`/sys/fs/cgroup/<subsystem>/tasks` file is empty when setns to another cgroup namespace

Aleksa Sarai asarai at suse.de
Wed Feb 8 12:45:59 UTC 2017


> In a word, the conclusion is that if a process uses `setns()` to join
> another process’s cgroup namespace without being moved to the target
> cgroupns-root, then after we remount cgroupfs inside the cgroup
> namespace, the shared process’s `/sys/fs/cgroup/<subsystem>/tasks`
> file would be the same as the target process’s if the two processes are in
> the same pid namespace, while this file would be empty if the two
> processes are in different pid namespaces (probably because
> the shared process cannot see the pid of the target process).

This is expected, for two reasons:

1. When doing a mount of cgroupfs, the root of the mount is going to be 
the cgroup that the cgroup namespace was created in. This means that if 
your process is not in that cgroup, you won't see it in the tasks file.

2. You cannot see processes that are not in your pid namespace inside 
the tasks file.

Thus, the file is empty because no process inside your container is in 
the cgroup that is the root of your cgroup namespace.

Overall, the way this should be handled is that doing 
`--cgroup=<container>` should also involve setting `cgroupsPath` in the 
OCI configuration to also be the same as the cgroup associated with the 
cgroup namespace.

-- 
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
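
A check for the situation discussed in this thread, added here as an example and not part of the original post: per cgroup_namespaces(7), `/proc/<pid>/cgroup` shows a path beginning with `/..` when the process's cgroup lies outside its cgroup namespace root. The function names and the sample lines are constructed for illustration.

```python
import sys

# Constructed sample: /proc/self/cgroup as read by a process that joined a
# cgroup namespace with setns() but was not moved under that namespace's root.
SAMPLE_OUTSIDE = """\
11:memory:/../ctr-b
7:freezer:/..
4:cpu,cpuacct:/
0::/../ctr-b
"""


def parse_proc_cgroup(text):
    """Parse 'hierarchy-ID:controller-list:path' lines into tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The path is the last field and may itself contain ':'.
        hier_id, controllers, path = line.split(":", 2)
        names = controllers.split(",") if controllers else []
        entries.append((int(hier_id), names, path))
    return entries


def outside_root(path):
    """True when the path climbs above the cgroupns root ('/..' or '/../x')."""
    return path == "/.." or path.startswith("/../")


def hierarchies_outside_root(text):
    """Map each hierarchy where the process is outside the cgroupns root to its path.

    For those hierarchies, a cgroupfs mounted inside the namespace is rooted at
    a cgroup the process does not belong to, so it is absent from the tasks file.
    """
    result = {}
    for _hier_id, names, path in parse_proc_cgroup(text):
        if outside_root(path):
            # An empty controller list is the cgroup v2 (unified) hierarchy.
            result[",".join(names) or "unified"] = path
    return result


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/cgroup"
    with open(source) as fh:
        for name, path in hierarchies_outside_root(fh.read()).items():
            print(f"{name}: outside cgroupns root ({path})")
```

Run inside the joined namespace, any hierarchy it reports is one where the process was not moved to the cgroupns root.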

