Skip to content

[pull] main from containerd:main #235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pull merged 2 commits into from
Feb 6, 2026
Merged

[pull] main from containerd:main #235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c3ba452
script/critest.sh: always skip OOMKilled on systemd cgroup
fuweid Jan 26, 2026
72d5139
Merge pull request #12819 from fuweid/followup-12714
fuweid Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ echo >&2 "Waiting for containerd"
until ctr plugins list; do sleep 3; done

if [ ! -z "$IS_SYSTEMD_CGROUP" ] && [ "$IS_SYSTEMD_CGROUP" = true ];then
critest "--ginkgo.skip=should prefer new apparmor field|should support apparmor field|should support deprecated apparmor_profile field|should support unsafe sysctls|should support safe sysctls|should allow privilege escalation when false"
critest "--ginkgo.skip=should prefer new apparmor field|should support apparmor field|should support deprecated apparmor_profile field|should support unsafe sysctls|should support safe sysctls|should allow privilege escalation when false|should terminate with exitCode 137 and reason OOMKilled"
/bin/bash /critest.sh exit
else
exec "$@"
Expand Down
69 changes: 35 additions & 34 deletions script/critest.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,40 +74,41 @@ GINKGO_SKIP_TEST=()
if [ -n "${SKIP_TEST:-}" ]; then
GINKGO_SKIP_TEST+=("--ginkgo.skip" "$SKIP_TEST")

# With the systemd cgroup driver, the container runtime uses a scope unit to
# manage the cgroup path. According to the scope unit documentation:
#
# Unlike service units, scope units have no “main” process: all processes in
# the scope are equivalent. The lifecycle of a scope unit is therefore not
# bound to a specific process, but to the existence of at least one process in
# the scope. As a result, individual process exit statuses are not relevant to
# the scope unit’s failure state.
#
# We cannot rely on CollectMode=inactive-or-failed to preserve the cgroup path.
# So there is a race condition between containerd and systemd garbage collection.
# If systemd GC removes the scope unit’s cgroup before containerd reads it,
# containerd loses the opportunity to inspect the cgroup and determine the OOM status.
#
# So we disable the OOMKilled testcase.
#
# FIXME(fuweid):
#
# In theory, this could be mitigated by inspecting the unit logs (e.g.
# `journalctl -u XXX.scope`) and searching for the "OOMKilled" keyword.
# However, this approach depends on journalctl and systemd logging behavior,
# so it should be avoided.
#
# Example journal output:
#
# Dec 22 01:24:58 devbox systemd[1]: Started /usr/bin/bash -c dd if=/dev/zero of=/dev/null bs=20M.
# Dec 22 01:24:58 devbox systemd[1]: XXX.service: A process of this unit has been killed by the OOM killer.
# Dec 22 01:24:58 devbox systemd[1]: XXX.service: Main process exited, code=killed, status=9/KILL
# Dec 22 01:24:58 devbox systemd[1]: XXX.service: Failed with result 'oom-kill'.
#
# Ref: https://www.freedesktop.org/software/systemd/man/latest/systemd.scope.html
if [ ! -z "$CGROUP_DRIVER" ] && [ "$CGROUP_DRIVER" = "systemd" ];then
GINKGO_SKIP_TEST+=("--ginkgo.skip" "should terminate with exitCode 137 and reason OOMKilled")
fi
fi

# With the systemd cgroup driver, the container runtime uses a scope unit to
# manage the cgroup path. According to the scope unit documentation:
#
# Unlike service units, scope units have no “main” process: all processes in
# the scope are equivalent. The lifecycle of a scope unit is therefore not
# bound to a specific process, but to the existence of at least one process in
# the scope. As a result, individual process exit statuses are not relevant to
# the scope unit’s failure state.
#
# We cannot rely on CollectMode=inactive-or-failed to preserve the cgroup path.
# So there is a race condition between containerd and systemd garbage collection.
# If systemd GC removes the scope unit’s cgroup before containerd reads it,
# containerd loses the opportunity to inspect the cgroup and determine the OOM status.
#
# So we disable the OOMKilled testcase.
#
# FIXME(fuweid):
#
# In theory, this could be mitigated by inspecting the unit logs (e.g.
# `journalctl -u XXX.scope`) and searching for the "OOMKilled" keyword.
# However, this approach depends on journalctl and systemd logging behavior,
# so it should be avoided.
#
# Example journal output:
#
# Dec 22 01:24:58 devbox systemd[1]: Started /usr/bin/bash -c dd if=/dev/zero of=/dev/null bs=20M.
# Dec 22 01:24:58 devbox systemd[1]: XXX.service: A process of this unit has been killed by the OOM killer.
# Dec 22 01:24:58 devbox systemd[1]: XXX.service: Main process exited, code=killed, status=9/KILL
# Dec 22 01:24:58 devbox systemd[1]: XXX.service: Failed with result 'oom-kill'.
#
# Ref: https://www.freedesktop.org/software/systemd/man/latest/systemd.scope.html
if [ ! -z "$CGROUP_DRIVER" ] && [ "$CGROUP_DRIVER" = "systemd" ];then
GINKGO_SKIP_TEST+=("--ginkgo.skip" "should terminate with exitCode 137 and reason OOMKilled")
fi

GINKGO_FOCUS_TEST=()
Expand Down
Loading