Rootless podman cannot configure Cgroup limits via cgroupfs  #21575

@adippl

Description

Issue Description

Rootless podman on Gentoo cannot set cgroupv2 limits via cgroupfs.
Everything works fine when podman containers are started by root.

Steps to reproduce the issue

  1. Configure a working rootless podman with cgroups v2 and without systemd
  2. Launch a container with --memory= or --cpuset-cpus=
  3. Run podman inspect to check whether podman accepted the settings
  4. Run ls /sys/fs/cgroup/libpod_parent to check whether podman created a directory for the container

Describe the results you received

Container directories are not created in /sys/fs/cgroup/libpod_parent.
Configured limits are visible in podman inspect but have no effect.

Describe the results you expected

Rootless podman should set cgroup limits with the cgroupfs driver, or at least issue a warning to users that it is not supported.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: app-containers/conmon-2.1.8
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.1.8, commit: 00e08f4a9ca5420de733bf542b930ad58e1a7e7d'
  cpuUtilization:
    idlePercent: 97.63
    systemPercent: 0.69
    userPercent: 1.68
  cpus: 32
  databaseBackend: sqlite
  distribution:
    distribution: gentoo
    version: "2.14"
  eventLogger: file
  freeLocks: 2048
  hostname: REMOVED
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.6.13-gentoo-dist
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 34352328704
  memTotal: 66971533312
  networkBackend: cni
  networkBackendInfo:
    backend: cni
    dns: {}
    package: app-containers/cni-plugins-1.2.0
    path: /opt/cni/bin
  ociRuntime:
    name: crun
    package: app-containers/crun-1.8.4
    path: /usr/bin/crun
    version: |-
      crun version 1.8.4
      commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: app-containers/slirp4netns-1.2.0
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 68719472640
  swapTotal: 68719472640
  uptime: 7h 7m 36.00s (Approximately 0.29 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
    PullFromMirror: ""
  quay.io:
    Blocked: false
    Insecure: false
    Location: quay.io
    MirrorByDigestOnly: false
    Prefix: quay.io
    PullFromMirror: ""
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 118410444800
  graphRootUsed: 88523591680
  graphStatus:
    Build Version: Btrfs v6.6.3
    Library Version: "102"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /var/lib/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.9.2
  Built: 1707433496
  BuiltTime: Fri Feb  9 00:04:56 2024
  GitCommit: ""
  GoVersion: go1.21.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

My podman is running on bare metal on a Gentoo system without systemd.

Additional information

No response
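The report's steps 3 and 4 compare what podman inspect claims with what actually exists under /sys/fs/cgroup. The following script is an added example (not the issue author's or the podman project's code) that turns that comparison into a pass/fail check on a cgroup v2 host: it locates the container's cgroup from /proc/PID/cgroup and compares the kernel's memory.max with the limit podman reports. The helper names are mine, and it assumes podman inspect exposes .State.Pid and .HostConfig.Memory (bytes, 0 for no limit).

```shell
#!/bin/sh
# Added example: does the memory limit podman reports actually reach the cgroup v2 tree?
# CGROUP_ROOT is overridable so the parsing helpers can be exercised against a
# constructed directory tree instead of the live /sys/fs/cgroup.
set -u
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Parse a cgroup v2 /proc/<pid>/cgroup file (single line "0::/path") and print the path.
cgroup_of_pid() {          # $1 = path to a /proc/<pid>/cgroup file
    local line
    while IFS= read -r line; do
        case "$line" in
            0::*) printf '%s\n' "${line#0::}"; return 0 ;;
        esac
    done < "$1"
    return 1               # no v2 entry: host is on cgroup v1 or hybrid
}

# Print memory.max for a cgroup path below CGROUP_ROOT: bytes, "max", or
# "missing" when the controller file does not exist (e.g. directory never created).
memory_max_for() {         # $1 = cgroup path as printed by cgroup_of_pid
    local f="$CGROUP_ROOT/$1/memory.max"
    [ -r "$f" ] || { echo "missing"; return 0; }
    cat "$f"
}

# Compare podman's claimed limit (bytes; 0 = none) with the kernel's memory.max.
# Returns 0 when they agree, 1 when the configured limit is not enforced.
compare_limit() {          # $1 = expected bytes, $2 = memory.max value
    local expected="$1" actual="$2"
    if [ "$expected" -eq 0 ]; then
        [ "$actual" = "max" ] || [ "$actual" = "missing" ]; return
    fi
    [ "$actual" = "$expected" ]
}

# Live check against a running container; requires podman on the host.
check_container_memory() { # $1 = container name or id
    local pid expected rel actual
    pid=$(podman inspect --format '{{.State.Pid}}' "$1") || return 2
    expected=$(podman inspect --format '{{.HostConfig.Memory}}' "$1") || return 2
    rel=$(cgroup_of_pid "/proc/$pid/cgroup") || { echo "no cgroup v2 entry for pid $pid"; return 2; }
    actual=$(memory_max_for "$rel")
    if compare_limit "$expected" "$actual"; then
        echo "OK: $1 in $rel, memory.max=$actual"
    else
        echo "NOT ENFORCED: $1 in $rel, podman reports $expected bytes, kernel has $actual"
        return 1
    fi
}
```

Run it as `check_container_memory <container>` right after `podman run --memory=512m ...`; a "NOT ENFORCED" line with memory.max "missing" is exactly the symptom described above.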

Labels

kind/bug