Still got an occasional "permission denied" error while cgroup frozen failed.

[jiusanzhou]

Description

Currenty we have frozen the container to avoid the container get
an occasional "permission denied" error, while the systemd's application of device
rules is done disruptively.

But when the processes in the container can not be frozen over 2 seconds, we still update the cgroup which resulting the container get
an occasional "permission denied" error in some cases.

The code in libcontainer/cgroups/systemd/v1.go

func (m *LegacyManager) Set(r *configs.Resources) error {
	if needsFreeze {
		if err := m.doFreeze(configs.Frozen); err != nil {
			// If freezer cgroup isn't supported, we just warn about it.
			logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
		}
	}
	setErr := setUnitProperties(m.dbus, unitName, properties...)
}

btw, 2 seconds set in libcontainer/cgroups/fs/freezer.go

func (s *FreezerGroup) Set(path string, r *configs.Resources) (Err error) {
	for i := 0; i < 1000; i++ {
		time.Sleep(10 * time.Microsecond)
	}
}

Steps to reproduce the issue

1. Kubelet and containerd, which with systemd v1 as cgroup driver;
2. Start a container which start a process that reads the urandom device 1 time per second;
3. Start some process with D state in the container.

Describe the results you received and expected

Avoid an occasional "permission denied" error.

What version of runc are you using?

1.1.2

Host OS information

No response

Host kernel information

No response

[kolyshkin]

What version of runc are you using?
1.0.2

This is an old version. Can you please retry with the latest released runc version, 1.1.5?

[jiusanzhou]

Sorry I gave a wrong version, it's actually 1.1.2
According to the latest code, I think this issue still exists.