Merge pull request #13061 from flouthoc/podman-vm-delegate-subsystem

ignition, machine: delegate `cpu,io,memory,pid cgroup controllers` to machine's non-root users.
containers · Jan 28, 2022 · c2f4747 · c2f4747
2 parents 1b544b7 + 6f2b027
commit c2f4747
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go
@@ -246,6 +246,10 @@ netns="bridge"
 `
 	rootContainers := `[engine]
 machine_enabled=true
+`
+
+	delegateConf := `[Service]
+Delegate=memory pids cpu io
 `
 
 	// Add a fake systemd service to get the user socket rolling
@@ -280,6 +284,24 @@ machine_enabled=true
 			Mode: intToPtr(0744),
 		},
 	})
+
+	// Set delegate.conf so cpu,io subsystem is delegated to non-root users as well for cgroupv2
+	// by default
+	files = append(files, File{
+		Node: Node{
+			Group: getNodeGrp("root"),
+			Path:  "/etc/systemd/system/[email protected]/delegate.conf",
+			User:  getNodeUsr("root"),
+		},
+		FileEmbedded1: FileEmbedded1{
+			Append: nil,
+			Contents: Resource{
+				Source: encodeDataURLPtr(delegateConf),
+			},
+			Mode: intToPtr(0644),
+		},
+	})
+
 	// Add a file into linger
 	files = append(files, File{
 		Node: Node{