Currently, the container is run without a cgroup namespace, which creates a non-functioning setup with cgroupv2 when cgroupv2 restrictions are enforced.
For example, the cgroup tree for docker without cgroup namespace is:
/sys/fs/cgroup/
  docker/        <--- dockerd lives here.
    containerA   <--- containerA lives here.
As a result, /sys/fs/cgroup/docker becomes a domain threaded cgroup, and cgroup manipulation within containerA doesn't work properly.
I think it should be safe to enable creation of a cgroup namespace by default, or at least when we are running under cgroupv2.
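As an added example (not part of the issue above and not Docker's or runc's own code), the following POSIX shell script shows how a practitioner would verify, from inside a container, whether it has a private cgroup namespace and what type the parent cgroup has. With cgroupv2 `/proc/self/cgroup` holds a single line `0::<path>`; without a cgroup namespace that path is the host-side one (`/docker/containerA` in the tree above), with a private namespace it is `/`. The sample `/proc/self/cgroup` contents and the fake `cgroup.type` file are constructed inline so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example: check cgroup-namespace isolation and cgroup type on cgroupv2.
# Not taken from the issue or from Docker/runc; function names are hypothetical.

# cgroup_v2_path FILE
#   Print the path part of the cgroupv2 line ("0::<path>") of FILE.
#   FILE is normally /proc/self/cgroup; a sample file is used below.
cgroup_v2_path() {
    sed -n 's/^0::\(.*\)$/\1/p' "$1" | head -n 1
}

# cgroupns_is_private FILE
#   Exit 0 when the v2 path is "/", i.e. the process sees only its own
#   subtree (private cgroup namespace); exit 1 when it sees the host path.
cgroupns_is_private() {
    [ "$(cgroup_v2_path "$1")" = "/" ]
}

# cgroup_type DIR
#   Print DIR/cgroup.type ("domain", "domain threaded", "threaded",
#   "domain invalid"), or "unknown" when the file cannot be read.
cgroup_type() {
    cat "$1/cgroup.type" 2>/dev/null || echo "unknown"
}

# report_cgroup PROCFILE CGROUPDIR
#   One-line summary combining both checks.
report_cgroup() {
    path=$(cgroup_v2_path "$1")
    if cgroupns_is_private "$1"; then ns="private cgroupns"; else ns="NO cgroupns"; fi
    printf '%s: path=%s parent-type=%s\n' "$ns" "$path" "$(cgroup_type "$2")"
}

# Constructed sample input mimicking the two situations from the issue:
# a container started without a cgroup namespace, and one with a private one.
tmp=$(mktemp -d)
printf '0::/docker/containerA\n' > "$tmp/no_cgroupns"
printf '0::/\n' > "$tmp/private_cgroupns"
# Constructed stand-in for /sys/fs/cgroup/docker as the issue describes it.
mkdir -p "$tmp/fake/docker"
printf 'domain threaded\n' > "$tmp/fake/docker/cgroup.type"

report_cgroup "$tmp/no_cgroupns" "$tmp/fake/docker"
report_cgroup "$tmp/private_cgroupns" "$tmp/fake/docker"

# Live check of the current process, when running on a Linux host.
if [ -r /proc/self/cgroup ]; then
    report_cgroup /proc/self/cgroup /sys/fs/cgroup
fi
```

To compare the two modes on a real host, run the script once inside `docker run --cgroupns=host ...` and once inside `docker run --cgroupns=private ...` (or wrap a process in `unshare --cgroup`); only the private run should report a path of `/`.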