Limit OOMScoreAdj when running in UserNS ("Rootful-in-Rootless")

Fix issue 46563 "Rootful-in-Rootless dind doesn't work since systemd v250 (due to oom score adj)" Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit ad87727) > Conflicts: > daemon/oci_linux.go Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
moby · Oct 11, 2023 · 58c1c7b · 58c1c7b
1 parent 3b09657
commit 58c1c7b
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
@@ -113,6 +113,15 @@ func WithRootless(daemon *Daemon) coci.SpecOpts {
 	}
 }
 
+// withRootfulInRootless is used for "rootful-in-rootless" dind;
+// the daemon is running in UserNS but has no access to RootlessKit API socket, host filesystem, etc.
+func withRootfulInRootless(daemon *Daemon, daemonCfg *dconfig.Config) coci.SpecOpts {
+	return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
+		specconv.ToRootfulInRootless(s)
+		return nil
+	}
+}
+
 // WithOOMScore sets the oom score
 func WithOOMScore(score *int) coci.SpecOpts {
 	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
@@ -1091,6 +1100,8 @@ func (daemon *Daemon) createSpec(ctx context.Context, c *container.Container) (r
 	}
 	if daemon.configStore.Rootless {
 		opts = append(opts, WithRootless(daemon))
+	} else if userns.RunningInUserNS() {
+		opts = append(opts, withRootfulInRootless(daemon, daemon.configStore))
 	}
 
 	var snapshotter, snapshotKey string

diff --git a/pkg/rootless/specconv/specconv_linux.go b/pkg/rootless/specconv/specconv_linux.go
@@ -12,6 +12,20 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// ToRootfulInRootless is used for "rootful-in-rootless" dind;
+// the daemon is running in UserNS but has no access to RootlessKit API socket, host filesystem, etc.
+//
+// This fuction does:
+// * Fix up OOMScoreAdj (needed since systemd v250: https://github.com/moby/moby/issues/46563)
+func ToRootfulInRootless(spec *specs.Spec) {
+	if spec.Process == nil || spec.Process.OOMScoreAdj == nil {
+		return
+	}
+	if currentOOMScoreAdj := getCurrentOOMScoreAdj(); *spec.Process.OOMScoreAdj < currentOOMScoreAdj {
+		*spec.Process.OOMScoreAdj = currentOOMScoreAdj
+	}
+}
+
 // ToRootless converts spec to be compatible with "rootless" runc.
 // * Remove non-supported cgroups
 // * Fix up OOMScoreAdj