnit command being sent to systemd, and so (depending on unit properties) other containers can receive SIGTERM, be killed after a timeout etc. * Many other bad scenarios are possible, as the implicit assumption of 1:1 container:cgroup mapping is broken. opencontainers/runc#3132 containers/crun#716 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
diff --git a/config-linux.md b/config-linux.md
@@ -185,6 +185,9 @@ If the value is specified, the runtime MUST consistently attach to the same plac
 If the value is not specified, the runtime MAY define the default cgroups path.
 Runtimes MAY consider certain `cgroupsPath` values to be invalid, and MUST generate an error if this is the case.
 
+Runtimes MAY reject a cgroup which it deems unfit; in particular, a frozen
+cgroup or, for a new container, a non-empty cgroup.
+
 Implementations of the Spec can choose to name cgroups in any manner.
 The Spec does not include naming schema for cgroups.
 The Spec does not support per-controller paths for the reasons discussed in the [cgroupv2 documentation][cgroup-v2].
