dbuild: avoid --pids-limit with podman and cgroupsv1

Podman doesn't correctly support --pids-limit with cgroupsv1. Some versions ignore it, and some versions reject the option. To avoid the error, don't supply --pids-limit if cgroupsv2 is not available (detected by its presence in /proc/filesystems). The user is required to configure the pids limit in /etc/containers/containers.conf. Fixes scylladb#7938.
avikivity · Jan 20, 2021 · 94b53f9 · 94b53f9
1 parent 7eb8c71
commit 94b53f9
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/tools/toolchain/dbuild b/tools/toolchain/dbuild
@@ -146,12 +146,22 @@ if [ -z "$is_podman" ]; then
        "${group_args[@]}"
        -v /etc/passwd:/etc/passwd:ro
        -v /etc/group:/etc/group:ro
+       --pids-limit -1
        )
 else
     TMP_PASSWD=$(mktemp --tmpdir passwd.XXXXXX)
     FULLNAME=$(getent passwd $USER | cut -d ':' -f 5)
     echo "$USER:x:0:0:$FULLNAME:$HOME:/bin/bash" > "$TMP_PASSWD"
     docker_common_args+=(-v "$TMP_PASSWD:/etc/passwd:ro")
+    # --pids-limit is not supported on podman with cgroupsv1
+    if grep -q cgroup2 /proc/filesystems; then
+        docker_common_args+=(--pids-limit -1)
+    fi
+    # if --pids-limit is not supported, add
+    #    [containers]
+    #    pids_limit = 0
+    #
+    # to /etc/containers/containers.conf
 fi
 
 if [ "$PWD" != "$toplevel" ]; then
@@ -165,7 +175,6 @@ tmpdir=$(mktemp -d)
 
 docker_common_args+=(
        --security-opt seccomp=unconfined \
-       --pids-limit -1 \
        --network host \
        --cap-add SYS_PTRACE \
        -v "$PWD:$PWD:z" \