cgroups: only allocate user namespace if we have to
authorChristian Brauner <brauner@kernel.org>
Thu, 24 Nov 2022 11:44:15 +0000 (12:44 +0100)
committerChristian Brauner (Microsoft) <christian.brauner@ubuntu.com>
Thu, 24 Nov 2022 11:45:52 +0000 (12:45 +0100)
If the monitor runs as root, we can assume it is able to remove the cgroups it
created when the container started.

Fixes: https://github.com/lxc/lxd/issues/11108
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
src/lxc/cgroups/cgfsng.c

index 979deab199c770ba9439f6be47e55a1e6ab8b8f9..b868be93d5d480a4a5309338fd15b28fbcc91b1d 100644 (file)
@@ -560,7 +560,12 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops,
        if (ret < 0)
                WARN("Failed to detach bpf program from cgroup");
 
-       if (!list_empty(&handler->conf->id_map)) {
+       /*
+        * Only do the user namespace dance if we have too. If the container's
+        * monitor is root we can assume that it is privileged enough to remove
+        * the cgroups it created when the container started.
+        */
+       if (!list_empty(&handler->conf->id_map) && !handler->am_root) {
                struct generic_userns_exec_data wrap = {
                        .conf                   = handler->conf,
                        .path_prune             = ops->container_limit_cgroup,
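Review bot: The added comment above the new condition reads "if we have too", which should be "if we have to", and it would be more useful if it named the field the check actually relies on; something like `/* Only enter the container's user namespace when the monitor is not root; a root monitor can remove the cgroups it created itself. */` says what `handler->am_root` is standing in for. Whether `am_root` means uid 0 in the initial user namespace or merely uid 0 inside a mapped one is not visible in this hunk, and in the latter case the monitor may still lack write access to the cgroup it is pruning, so the direct-removal branch taken when the condition is false should report a failed removal rather than silently ignore it. cgfsng_payload_destroy begins before this hunk and its body, including that other branch, continues past it.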