ignition, machine: delegate cpu,io cgroup controllers to machine's de…

…fault users Makes sure that ignition setups up systemd config so cgroup controllers like `cpu, io` are also delegated to `non-root` along with `memory, pid`. This allows general users of `podman` on `macOS` and `podman-remote` to do operations which are dependent on `cpu, io` cgroup controllers. [NO TESTS NEEDED] [NO NEW TESTS NEEDED] We don't have a CI infra to test this, please pull the tree and run `podman info` inside the machine to confirm. Signed-off-by: Aditya R <[email protected]>
containers · Jan 28, 2022 · 6f2b027 · 6f2b027
1 parent 935ae1b
commit 6f2b027
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go
@@ -246,6 +246,10 @@ netns="bridge"
 `
 	rootContainers := `[engine]
 machine_enabled=true
+`
+
+	delegateConf := `[Service]
+Delegate=memory pids cpu io
 `
 
 	// Add a fake systemd service to get the user socket rolling
@@ -280,6 +284,24 @@ machine_enabled=true
 			Mode: intToPtr(0744),
 		},
 	})
+
+	// Set delegate.conf so cpu,io subsystem is delegated to non-root users as well for cgroupv2
+	// by default
+	files = append(files, File{
+		Node: Node{
+			Group: getNodeGrp("root"),
+			Path:  "/etc/systemd/system/[email protected]/delegate.conf",
+			User:  getNodeUsr("root"),
+		},
+		FileEmbedded1: FileEmbedded1{
+			Append: nil,
+			Contents: Resource{
+				Source: encodeDataURLPtr(delegateConf),
+			},
+			Mode: intToPtr(0644),
+		},
+	})
+
 	// Add a file into linger
 	files = append(files, File{
 		Node: Node{