From 3164926feb079a4ae4b3942a367432a98075389a Mon Sep 17 00:00:00 2001
From: arnaudberger
Date: Wed, 3 Jun 2026 02:19:55 -0400
Subject: [PATCH] fix(atelet): set OCI CgroupsPath so each actor gets its own cgroup
---
 cmd/atelet/oci.go | 27 ++++++++++++++++-----------
 cmd/atelet/oci_test.go | 18 ++++++++++++++++++
 2 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/cmd/atelet/oci.go b/cmd/atelet/oci.go
index 3bf7503f6..da06af2bc 100644
--- a/cmd/atelet/oci.go
+++ b/cmd/atelet/oci.go
@@ -67,7 +67,21 @@ func prepareOCIDirectory(ctx context.Context, pullCache *memorypullcache.MemoryP
 }
 envVars = append(envVars, env...)
- ociSpec := &specs.Spec{
+ ociSpec := buildSpec(args, envVars, annotations, netns, actorTemplateNamespace, actorTemplateName, actorID, containerName)
+ ociSpecBytes, err := json.MarshalIndent(ociSpec, "", " ")
+ if err != nil {
+ return fmt.Errorf("while marshaling OCI spec: %w", err)
+ }
+ specPath := path.Join(bundlePath, "config.json")
+ if err := os.WriteFile(specPath, ociSpecBytes, 0o600); err != nil {
+ return fmt.Errorf("while writing OCI spec: %w", err)
+ }
+
+ return nil
+}
+
+func buildSpec(args, envVars []string, annotations map[string]string, netns, actorTemplateNamespace, actorTemplateName, actorID, containerName string) *specs.Spec {
+ return &specs.Spec{
 Process: &specs.Process{
 User: specs.User{
 UID: 0,
@@ -142,6 +156,7 @@ func prepareOCIDirectory(ctx context.Context, pullCache *memorypullcache.MemoryP
 },
 },
 Linux: &specs.Linux{
+ CgroupsPath: path.Join("actors", actorTemplateNamespace, actorTemplateName, actorID, containerName),
 Namespaces: []specs.LinuxNamespace{
 {
 Type: "pid",
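Review bot: buildSpec is introduced without a doc comment and takes five adjacent string parameters (`netns, actorTemplateNamespace, actorTemplateName, actorID, containerName`), so a transposed argument at the call site in prepareOCIDirectory still compiles and silently yields a different network namespace or cgroup path. A comment such as `// buildSpec returns the OCI runtime spec for one actor container; actorTemplateNamespace, actorTemplateName, actorID and containerName are joined in that order into Linux.CgroupsPath.` would pin the order. A small parameter struct with named fields would remove the risk altogether. The body of buildSpec continues beyond this hunk.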
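Review bot: The new `CgroupsPath` line joins four identifiers with `path.Join`, and nothing visible in this patch checks that each one is a single path segment. `path.Join` drops empty elements and resolves `..`, so an empty containerName collapses the path onto the actor-level cgroup, and a value containing `/` or `..` can resolve outside `actors/` or onto another actor's cgroup, which undoes the per-actor separation the commit is after. If these values are not already validated upstream (not visible here), reject any component that is empty, `.`, `..` or contains `/` in prepareOCIDirectory before calling buildSpec, since buildSpec has no error return. TestBuildSpec in the oci_test.go hunk covers only well-formed components, so cases for those inputs would pin the behaviour. A relative slash-separated path is the cgroupfs form; a runtime using the systemd cgroup driver expects `slice:prefix:name`, so confirm which driver the runtime launched by atelet uses.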
@@ -163,16 +178,6 @@ func prepareOCIDirectory(ctx context.Context, pullCache *memorypullcache.MemoryP
 },
 Annotations: annotations,
 }
- ociSpecBytes, err := json.MarshalIndent(ociSpec, "", " ")
- if err != nil {
- return fmt.Errorf("while marshaling OCI spec: %w", err)
- }
- specPath := path.Join(bundlePath, "config.json")
- if err := os.WriteFile(specPath, ociSpecBytes, 0o600); err != nil {
- return fmt.Errorf("while writing OCI spec: %w", err)
- }
-
- return nil
 }
 func validateTarName(name string) (cleaned string, skip bool, err error) {
diff --git a/cmd/atelet/oci_test.go b/cmd/atelet/oci_test.go
index 4fbaf6a58..f3d8ef158 100644
--- a/cmd/atelet/oci_test.go
+++ b/cmd/atelet/oci_test.go
@@ -450,3 +450,21 @@ func TestUntar_TruncatedArchive(t *testing.T) {
 t.Errorf("error = %v, want it to surface the underlying tar/copy error", err)
 }
 }
+
+func TestBuildSpec(t *testing.T) {
+ spec := buildSpec(
+ []string{"/bin/sh"},
+ []string{"PATH=/usr/bin"},
+ map[string]string{"k": "v"},
+ "/var/run/netns/foo",
+ "actorTemplateNamespace",
+ "actorTemplateName",
+ "actorID",
+ "123",
+ )
+
+ wantCgroups := "actors/actorTemplateNamespace/actorTemplateName/actorID/123"
+ if got := spec.Linux.CgroupsPath; got != wantCgroups {
+ t.Errorf("Linux.CgroupsPath = %q, want %q", got, wantCgroups)
+ }
+}