daemon/&container/: enable --security-opt writable-cgroups=true as an option

Fixes #42040 Closes #42043 Rather than making cgroups read-write by default, instead have a flag for making it possible. Since these security options are passed through the cli to daemon API, no changes are needed to docker-cli. Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2026-01-11 18:51:37 +00:00 · 2024-11-06 06:48:12 -05:00
parent 033f97519c
commit e3cdd59a82
4 changed files with 15 additions and 1 deletions
--- a/container/container.go
+++ b/container/container.go
@@ -127,6 +127,7 @@ type SecurityOptions struct {
 	AppArmorProfile string
 	SeccompProfile  string
 	NoNewPrivileges bool
+	WritableCgroups bool
 }

 type localLogCacheMeta struct {
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -251,6 +251,12 @@ func parseSecurityOpt(securityOptions *container.SecurityOptions, config *contai
 				return fmt.Errorf("invalid --security-opt 2: %q", opt)
 			}
 			securityOptions.NoNewPrivileges = nnp
+		case "writable-cgroups":
+			writableCgroups, err := strconv.ParseBool(v)
+			if err != nil {
+				return fmt.Errorf("invalid --security-opt 2: %q", opt)
+			}
+			securityOptions.WritableCgroups = writableCgroups
 		default:
 			return fmt.Errorf("invalid --security-opt 2: %q", opt)
 		}
--- a/daemon/daemon_unix_test.go
+++ b/daemon/daemon_unix_test.go
@@ -161,6 +161,13 @@ func TestParseSecurityOpt(t *testing.T) {
 		})
 		assert.Error(t, err, `invalid --security-opt 2: "unknown=something"`)
 	})
+	t.Run("invalid cgroup option", func(t *testing.T) {
+		secOpts := &container.SecurityOptions{}
+		err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
+			SecurityOpt: []string{"writable-cgroups=dang"},
+		})
+		assert.Error(t, err, `invalid --security-opt 2: "writable-cgroups=dang"`)
+	})
 }

 func TestParseNNPSecurityOptions(t *testing.T) {
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -666,7 +666,7 @@ func withMounts(daemon *Daemon, daemonCfg *configStore, c *container.Container,

 		// TODO: until a kernel/mount solution exists for handling remount in a user namespace,
 		// we must clear the readonly flag for the cgroups mount (@mrunalp concurs)
-		if uidMap := daemon.idMapping.UIDMaps; uidMap != nil || c.HostConfig.Privileged {
+		if uidMap := daemon.idMapping.UIDMaps; uidMap != nil || c.HostConfig.Privileged || c.WritableCgroups {
 			for i, m := range s.Mounts {
 				if m.Type == "cgroup" {
 					clearReadOnly(&s.Mounts[i])