rootless runc exec causes panic: cannot statfs cgroup root (When /sys is not mounted) #2573

Closed
coryb opened this issue Sep 3, 2020 · 9 comments


@coryb
Contributor

coryb commented Sep 3, 2020

Seeing a panic from runc exec when run with rootlesskit.

Here is the full stack, runc built from latest master

```
panic: cannot statfs cgroup root

goroutine 1 [running, locked to thread]:
github.com/opencontainers/runc/libcontainer/cgroups.IsCgroup2UnifiedMode.func1()
        /go/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go:45 +0xc5
sync.(*Once).doSlow(0x56030c2f2dd8, 0x56030c00ccc0)
        /usr/lib/go-1.15/src/sync/once.go:66 +0xee
sync.(*Once).Do(...)
        /usr/lib/go-1.15/src/sync/once.go:57
github.com/opencontainers/runc/libcontainer/cgroups.IsCgroup2UnifiedMode(0x20)
        /go/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go:42 +0x5a
github.com/opencontainers/runc/libcontainer.cgroupfs(0xc0001ae120, 0xc00000f000, 0x56030c021f00, 0x56030c29da60)
        /go/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:121 +0x28
github.com/opencontainers/runc/libcontainer.Cgroupfs(...)
        /go/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:134
github.com/opencontainers/runc/libcontainer.New(0x0, 0x0, 0x0, 0x0, 0x0, 0xc0001aad88, 0x56030c021f60, 0xc000253618, 0x0)
        /go/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:199 +0x165
main.glob..func6(0xc00012e840, 0x0, 0xc000059b60)
        /go/src/github.com/opencontainers/runc/init.go:42 +0x39
github.com/urfave/cli.HandleAction(0x56030bf6e900, 0x56030c00dd18, 0xc00012e840, 0xc00012e840, 0x0)
        /go/src/github.com/opencontainers/runc/vendor/github.com/urfave/cli/app.go:523 +0xfd
github.com/urfave/cli.Command.Run(0x56030bc94f87, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x56030bcb2599, 0x51, 0x0, ...)
        /go/src/github.com/opencontainers/runc/vendor/github.com/urfave/cli/command.go:174 +0x58e
github.com/urfave/cli.(*App).Run(0xc0001208c0, 0xc00000e080, 0x2, 0x2, 0x0, 0x0)
        /go/src/github.com/opencontainers/runc/vendor/github.com/urfave/cli/app.go:276 +0x7d4
main.main()
        /go/src/github.com/opencontainers/runc/main.go:151 +0xc6c
exec failed: container_linux.go:370: starting container process caused: read init-p: connection reset by peer
```

Currently seeing this via some work I am doing on buildkit; I have not tried to narrow it down outside of buildkit yet.

cc @AkihiroSuda

@AkihiroSuda
Member

@AkihiroSuda changed the title from "rootless runc exec causes panic: cannot statfs cgroup root" to "rootless runc exec causes panic: cannot statfs cgroup root (When /sys is not mounted)" on Sep 3, 2020
@cyphar
Member

cyphar commented Sep 3, 2020

A panic is less than ideal, but runc cannot work without cgroupfs -- it would be unsafe to create containers without at least the devices cgroup (or the whole eBPF rule setup under cgroupv2).

@AkihiroSuda
Member

@cyphar This issue is about rootless mode

@ashwani29

This comment has been minimized.

@cyphar
Member

cyphar commented Sep 5, 2020

@AkihiroSuda Ah sorry, I missed the mention of RootlessKit in the description.

@cyphar
Member

cyphar commented Sep 5, 2020

@ashwani29 No. A rootless container is a container which is configured and created by an unprivileged user (in contrast to standard Docker-like setups where the whole thing is configured by a daemon that runs as root). The most likely reason why sudo ... isn't working in your container is that most containers don't include a sudo binary (the "sudo" package isn't usually installed for container images because it's a waste of space -- most containers don't need sudo anyway).

@ashwani29

This comment has been minimized.

@cyphar
Member

cyphar commented Sep 5, 2020

Your questions aren't related to this issue, and you're basically asking for us to help you with checkpoint-restore/criu#1199. I posted a comment there, but I would really appreciate it if you'd stop commenting on unrelated issues with support questions (I believe this is at least the third time you've done this now).

@cyphar
Member

cyphar commented Oct 29, 2020

#2634 was merged.
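
The trace above panics inside the cgroup-root statfs in `IsCgroup2UnifiedMode`. The following is an added example, not runc's code and not the change made in #2634: a stand-alone probe that reports the same condition as an error, so a caller can refuse to continue without crashing. The names `ProbeCgroupRoot` and `CgroupMode` are hypothetical, and `/sys/fs/cgroup` is assumed as the conventional cgroup mount point.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// cgroup2SuperMagic is CGROUP2_SUPER_MAGIC from linux/magic.h.
const cgroup2SuperMagic = 0x63677270

// CgroupMode is the outcome of probing a cgroup mount point (hypothetical type).
type CgroupMode int

const (
	ModeUnavailable CgroupMode = iota // statfs failed, e.g. /sys is not mounted
	ModeNotUnified                    // path exists but is not a cgroup2 filesystem
	ModeUnified                       // cgroup2 is mounted at the path
)

// ProbeCgroupRoot runs statfs(2) on root and classifies the result.
// A failure is returned as an error rather than raised as a panic.
func ProbeCgroupRoot(root string) (CgroupMode, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(root, &st); err != nil {
		if errors.Is(err, syscall.ENOENT) {
			return ModeUnavailable, fmt.Errorf("cgroup root %s missing (is /sys mounted?): %w", root, err)
		}
		return ModeUnavailable, fmt.Errorf("cannot statfs cgroup root %s: %w", root, err)
	}
	// Statfs_t.Type is int32 or int64 depending on architecture.
	if int64(st.Type) == cgroup2SuperMagic {
		return ModeUnified, nil
	}
	return ModeNotUnified, nil
}

func main() {
	mode, err := ProbeCgroupRoot("/sys/fs/cgroup") // assumed conventional mount point
	if err != nil {
		// Fail closed: report and exit non-zero instead of panicking.
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("cgroup2 unified mode:", mode == ModeUnified)
}
```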
