Resource limits are not supported and ignored on cgroups V1 rootless systems #17582

Closed
cevich opened this issue Feb 20, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@cevich
Member

cevich commented Feb 20, 2023

Issue Description

While running the rootless podman system tests on Debian SID w/ CGv1, the podman kube --network test emits this nasty warning message.

Note: The podman command run by the test is functional, this issue is simply about this warning message being emitted unexpectedly. In other words, nothing on the command line or config. has specified any disallowed "Resource limits", therefore the user should not be receiving a warning about them.

Steps to reproduce the issue

  1. On a Debian SID system
  2. Set up for CGroups V1
  3. Execute system tests as a regular user

Describe the results you received

         # $ podman kube play --network slirp4netns:port_handler=slirp4netns /tmp/podman_bats.rqpa5E/test.yaml
         # Resource limits are not supported and ignored on cgroups V1 rootless systems
         # Pod:
         # a505589cc2b96dcf0a7b3c4c00bdbd01b948774cd7bd8262a996cae8aa7505de
         # Container:
         # 0fe48f8080f5de2733c262a6ac8a9d6689d20b3257f380d297f96a1bde1a3351

Describe the results you expected

         # $ podman kube play --network slirp4netns:port_handler=slirp4netns /tmp/podman_bats.rqpa5E/test.yaml
         # Pod:
         # a505589cc2b96dcf0a7b3c4c00bdbd01b948774cd7bd8262a996cae8aa7505de
         # Container:
         # 0fe48f8080f5de2733c262a6ac8a9d6689d20b3257f380d297f96a1bde1a3351

podman info output

host:
  arch: amd64
  buildahVersion: 1.30.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 60.02
    systemPercent: 13.36
    userPercent: 26.62
  cpus: 2
  distribution:
    codename: bookworm
    distribution: debian
    version: "12.03"
  eventLogger: journald
  hostname: cirrus-task-5308517670715392
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.1.0-4-cloud-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 3143659520
  memTotal: 4116930560
  networkBackend: netavark
  ociRuntime:
    name: runc
    package: runc_1.1.4+ds1-1+b2_amd64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.4+ds1
      commit: 1.1.4+ds1-1+b2
      spec: 1.0.2-dev
      go: go1.19.5
      libseccomp: 2.5.4
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 0h 26m 57.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: mirror.gcr.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  docker.io/library:
    Blocked: false
    Insecure: false
    Location: quay.io/libpod
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io/library
    PullFromMirror: ""
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
    PullFromMirror: ""
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 211116445696
  graphRootUsed: 4850208768
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.5.0-dev
  Built: 1676653531
  BuiltTime: Fri Feb 17 17:05:31 2023
  GitCommit: c0806ab41cb4b36c591321b53f6514a75e47ab20
  GoVersion: go1.19.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.5.0-dev

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Debian GNU/Linux bookworm/sid \n \l

Kernel: 6.1.0-4-cloud-amd64
Cgroups: tmpfs
dpkg-query: no packages found matching containers-common
dpkg-query: no packages found matching cri-o-runc
conmon-2.1.6+ds1-1-amd64
containernetworking-plugins-1.1.1+ds1-3+b2-amd64
criu-3.17.1-2-amd64
crun-1.8-1-amd64
golang-2:1.19~1-amd64
libseccomp2-2.5.4-1+b3-amd64
podman-4.3.1+ds1-5+b2-amd64
runc-1.1.4+ds1-1+b2-amd64
skopeo-1.9.3+ds1-1+b1-amd64
slirp4netns-1.2.0-1-amd64

Additional information

Example annotated log

@cevich cevich added the kind/bug Categorizes issue or PR as related to a bug. label Feb 20, 2023
@giuseppe
Member

that is expected, rootless users cannot set resource limits on cgroup v1.

cgroupv1 is dead, let's skip anything that doesn't work there. I'd personally not care about cgroupv1 at all since it doesn't help with RHEL anyway.

@cevich
Member Author

cevich commented Feb 21, 2023

> that is expected, rootless users cannot set resource limits on cgroup v1.

I get that, totally cool. The issue (for me) is that no resource-limits were specified by the test. Yet the user gets this warning message anyway. Near as I could tell, the test seems to work fine, except for getting hung-up on seeing this warning.

> it doesn't help with RHEL anyway.

I think that's true, these newer versions of podman will never get released on the RHEL versions where CGv1/runc is still in use.

The test is marked for skipping w/ ref: this issue. Should we just close this issue as a WONTFIX/CANTFIX then?

@giuseppe
Member

I think we still try to apply the default limit for pids. Yes, let's close it, and not worry about cgroupv1

cevich added a commit to cevich/podman that referenced this issue Feb 22, 2023
Test emits nasty warning message:
`Resource limits are not supported and ignored on cgroups V1 rootless
systems`

Ref: issue containers#17582

Signed-off-by: Chris Evich <[email protected]>
sstosh added a commit to sstosh/podman that referenced this issue Apr 11, 2023
If resource limits are not set, do not display the following warning message:
`Resource limits are not supported and ignored on cgroups V1 rootless systems`

Ref: containers#17582

Signed-off-by: Toshiki Sonoda <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 31, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 31, 2023
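
The condition discussed in this thread, sketched as an added example that is not part of the original issue and is not podman's own code: warn only when a limit was explicitly requested and must be dropped, and treat an engine-applied default pids limit as "not requested". The `Resources` and `Host` types, the function names and the default value 2048 are assumptions made for illustration.

```go
package main

import "fmt"

// Resources is a simplified, hypothetical stand-in for a container's limits;
// it is not podman's or the OCI runtime spec's own type.
type Resources struct {
	MemoryLimit *int64 // bytes
	CPUQuota    *int64 // microseconds per period
	PidsLimit   *int64
}

// Host holds the two facts the warning depends on.
type Host struct{ Rootless, CgroupsV2 bool }

const warning = "Resource limits are not supported and ignored on cgroups V1 rootless systems"

// userRequestedLimits reports whether any limit was set explicitly.
// Assumption taken from the thread: the engine fills in a default pids
// limit on its own, so a value equal to that default is not a user request.
func userRequestedLimits(r *Resources, defaultPids int64) bool {
	if r == nil {
		return false
	}
	if r.MemoryLimit != nil || r.CPUQuota != nil {
		return true
	}
	return r.PidsLimit != nil && *r.PidsLimit != defaultPids
}

// CheckLimits returns the limits that can actually be enforced on this host,
// plus a warning when explicitly requested limits have to be dropped.
func CheckLimits(h Host, r *Resources, defaultPids int64) (*Resources, string) {
	if !h.Rootless || h.CgroupsV2 {
		return r, "" // limits are enforceable, nothing to report
	}
	if userRequestedLimits(r, defaultPids) {
		return nil, warning // the caller asked for containment it will not get
	}
	return nil, "" // only defaults were present: drop them silently
}

func main() {
	def, mem := int64(2048), int64(256<<20) // constructed sample values
	v1 := Host{Rootless: true}
	_, w := CheckLimits(v1, &Resources{PidsLimit: &def}, def)
	fmt.Printf("default pids only: %q\n", w)
	_, w = CheckLimits(v1, &Resources{MemoryLimit: &mem}, def)
	fmt.Printf("explicit memory:   %q\n", w)
}
```

In the explicit-limit case the effective limits come back as `nil`, which is the state a rootless cgroups V1 workload actually runs in: no memory, CPU or pids containment.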