ci: ensure the cgroup parent always exists for rootless

On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
when they become empty (i.e., contain no processes). To prevent this, we spawn
a dummy process to pin the cgroup in place.
Fix: #5003

Signed-off-by: lifubang <[email protected]>

Author: lifubang

tests/rootless.sh

@@ -97,11 +97,20 @@ function cleanup() {
 ALL_CGROUPS=($(cut -d: -f2 </proc/self/cgroup | sed -E '{s/^name=//;s/,/\n/;/^$/D}'))
 CGROUP_MOUNT="/sys/fs/cgroup"
 CGROUP_PATH="/runc-cgroups-integration-test"
+CGROUP_PIN_PID=-1
 
 function enable_cgroup() {
+	# On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
+	# when they become empty (i.e., contain no processes). To prevent this, we spawn
+	# a dummy process to pin the cgroup in place.
+	# See: https://github.com/opencontainers/runc/issues/5003
+	sleep inf &
+	CGROUP_PIN_PID=$!
 	# Set up cgroups for use in rootless containers.
 	for cg in "${ALL_CGROUPS[@]}"; do
 		mkdir -p "$CGROUP_MOUNT/$cg$CGROUP_PATH"
+		# TODO: Consider retrying on "No space left on device" errors.
+		echo "$CGROUP_PIN_PID" >"$CGROUP_MOUNT/$cg$CGROUP_PATH/cgroup.procs" || true
 		# We only need to allow write access to {cgroup.procs,tasks} and the
 		# directory. Rather than changing the owner entirely, we just change
 		# the group and then allow write access to the group (in order to
@@ -141,6 +150,11 @@ function enable_cgroup() {
 }
 
 function disable_cgroup() {
+	if [ $CGROUP_PIN_PID -ne -1 ]; then
+		kill -9 "$CGROUP_PIN_PID" || true
+		wait "$CGROUP_PIN_PID" 2>/dev/null || true
+		CGROUP_PIN_PID=-1
+	fi
 	# Remove cgroups used in rootless containers.
 	for cg in "${ALL_CGROUPS[@]}"; do
 		[ -d "$CGROUP_MOUNT/$cg$CGROUP_PATH" ] && rmdir "$CGROUP_MOUNT/$cg$CGROUP_PATH"