Phillipp

Reputation: 264

Error 50007 when creating cgroup with cgroup_new_cgroup

I have a process running in a Docker container (Docker puts that process in a cgroup, btw). The process forks and I want to put some of the forks into cgroups.

I added the following code to my program:

cgroup_init();

struct cgroup *my_cgroup = cgroup_new_cgroup(cg_name);
cgroup_add_controller(my_cgroup, "cpu");

int cgroup_cr = cgroup_create_cgroup_from_parent(my_cgroup, 0);

The cgroup_cr is 50007 ("Cgroup, operation not allowed"). I don't know why that is. Is there some configuration I need to change? Is a capability needed?

Upvotes: 0

Views: 712

Answers (1)

BMitch

Reputation: 264831

I believe access to modify cgroups would allow a process to escape the docker container, so docker would disable that by default. You can test if the problem is with only a capability by running your container with:

docker run --cap-add=ALL ...

More than likely, you'll need a privilege like SYS_ADMIN and will be able to reduce the capabilities added to just your specific items.

If adding capabilities does not resolve your issue, you can remove all restrictions with:

docker run --privileged ...

More details can be found on:

Upvotes: 0
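A way to check from inside the container which restriction applies before widening capabilities, as an added example that is not part of the original answer: it decodes the `CapEff` mask from `/proc/self/status` for CAP_SYS_ADMIN (bit 21) and counts read-only cgroup mounts in `/proc/self/mounts`. The function names and sample text are constructed for illustration, and the read-only mount check is an assumption that goes beyond what the answer states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* CAP_SYS_ADMIN in <linux/capability.h> */

/* Constructed samples in the format of /proc/self/status and /proc/self/mounts. */
static const char SAMPLE_STATUS[] =
    "Name:\tworker\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n";
static const char SAMPLE_MOUNTS[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "cgroup /sys/fs/cgroup/cpu,cpuacct cgroup ro,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n";

/* 1 if CapEff includes CAP_SYS_ADMIN, 0 if not, -1 if there is no CapEff line. */
int has_sys_admin(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* Number of cgroup/cgroup2 mounts whose option list contains "ro". */
int readonly_cgroup_mounts(const char *mounts_text)
{
    int count = 0;
    char dev[256], dir[256], type[64], opts[512];
    for (const char *line = mounts_text; line && *line;
         line = strchr(line, '\n') ? strchr(line, '\n') + 1 : NULL) {
        if (sscanf(line, "%255s %255s %63s %511s", dev, dir, type, opts) != 4)
            continue;
        if (strcmp(type, "cgroup") != 0 && strcmp(type, "cgroup2") != 0)
            continue;
        for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ","))
            if (strcmp(tok, "ro") == 0) { count++; break; }
    }
    return count;
}

int main(void)
{
    printf("CAP_SYS_ADMIN effective: %d\n", has_sys_admin(SAMPLE_STATUS));
    printf("read-only cgroup mounts: %d\n", readonly_cgroup_mounts(SAMPLE_MOUNTS));
    return 0;
}
```

To run it against the live process, pass the contents of `/proc/self/status` and `/proc/self/mounts` to the two functions instead of the samples.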
