pause process should only be started if pid namespace is specified #1066
Comments
|
Should we handle that in CRI-O? For example there: https://github.com/cri-o/cri-o/pull/6590/files#diff-dfc52cc2ef8431d1a8b470f203bb0ff238db57c42117957b71c50cf920600f4bR1104-R1116 |
|
we could, though the code could be simpler if we didn't need to differentiate there, and only needed to in conmon-rs. then, we could actually move away from pinns and have conmon-rs create namespaces unconditionally for the pod runtime |
|
@haircommander in CRI-O, the check would look like: sb.NamespaceOptions().GetPid() == types.NamespaceMode_PODShould we pass the |
|
conmon-rs already knows what the pid namespace will be because it's created if the user specifies pid in the RPC call. Even if we're bind mounting the pid namespace from the host, there's already a process holding it open (systemd) so we don't need to spawn a pause process. We only need the pause process if the user requested a pod level pid namespace |
|
so it is my thinking that we conditionally create the pause process, but then in cri-o always call into conmon-rs to create our namespaces for the pod. |
We do not have to create the pause process on `CreateNamespaces` if no PID namespace should be unshared. In this case we now return a dedicated error and let the users decide what to do with it. Fixes containers#1066 Signed-off-by: Sascha Grunert <[email protected]>
We do not have to create the pause process on `CreateNamespaces` if no PID namespace should be unshared. In this case we now return a dedicated error and let the users decide what to do with it. Fixes containers#1066 Signed-off-by: Sascha Grunert <[email protected]>
We do not have to create the pause process on `CreateNamespaces` if no PID namespace should be unshared. In this case we now return a dedicated error and let the users decide what to do with it. Fixes containers#1066 Signed-off-by: Sascha Grunert <[email protected]>
We do not have to create the pause process on `CreateNamespaces` if no PID namespace should be unshared. In this case we now return a dedicated error and let the users decide what to do with it. Fixes containers#1066 Signed-off-by: Sascha Grunert <[email protected]>
We do not have to create the pause process on `CreateNamespaces` if no PID namespace should be unshared. In this case we now return a dedicated error and let the users decide what to do with it. Fixes containers#1066 Signed-off-by: Sascha Grunert <[email protected]>
We do not have to create the pause process on `CreateNamespaces` if no PID namespace should be unshared. In this case we now return a dedicated error and let the users decide what to do with it. Fixes containers#1066 Signed-off-by: Sascha Grunert <[email protected]>
It's possible we do this now, but the pause process should only be created and tracked if the pod has a pod level pid namespace. Otherwise, we're needlessly creating the infra container again (with less overhead, but still).
The text was updated successfully, but these errors were encountered: