Add CAP_CHOWN to Container Run capabilities to allow systemd containers when a RW cgroupfs is enabled #23748

@cgruver

Description

Is your enhancement related to a problem? Please describe

If the Pod annotation io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw is set, then a RW cgroupfs is created in the Pod containers.

In order to take advantage of the RW capabilities, the Pod must either be run as root, or the cgroupfs needs to be chowned to the UID of the container.

Describe the solution you'd like

See -

https://github.com/cgruver/systemd-in-devspaces
https://issues.redhat.com/browse/CRW-10248

Describe alternatives you've considered

No response

Additional context

No response
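Added example, not code from the issue or from the Che/DevWorkspace projects: an entrypoint preflight for the non-root case described above, run inside the container before handing over to systemd. It assumes the Pod carries the io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw annotation, that CHOWN is in the container's capabilities, that cgroup v2 is mounted at /sys/fs/cgroup (the CGROUP_ROOT constant is ours), and the Linux /proc layout; the two pure functions take their input as arguments so they can be exercised outside a container.

```shell
#!/bin/sh
# Added example (not from the issue): preflight checks for a non-root container
# that wants to use a RW cgroupfs. Assumes cgroup v2 at /sys/fs/cgroup and the
# Linux /proc layout. Pure functions take their input as arguments so they can
# be exercised without a real container.
CGROUP_ROOT=/sys/fs/cgroup

# cap_has_chown HEXMASK: succeed if CAP_CHOWN (capability number 0, i.e. bit 0)
# is set in a capability mask as printed on the CapEff line of /proc/<pid>/status.
cap_has_chown() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 2 ;; esac   # reject non-hex input
    [ $(( 0x$1 & 1 )) -eq 1 ]
}

# cgroup_mount_rw MOUNTINFO: succeed if the given /proc/self/mountinfo text
# shows CGROUP_ROOT mounted with the "rw" mount option (field 6, not the
# superblock options after the " - " separator).
cgroup_mount_rw() {
    printf '%s\n' "$1" | awk -v root="$CGROUP_ROOT" '
        $5 == root { n = split($6, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") found = 1 }
        END { exit found ? 0 : 1 }'
}

# preflight: decide whether this process can use the RW cgroupfs and, for the
# non-root case from the issue, hand the hierarchy to the container's own UID.
preflight() {
    uid=$(id -u)
    if ! cgroup_mount_rw "$(cat /proc/self/mountinfo)"; then
        echo "$CGROUP_ROOT is not mounted rw; is the cgroup2-mount-hierarchy-rw annotation applied?" >&2
        return 1
    fi
    if [ "$uid" -eq 0 ]; then
        echo "running as root: $CGROUP_ROOT is already writable"
        return 0
    fi
    caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if ! cap_has_chown "$caps"; then
        echo "CapEff=$caps lacks CAP_CHOWN; cannot chown $CGROUP_ROOT as uid $uid" >&2
        return 1
    fi
    # The step the issue describes: make the hierarchy owned by the container UID.
    chown -R "$uid:$(id -g)" "$CGROUP_ROOT"
}

# Run the checks only when invoked with --check (e.g. from the container entrypoint).
case "${1:-}" in --check) preflight ;; esac
```

Invoke the script with `--check` from the container entrypoint; a non-zero exit tells you which of the two preconditions (RW mount, CAP_CHOWN in the effective set) is missing before systemd fails less legibly.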

Metadata

Labels

area/che-operator: Issues and PRs related to Eclipse Che Kubernetes Operator
kind/enhancement: A feature request - must adhere to the feature request template.
severity/P1: Has a major impact to usage or development of the system.
team/B: This team is responsible for the Web Terminal, the DevWorkspace Operator.
