In a word, the conclusion is that if a process uses `setns()` to join
another process’s cgroup namespace without being moved to the target
cgroupns-root, then after we remount cgroupfs inside the cgroup
namespace, the shared process’s `/sys/fs/cgroup/<subsystem>/tasks`
file would be the same as the target process’s if the two processes are in
the same pid namespace, while this file would be empty if the two
processes are in different pid namespaces (probably because
the shared process cannot see the pid of the target process).

This is expected, for two reasons:

1. When doing a mount of cgroupfs, the root of the mount is going to be
   the cgroup that the cgroup namespace was created in. This means that if
   your process is not in that cgroup, you won't see it in the tasks file.
2. You cannot see processes that are not in your pid namespace inside
   the tasks file.

Thus, the file is empty because no process inside your container is in
the cgroup that is the root of your cgroup namespace.

Overall, the way this should be handled is that doing
--cgroup=<container> should also involve setting `cgroupsPath` in the
OCI configuration to also be the same as the cgroup associated with the
cgroup namespace.

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
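
An added example, not part of the original message: one way to derive the `cgroupsPath` and cgroup-namespace entry for a joining container from the target's `/proc/<pid>/cgroup`, following the recommendation above. It assumes the cgroupfs driver, that the file is read from the host's initial cgroup namespace, and that the target is still in the cgroup where its namespace was created; the PID, sample file content and function names are constructed.

```python
import json

# Constructed sample of /proc/<pid>/cgroup for the target container's init
# process, as read from the host (cgroup v1 layout).
SAMPLE_PROC_CGROUP = """\
11:memory:/docker/abc123
10:cpu,cpuacct:/docker/abc123
9:pids:/docker/abc123
1:name=systemd:/docker/abc123
"""


def parse_proc_cgroup(text):
    """Parse 'hierarchy-ID:controller-list:path' lines into {controllers: path}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first two colons only: the path itself may contain ':'.
        _hid, controllers, path = line.split(":", 2)
        # cgroup v2 lines look like '0::/path' (empty controller list).
        entries[controllers or "unified"] = path
    return entries


def shared_cgroupns_patch(target_pid, proc_cgroup_text):
    """Build the OCI 'linux' fragment for joining target_pid's cgroup namespace."""
    paths = set(parse_proc_cgroup(proc_cgroup_text).values())
    if len(paths) != 1:
        # cgroupsPath is a single value; refuse when the target sits in a
        # different cgroup per hierarchy, since one path cannot match them all.
        raise ValueError(f"target is in differing cgroups: {sorted(paths)}")
    return {
        "linux": {
            # Same cgroup as the namespace root, so the joining container's
            # processes show up in the tasks file of the remounted cgroupfs.
            "cgroupsPath": paths.pop(),
            "namespaces": [
                {"type": "cgroup", "path": f"/proc/{target_pid}/ns/cgroup"}
            ],
        }
    }


if __name__ == "__main__":
    # 4242 is a placeholder PID for the target container's init process.
    print(json.dumps(shared_cgroupns_patch(4242, SAMPLE_PROC_CGROUP), indent=2))
```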