
GO: Permission denied when creating a cgroup with NewManager call


UPDATE: I can't reproduce the problem anymore. The below code works fine in both cases. (I am not sure if I should remove the question then.)


I use the cgroups GO package v2, and I can't create a cgroup with some parameters set to non-default values. I run CentOS-9.

The following GO code works fine:

    package main

    import (
        "fmt"

        cgroupsv2 "github.com/containerd/cgroups/v2"
    )

    func main() {
        res := cgroupsv2.Resources{}
        //quota := int64(200000)
        //period  := uint64(1000000)
        //max := cgroupsv2.NewCPUMax(&quota, &period)
        //cpu := cgroupsv2.CPU{Max: max}
        //res = cgroupsv2.Resources{CPU: &cpu}
        cgroupManager, err := cgroupsv2.NewManager("/sys/fs/cgroup/", "/mytestgroup", &res)
        if err != nil {
            fmt.Printf("Error creating cgroup: %v\n", err)
            return
        } else {
            fmt.Println("The group created successfully")
        }
        cgroupManager.Delete()
    }

    $ go build -o test
    $ sudo ./test
    The group created successfully

However, if I uncomment the commented-out lines, I get a permission error.

    $ go build -o test
    $ sudo ./test
    Error creating cgroup: open /sys/fs/cgroup/mytestgroup/cpu.max: permission denied

Here is the SELinux status, in case that matters:

    $ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      33

Thank you for your help.


Solution

  • I am using this code and it runs just fine

    package main
    import (
            "fmt"
            cgroupsv2 "github.com/containerd/cgroups/v3/cgroup2" // Old lib is not resolved
    )
    func main() {
            res := cgroupsv2.Resources{}
            quota := int64(200000)
            period  := uint64(1000000)
            max := cgroupsv2.NewCPUMax(&quota, &period)
            cpu := cgroupsv2.CPU{Max: max}
            res = cgroupsv2.Resources{CPU: &cpu}
            cgroupManager, err := cgroupsv2.NewManager("/sys/fs/cgroup/", "/mytestgroup", &res)
            if err != nil {
                    fmt.Printf("Error creating cgroup: %v\n", err)
                    return
            } else {
                    fmt.Println("The group created successfully")
            }
            cgroupManager.Delete()
    }
    

    In the event that the code does not execute as expected, kindly verify if the /sys/fs/cgroup directory has the necessary read-write (rw) permissions. You can check the current mount options for the /sys/fs/cgroup filesystem by executing the following command:

    mount | grep /sys/fs/cgroup
    

    If the /sys/fs/cgroup filesystem is mounted as read-only, you can remount it with read-write permissions using the following command:

    sudo mount -o remount,rw /sys/fs/cgroup
    

    Then try running your program again.
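
The mount check described in the answer above can also be done from Go by parsing `/proc/self/mountinfo`, which reports both the per-mount and the superblock options, so the program can report a read-only cgroup mount before calling `NewManager`. This is an added example, not code from the question or the answer; `cgroupMount`, `findCgroupMount`, `hasRO` and the sample lines are names and data made up for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Constructed sample in /proc/self/mountinfo format (not captured from a real host).
const sampleMountinfo = `22 29 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
30 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:4 - cgroup2 cgroup2 rw,seclabel,nsdelegate
`

type cgroupMount struct { // hypothetical helper type for this example
	FSType   string // "cgroup2" means the unified (v2) hierarchy
	ReadOnly bool   // true if "ro" is set per-mount or on the superblock
}

// hasRO reports whether a comma-separated option list contains the exact option "ro".
func hasRO(opts string) bool { return strings.Contains(","+opts+",", ",ro,") }

// findCgroupMount scans mountinfo text for mountPoint; the last match wins
// because a later mount shadows an earlier one at the same path.
func findCgroupMount(mountinfo, mountPoint string) (m cgroupMount, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		// Layout: id parent maj:min root mountpoint opts [tags...] - fstype source superopts
		pre, post, hasSep := strings.Cut(sc.Text(), " - ")
		f, g := strings.Fields(pre), strings.Fields(post)
		if !hasSep || len(f) < 6 || len(g) < 3 || f[4] != mountPoint {
			continue
		}
		m, ok = cgroupMount{FSType: g[0], ReadOnly: hasRO(f[5]) || hasRO(g[2])}, true
	}
	return m, ok
}

func main() {
	data, err := os.ReadFile("/proc/self/mountinfo")
	text := string(data)
	if err != nil {
		text = sampleMountinfo // fall back to the constructed sample off-Linux
	}
	m, ok := findCgroupMount(text, "/sys/fs/cgroup")
	fmt.Printf("found=%v fstype=%s readonly=%v\n", ok, m.FSType, m.ReadOnly)
}
```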