diff --git a/pkg/specgen/generate/oci_linux.go b/pkg/specgen/generate/oci_linux.go
index e44a23e4bc..6dc1dc28bb 100644
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@@ -125,11 +125,12 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 		}
 		g.AddMount(sysMnt)
 		g.RemoveMount("/sys/fs/cgroup")
+
 		sysFsCgroupMnt := spec.Mount{
 			Destination: "/sys/fs/cgroup",
-			Type:        define.TypeBind,
+			Type:        "cgroup",
 			Source:      "/sys/fs/cgroup",
-			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
+			Options:     []string{"rprivate", "nosuid", "noexec", "nodev", r},
 		}
 		g.AddMount(sysFsCgroupMnt)
 		if !s.Privileged && isRootless {
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 0293a27baa..f5f8c09133 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -1167,6 +1167,10 @@ EOF
     # verify that the last /sys/fs/cgroup mount is read-only
     run_podman run --net=host --cgroupns=host --rm $IMAGE sh -c "grep ' / /sys/fs/cgroup ' /proc/self/mountinfo | tail -n 1"
     assert "$output" =~ "/sys/fs/cgroup ro"
+
+    # verify that it works also with a cgroupns
+    run_podman run --net=host --cgroupns=private --rm $IMAGE sh -c "grep ' / /sys/fs/cgroup ' /proc/self/mountinfo | tail -n 1"
+    assert "$output" =~ "/sys/fs/cgroup ro"
     fi
 }
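Review bot: `Type: "cgroup"` is a bare string literal where the line it replaces used a named constant (`define.TypeBind`); if the define package has a constant for the cgroup mount type it should be used here, and either way the mount literal needs a comment recording why the mount type changed, since nothing in the hunk explains it. Suggested comment above `sysFsCgroupMnt := spec.Mount{`: `// Mount a fresh cgroup filesystem instead of bind-mounting the host's /sys/fs/cgroup: with a private cgroupns the runtime then exposes only the container's own subtree rather than the host hierarchy; "rbind" is dropped because this is no longer a bind mount.` The read-only/read-write option `r` is computed outside the hunk, so the read-only behaviour the new system test asserts is not visible from this change alone. SpecGenToOCI starts before and continues past this hunk.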
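Review bot: The added `--cgroupns=private` case only repeats the read-only assertion of the `--cgroupns=host` case above it; it does not check the property the new cgroup-type mount is meant to provide, that a private cgroupns sees its own hierarchy rather than the host tree. If this branch is the cgroup v2 path (the enclosing `if` opens outside the hunk, so this is inferred), a second assertion on `cat /proc/self/cgroup` inside the container expecting `0::/` would pin that behaviour. The new comment is also vaguer than its sibling; `# verify that the last /sys/fs/cgroup mount is read-only also with a private cgroupns` states what is actually asserted.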