From 9979c275e81da1bdd908623a9bc1f39af47333c2 Mon Sep 17 00:00:00 2001 From: Sebastian Wick Date: Mon, 14 Feb 2022 12:23:40 +0100 Subject: [PATCH] cmd/create: Use the host's cgroup namespace for the Toolbx container Podman creates a private cgroup namespace for containers on cgroups v2 by default. The host's cgroupfs is mounted at /sys/fs/cgroup giving an inconsistent view of the cgroups. Toolbx doesn't intend to provide a segregated security domain. So, there is no need for a cgroup namespace and Toolbx containers can just use the host's namespace. Having a private cgroup namespace for containers isn't currently causing problems for any use-case, but it did come in handy when investigating how to run a non-nested display server from within a Toolbx container on a virtual terminal. Since this requires a change to the 'podman create' arguments, it's not going to have an effect on existing containers, and re-creating containers is annoying for users. So, it might be better to get ahead of the curve and do it preemptively. https://github.com/containers/toolbox/issues/992 Signed-off-by: Sebastian Wick --- src/cmd/create.go | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmd/create.go b/src/cmd/create.go index 73d76a1..5e2e309 100644 --- a/src/cmd/create.go +++ b/src/cmd/create.go @@ -403,6 +403,7 @@ func createContainer(container, image, release string, showCommandToEnter bool) createArgs := []string{ "--log-level", logLevelString, "create", + "--cgroupns", "host", "--dns", "none", "--env", toolboxPathEnvArg, }
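Review bot: the new `"--cgroupns", "host"` entry in `createArgs` carries no comment, so the reasoning for it (the host cgroupfs at /sys/fs/cgroup giving an inconsistent view under a private cgroup namespace, and Toolbx not aiming to be a separate security domain) lives only in the commit message; a one-line comment above it pointing at https://github.com/containers/toolbox/issues/992 would stop a later reader from "fixing" it back to podman's default. Also worth confirming that the oldest podman release Toolbx supports accepts `--cgroupns`, since the flag is passed unconditionally with no fallback, and, as the message itself notes, the change only reaches newly created containers, so existing ones keep their private cgroup namespace until the user re-creates them.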