Merge pull request #8134 from xordspar0/cpu.max-permission

[CI:DOCS] Document how to enable CPU limit delegation
containers · Oct 27, 2020 · 434de06 · 434de06
2 parents eda5a6d + f393d32
commit 434de06
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 2 deletions.
diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md
@@ -115,6 +115,10 @@ Limit the CPU CFS (Completely Fair Scheduler) period
 
 Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpu-quota**=*limit*
 
 Limit the CPU CFS (Completely Fair Scheduler) quota
@@ -123,6 +127,10 @@ Limit the container's CPU usage. By default, containers run with the full
 CPU resource. This flag tell the kernel to restrict the container's CPU usage
 to the quota you specify.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpu-shares**, **-c**=*shares*
 
 CPU shares (relative weight)
@@ -787,9 +795,9 @@ registries.conf is the configuration file which specifies which container regist
 
 ## Troubleshooting
 
-If you are using a useradd command within a Containerfile with a large UID/GID, it will create a large sparse file `/var/log/lastlog`.  This can cause the build to hang forever.  Go language does not support sparse files correctly, which can lead to some huge files being created in your container image.
+### lastlog sparse file
 
-### Solution
+If you are using a useradd command within a Containerfile with a large UID/GID, it will create a large sparse file `/var/log/lastlog`.  This can cause the build to hang forever.  Go language does not support sparse files correctly, which can lead to some huge files being created in your container image.
 
 If you are using `useradd` within your build script, you should pass the `--no-log-init or -l` option to the `useradd` command.  This option tells useradd to stop creating the lastlog file.
 

diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
@@ -107,6 +107,10 @@ Limit the CPU CFS (Completely Fair Scheduler) period
 
 Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpu-quota**=*limit*
 
 Limit the CPU CFS (Completely Fair Scheduler) quota
@@ -115,6 +119,10 @@ Limit the container's CPU usage. By default, containers run with the full
 CPU resource. This flag tell the kernel to restrict the container's CPU usage
 to the quota you specify.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpu-rt-period**=*microseconds*
 
 Limit the CPU real-time period in microseconds
@@ -171,6 +179,10 @@ PID    container	CPU	CPU share
 
 Number of CPUs. The default is *0.0* which means no limit.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpuset-cpus**=*cpus*
 
 CPUs in which to allow execution (0-3, 0,1)

diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
@@ -120,6 +120,10 @@ Write the pid of the **conmon** process to a file. As **conmon** runs in a separ
 
 Limit the container's CPU usage by setting CPU CFS (Completely Fair Scheduler) period.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpu-quota**=*limit*
 
 Limit the CPU CFS (Completely Fair Scheduler) quota.
@@ -128,6 +132,10 @@ Limit the container's CPU usage. By default, containers run with the full
 CPU resource. This flag tell the kernel to restrict the container's CPU usage
 to the quota you specify.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpu-rt-period**=*microseconds*
 
 Limit the CPU real-time period in microseconds.
@@ -182,6 +190,10 @@ division of CPU shares:
 
 Number of CPUs. The default is *0.0* which means no limit.
 
+On some systems, changing the CPU limits may not be allowed for non-root
+users. For more details, see
+https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
+
 **--cpuset-cpus**=*number*
 
 CPUs in which to allow execution. Can be specified as a comma-separated list

diff --git a/troubleshooting.md b/troubleshooting.md
@@ -644,3 +644,39 @@ $ podman run --read-only --rootfs /path/to/rootfs ....
 
 Another option would be to create an overlay file system on the directory as a lower and then
 then allow podman to create the files on the upper.
+
+### 26) Running containers with CPU limits fails with a permissions error
+
+On some systemd-based systems, non-root users do not have CPU limit delegation
+permissions. This causes setting CPU limits to fail.
+
+#### Symptom
+
+Running a container with a CPU limit options such as `--cpus`, `--cpu-period`,
+or `--cpu-quota` will fail with an error similar to the following:
+
+    Error: opening file `cpu.max` for writing: Permission denied: OCI runtime permission denied error
+
+This means that CPU limit delegation is not enabled for the current user.
+
+#### Solution
+
+You can verify whether CPU limit delegation is enabled by running the following command:
+
+    cat "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"
+
+Example output might be:
+
+    memory pids
+
+In the above example, `cpu` is not listed, which means the curent user does
+not have permission to set CPU limits.
+
+If you want to enable CPU limit delegation for all users, you can create the
+file `/etc/systemd/system/[email protected]/delegate.conf` with the contents:
+
+    [Service]
+    Delegate=memory pids cpu io
+
+After logging out and loggin back in, you should have permission to set CPU
+limits.