rootless: allow resource isolation with cgroup v2 #3104
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
approved
|
/cc @mheon @AkihiroSuda |
|
@giuseppe: GitHub didn't allow me to request PR reviews from the following users: AkihiroSuda. Note that only containers members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
cmd/podman/shared/create_cli.go
Outdated
| @@ -76,6 +77,17 @@ func addWarning(warnings []string, msg string) []string { | |||
|
|
|||
| func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, error) { | |||
| warnings := []string{} | |||
|
|
|||
| var st syscall.Statfs_t | |||
| if err := syscall.Statfs("/sys/fs/cgroup", &st); err == nil { | |||
There was a problem hiding this comment.
Can we either do this once and stick it in a bool we can read, or make a helper for the test?
There was a problem hiding this comment.
yes, good idea. Done in the new version
| const _CGROUP2_SUPER_MAGIC = 0x63677270 | ||
|
|
||
| // IsCgroup2UnifiedMode returns whether we are running in cgroup 2 unified mode. | ||
| func IsCgroup2UnifiedMode() (bool, error) { |
There was a problem hiding this comment.
Can you put this into buildah rather then into Podman so both tools can share the check?
There was a problem hiding this comment.
we are not currently doing any the same check in Buildah as we do for Podman when resources are specified.
|
correction: it works fine on Fedora 30 with the systemd version available there. |
We were always raising an error when the rootless user attempted to setup resources, but this is not the case anymore with cgroup v2. Signed-off-by: Giuseppe Scrivano <[email protected]>
skip resources validation when cgroup v2 is detected, as we don't support it yet. Signed-off-by: Giuseppe Scrivano <[email protected]>
Signed-off-by: Giuseppe Scrivano <[email protected]>
|
tests are finally passing |
|
Question: does this break |
the only difference for rootless Podman with runc will be that if an user specifies any resource, Podman won't error out immediately but it will let the runtime handle it. I've not tried it but I'd expect it to fail on cgroup v2 also when resources are not specified |
|
the change for conmon got merged, fine to merge this? |
|
LGTM |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
this is not adding any support for cgroup v2. It is only used to avoid some early errors when attempting to use cgroup v2 for rootless users.
Depends on:
with the updated versions of conmon and crun, on a Fedora 30 configured with cgroup v2 unified mode, I can: