From 2bedbfdb181a7a5285ab688d9756017ffc3e6bc6 Mon Sep 17 00:00:00 2001
From: Vova Kryachko
Date: Fri, 21 Mar 2025 16:19:38 +0000
Subject: [PATCH] fix(snix/build): Don't enable cgroup namespace in oci build. While we want it long term, disabing it for now as it causes runc startup failure when it runs inside nested cgroup namespaces.
Change-Id: I121f1d79c6a02e68e7883e0edeba7f57627c20ed
Reviewed-on: https://cl.snix.dev/c/snix/+/30236
Reviewed-by: Florian Klink
Tested-by: besadii
---
 snix/build/src/oci/spec.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/snix/build/src/oci/spec.rs b/snix/build/src/oci/spec.rs
index b03f88ea4..650abd6d6 100644
--- a/snix/build/src/oci/spec.rs
+++ b/snix/build/src/oci/spec.rs
@@ -172,7 +172,10 @@ fn configure_linux(
 LinuxNamespaceType::Ipc,
 LinuxNamespaceType::Uts,
 LinuxNamespaceType::Mount,
- LinuxNamespaceType::Cgroup,
+ // We want to create a cgroup namespace in the future to be able to trace resource usage
+ // For now it's disabled as it causes issues in cases where the host machine is running in a
+ // messed up cgroup
+ // LinuxNamespaceType::Cgroup,
 ];
 if !allow_network {
 namespace_types.push(LinuxNamespaceType::Network)
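Review bot: The new comment in the `namespace_types` list does not record what isolation is given up. With no `LinuxNamespaceType::Cgroup` entry the build process stays in the cgroup namespace of whatever launched runc, so `/proc/self/cgroup` inside the sandbox reports the host-side cgroup path; whether a cgroup filesystem is also visible depends on mounts configured outside this hunk. The stated reason ("messed up cgroup") is also vaguer than the commit message, which names runc failing to start inside nested cgroup namespaces, and resource accounting presumably comes from cgroup membership rather than from the namespace, so the first comment line may mislead. I would reword it along the lines of `// TODO(<tracking-issue>): re-enable once runc starts correctly inside nested cgroup namespaces.` and `// Until then builds share the caller's cgroup namespace and can read the host cgroup path.`, and drop the commented-out enum line. `configure_linux` begins and ends outside the hunk.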