rootless: automatically create a systemd scope #3959
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
approved
libpod/oci_internal_linux.go
Outdated
| @@ -367,7 +367,7 @@ func (r *OCIRuntime) moveConmonToCgroupAndSignal(ctr *Container, cmd *exec.Cmd, | |||
|
|
|||
| logrus.Infof("Running conmon under slice %s and unitName %s", realCgroupParent, unitName) | |||
| if err := utils.RunUnderSystemdScope(cmd.Process.Pid, realCgroupParent, unitName); err != nil { | |||
| logrus.Warnf("Failed to add conmon to systemd sandbox cgroup: %v", err) | |||
| logrus.Warningf("Failed to add conmon to systemd sandbox cgroup: %v", err) | |||
There was a problem hiding this comment.
Thanks for spotting it :) got confused. Dropped the patch
cmd/podman/main_local.go
Outdated
| return err | ||
| } | ||
| unitName := fmt.Sprintf("podman-%d.scope", os.Getpid()) | ||
| if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil { |
There was a problem hiding this comment.
Should this be unconditional? I feel like we only want it with systemd CGroups.
There was a problem hiding this comment.
we also want this when using cgroupfs. It solves the problem of running systemd containers on cgroups v1 with: systemd-run --scope --user podman ...
If it fails though, we just print a debug message
giuseppe
force-pushed
the
rootless-use-systemd-scope
branch
from
1021a9f to
cb89afa
Compare
|
LGTM |
|
@msekletar PTAL |
giuseppe
force-pushed
the
rootless-use-systemd-scope
branch
from
cb89afa to
460628a
Compare
giuseppe
force-pushed
the
rootless-use-systemd-scope
branch
3 times, most recently
from
7ea517a to
8a55f3d
Compare
|
LGTM assuming happy tests |
|
tests are finally passing |
|
I don't like increasing our dependency on systemd; I'd like to still be able to run in environments where it's not available. Still, this doesn't seem harmful... LGTM |
giuseppe
force-pushed
the
rootless-use-systemd-scope
branch
2 times, most recently
from
36f9ca5 to
a224050
Compare
|
I've addressed the comments and pushed a new version.
I agree, Podman should work fine without systemd. If it fails to create the scope we only give a warning (if the cgroups manager is |
|
☔ The latest upstream changes (presumably #3581) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@giuseppe needs a rebase. |
giuseppe
force-pushed
the
rootless-use-systemd-scope
branch
from
a224050 to
61ab001
Compare
when running as rootless, use the user session bus. It is already implemented in the pkg/cgroups so just re-use it. Signed-off-by: Giuseppe Scrivano <[email protected]>
when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope when the user doesn't own the current cgroup. This solves a couple of issues: on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l. Closes: containers#3937 Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR. Signed-off-by: Giuseppe Scrivano <[email protected]>
Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
force-pushed
the
rootless-use-systemd-scope
branch
from
61ab001 to
7e88bf7
Compare
|
rebased and tests are green |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope.
This solves a couple of issues:
on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l.
Closes: #3937
Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR.
Signed-off-by: Giuseppe Scrivano [email protected]