author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2022-01-17 12:57:20 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-17 12:57:20 +0100 |
commit | 8514ebd1827b12bae8b5d53d8f0e36244d1b3c3a (patch) | |
tree | d8ccbe18806a8d03ac1d89754d4f009103803c5e | |
parent | 26cf6c82c82cbf45afe5998e4a881b9f52202a01 (diff) | |
parent | 607cb80bf77642c02b80bff56aa4c3e396a91fa0 (diff) | |
Merge pull request #12860 from rhatdan/cgroups
Use CONTAINERS_CONF cgroups flag for remote API.
42 files changed, 142 insertions, 97 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index e95e447e1..3ce4e6731 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -97,7 +97,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, cgroupsFlagName := "cgroups" createFlags.StringVar( - &cf.CGroupsMode, + &cf.CgroupsMode, cgroupsFlagName, cgroupConfig(), `control container cgroup configuration ("enabled"|"disabled"|"no-conmon"|"split")`, ) @@ -159,7 +159,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, deviceCgroupRuleFlagName := "device-cgroup-rule" createFlags.StringSliceVar( - &cf.DeviceCGroupRule, + &cf.DeviceCgroupRule, deviceCgroupRuleFlagName, []string{}, "Add a rule to the cgroup allowed devices list", ) @@ -762,7 +762,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, cgroupParentFlagName := "cgroup-parent" createFlags.StringVar( - &cf.CGroupParent, + &cf.CgroupParent, cgroupParentFlagName, "", "Optional parent cgroup for the container", ) diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go index b4641ea96..eb0d07836 100644 --- a/cmd/podman/common/create_opts.go +++ b/cmd/podman/common/create_opts.go @@ -246,7 +246,7 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c Authfile: "", CapAdd: append(capAdd, cc.HostConfig.CapAdd...), CapDrop: append(cappDrop, cc.HostConfig.CapDrop...), - CGroupParent: cc.HostConfig.CgroupParent, + CgroupParent: cc.HostConfig.CgroupParent, CIDFile: cc.HostConfig.ContainerIDFile, CPUPeriod: uint64(cc.HostConfig.CPUPeriod), CPUQuota: cc.HostConfig.CPUQuota, @@ -259,7 +259,7 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c // Detach: false, // don't need // DetachKeys: "", // don't need Devices: devices, - DeviceCGroupRule: nil, + DeviceCgroupRule: nil, DeviceReadBPs: readBps, DeviceReadIOPs: readIops, DeviceWriteBPs: writeBps, 
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go index 694b97fe5..db78c96ee 100644 --- a/cmd/podman/containers/create.go +++ b/cmd/podman/containers/create.go @@ -257,8 +257,8 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra } vals.Env = env } - if c.Flag("cgroups").Changed && vals.CGroupsMode == "split" && registry.IsRemote() { - return vals, errors.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CGroupsMode) + if c.Flag("cgroups").Changed && vals.CgroupsMode == "split" && registry.IsRemote() { + return vals, errors.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CgroupsMode) } if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed { diff --git a/libpod/boltdb_state.go b/libpod/boltdb_state.go index ceeb5119d..68e35f79f 100644 --- a/libpod/boltdb_state.go +++ b/libpod/boltdb_state.go @@ -215,7 +215,7 @@ func (s *BoltState) Refresh() error { return errors.Wrapf(err, "error unmarshalling state for pod %s", string(id)) } - // Clear the CGroup path + // Clear the Cgroup path state.CgroupPath = "" newStateBytes, err := json.Marshal(state) diff --git a/libpod/container.go b/libpod/container.go index 1dd2ef5f7..51a3ffd3d 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -23,7 +23,7 @@ import ( "github.com/sirupsen/logrus" ) -// CgroupfsDefaultCgroupParent is the cgroup parent for CGroupFS in libpod +// CgroupfsDefaultCgroupParent is the cgroup parent for CgroupFS in libpod const CgroupfsDefaultCgroupParent = "/libpod_parent" // SystemdDefaultCgroupParent is the cgroup parent for the systemd cgroup @@ -56,7 +56,7 @@ const ( UserNS LinuxNS = iota // UTSNS is the UTS namespace UTSNS LinuxNS = iota - // CgroupNS is the CGroup namespace + // CgroupNS is the Cgroup namespace CgroupNS LinuxNS = iota ) 
@@ -575,7 +575,7 @@ func (c *Container) CreatedTime() time.Time { return c.config.CreatedTime } -// CgroupParent gets the container's CGroup parent +// CgroupParent gets the container's Cgroup parent func (c *Container) CgroupParent() string { return c.config.CgroupParent } @@ -907,10 +907,10 @@ func (c *Container) CgroupManager() string { return cgroupManager } -// CGroupPath returns a cgroups "path" for the given container. +// CgroupPath returns a cgroups "path" for the given container. // Note that the container must be running. Otherwise, an error // is returned. -func (c *Container) CGroupPath() (string, error) { +func (c *Container) CgroupPath() (string, error) { if !c.batched { c.lock.Lock() defer c.lock.Unlock() diff --git a/libpod/container_config.go b/libpod/container_config.go index 102d74236..725e27c2a 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -334,7 +334,7 @@ type ContainerMiscConfig struct { // CgroupManager is the cgroup manager used to create this container. // If empty, the runtime default will be used. CgroupManager string `json:"cgroupManager,omitempty"` - // NoCgroups indicates that the container will not create CGroups. It is + // NoCgroups indicates that the container will not create Cgroups. It is // incompatible with CgroupParent. Deprecated in favor of CgroupsMode. NoCgroups bool `json:"noCgroups,omitempty"` // CgroupsMode indicates how the container will create cgroups diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 792dfc58e..615a7522b 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -730,7 +730,7 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named } hostConfig.CgroupMode = cgroupMode - // CGroup parent + // Cgroup parent // Need to check if it's the default, and not print if so. defaultCgroupParent := "" switch c.CgroupManager() { 
diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 12d6d5a18..d0c8ccc4c 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1092,7 +1092,7 @@ func (c *Container) init(ctx context.Context, retainRetries bool) error { // upstream in any OCI runtime. // TODO: Remove once runc supports cgroupsv2 if strings.Contains(err.Error(), "this version of runc doesn't work on cgroups v2") { - logrus.Errorf("Oci runtime %q does not support CGroups V2: use system migrate to mitigate", c.ociRuntime.Name()) + logrus.Errorf("Oci runtime %q does not support Cgroups V2: use system migrate to mitigate", c.ociRuntime.Name()) } return err } @@ -1291,8 +1291,8 @@ func (c *Container) stop(timeout uint) error { // a pid namespace then the OCI Runtime needs to kill ALL processes in // the containers cgroup in order to make sure the container is stopped. all := !c.hasNamespace(spec.PIDNamespace) - // We can't use --all if CGroups aren't present. - // Rootless containers with CGroups v1 and NoCgroups are both cases + // We can't use --all if Cgroups aren't present. + // Rootless containers with Cgroups v1 and NoCgroups are both cases // where this can happen. if all { if c.config.NoCgroups { @@ -1400,7 +1400,7 @@ func (c *Container) stop(timeout uint) error { // Internal, non-locking function to pause a container func (c *Container) pause() error { if c.config.NoCgroups { - return errors.Wrapf(define.ErrNoCgroups, "cannot pause without using CGroups") + return errors.Wrapf(define.ErrNoCgroups, "cannot pause without using Cgroups") } if rootless.IsRootless() { 
@@ -1428,7 +1428,7 @@ func (c *Container) pause() error { // Internal, non-locking function to unpause a container func (c *Container) unpause() error { if c.config.NoCgroups { - return errors.Wrapf(define.ErrNoCgroups, "cannot unpause without using CGroups") + return errors.Wrapf(define.ErrNoCgroups, "cannot unpause without using Cgroups") } if err := c.ociRuntime.UnpauseContainer(c); err != nil { diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 508a8a8cf..0f89daab0 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -2772,7 +2772,7 @@ func (c *Container) getOCICgroupPath() (string, error) { // expects cgroups to be passed as follows: // slice:prefix:name systemdCgroups := fmt.Sprintf("%s:libpod:%s", path.Base(c.config.CgroupParent), c.ID()) - logrus.Debugf("Setting CGroups for container %s to %s", c.ID(), systemdCgroups) + logrus.Debugf("Setting Cgroups for container %s to %s", c.ID(), systemdCgroups) return systemdCgroups, nil case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)): if c.config.CgroupParent == "" || !isRootlessCgroupSet(c.config.CgroupParent) { @@ -2781,7 +2781,7 @@ func (c *Container) getOCICgroupPath() (string, error) { fallthrough case cgroupManager == config.CgroupfsCgroupsManager: cgroupPath := filepath.Join(c.config.CgroupParent, fmt.Sprintf("libpod-%s", c.ID())) - logrus.Debugf("Setting CGroup path for container %s to %s", c.ID(), cgroupPath) + logrus.Debugf("Setting Cgroup path for container %s to %s", c.ID(), cgroupPath) return cgroupPath, nil default: return "", errors.Wrapf(define.ErrInvalidArg, "invalid cgroup manager %s requested", cgroupManager) diff --git a/libpod/container_validate.go b/libpod/container_validate.go index ca5ce8b2a..492225401 100644 --- a/libpod/container_validate.go +++ b/libpod/container_validate.go 
@@ -57,13 +57,13 @@ func (c *Container) validate() error { if ns.Type == spec.PIDNamespace { foundPid = true if ns.Path != "" { - return errors.Wrapf(define.ErrInvalidArg, "containers not creating CGroups must create a private PID namespace - cannot use another") + return errors.Wrapf(define.ErrInvalidArg, "containers not creating Cgroups must create a private PID namespace - cannot use another") } break } } if !foundPid { - return errors.Wrapf(define.ErrInvalidArg, "containers not creating CGroups must create a private PID namespace") + return errors.Wrapf(define.ErrInvalidArg, "containers not creating Cgroups must create a private PID namespace") } } diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go index ba73e4196..6db1b025e 100644 --- a/libpod/define/container_inspect.go +++ b/libpod/define/container_inspect.go @@ -345,9 +345,9 @@ type InspectContainerHostConfig struct { // populated. // TODO. Cgroup string `json:"Cgroup"` - // Cgroups contains the container's CGroup mode. - // Allowed values are "default" (container is creating CGroups) and - // "disabled" (container is not creating CGroups). + // Cgroups contains the container's Cgroup mode. + // Allowed values are "default" (container is creating Cgroups) and + // "disabled" (container is not creating Cgroups). // This is Libpod-specific and not included in `docker inspect`. Cgroups string `json:"Cgroups"` // Links is unused, and provided purely for Docker compatibility. @@ -417,7 +417,7 @@ type InspectContainerHostConfig struct { Isolation string `json:"Isolation"` // CpuShares indicates the CPU resources allocated to the container. // It is a relative weight in the scheduler for assigning CPU time - // versus other CGroups. + // versus other Cgroups. CpuShares uint64 `json:"CpuShares"` // Memory indicates the memory resources allocated to the container. // This is the limit (in bytes) of RAM the container may use. 
@@ -434,12 +434,12 @@ type InspectContainerHostConfig struct { // 100000, we will set both CpuQuota, CpuPeriod, and NanoCpus. If // CpuQuota is not the default, we will not set NanoCpus. NanoCpus int64 `json:"NanoCpus"` - // CgroupParent is the CGroup parent of the container. + // CgroupParent is the Cgroup parent of the container. // Only set if not default. CgroupParent string `json:"CgroupParent"` // BlkioWeight indicates the I/O resources allocated to the container. // It is a relative weight in the scheduler for assigning I/O time - // versus other CGroups. + // versus other Cgroups. BlkioWeight uint16 `json:"BlkioWeight"` // BlkioWeightDevice is an array of I/O resource priorities for // individual device nodes. diff --git a/libpod/define/errors.go b/libpod/define/errors.go index 653ef187d..f5a7c73e5 100644 --- a/libpod/define/errors.go +++ b/libpod/define/errors.go @@ -96,7 +96,7 @@ var ( ErrWillDeadlock = errors.New("deadlock due to lock mismatch") // ErrNoCgroups indicates that the container does not have its own - // CGroup. + // Cgroup. ErrNoCgroups = errors.New("this container does not have a cgroup") // ErrNoLogs indicates that this container is not creating a log so log // operations cannot be performed on it diff --git a/libpod/define/info.go b/libpod/define/info.go index 15400991f..48ad51c22 100644 --- a/libpod/define/info.go +++ b/libpod/define/info.go @@ -27,7 +27,7 @@ type HostInfo struct { Arch string `json:"arch"` BuildahVersion string `json:"buildahVersion"` CgroupManager string `json:"cgroupManager"` - CGroupsVersion string `json:"cgroupVersion"` + CgroupsVersion string `json:"cgroupVersion"` CgroupControllers []string `json:"cgroupControllers"` Conmon *ConmonInfo `json:"conmon"` CPUs int `json:"cpus"` diff --git a/libpod/define/pod_inspect.go b/libpod/define/pod_inspect.go index e7adc8700..e85a660a1 100644 --- a/libpod/define/pod_inspect.go +++ b/libpod/define/pod_inspect.go 
@@ -26,12 +26,12 @@ type InspectPodData struct { // Labels is a set of key-value labels that have been applied to the // pod. Labels map[string]string `json:"Labels,omitempty"` - // CreateCgroup is whether this pod will create its own CGroup to group + // CreateCgroup is whether this pod will create its own Cgroup to group // containers under. CreateCgroup bool - // CgroupParent is the parent of the pod's CGroup. + // CgroupParent is the parent of the pod's Cgroup. CgroupParent string `json:"CgroupParent,omitempty"` - // CgroupPath is the path to the pod's CGroup. + // CgroupPath is the path to the pod's Cgroup. CgroupPath string `json:"CgroupPath,omitempty"` // CreateInfra is whether this pod will create an infra container to // share namespaces. diff --git a/libpod/info.go b/libpod/info.go index 354364ccc..de675859e 100644 --- a/libpod/info.go +++ b/libpod/info.go @@ -104,7 +104,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) { return nil, errors.Wrapf(err, "error getting Seccomp profile path") } - // CGroups version + // Cgroups version unified, err := cgroups.IsCgroup2UnifiedMode() if err != nil { return nil, errors.Wrapf(err, "error reading cgroups mode") @@ -150,7 +150,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) { if unified { cgroupVersion = "v2" } - info.CGroupsVersion = cgroupVersion + info.CgroupsVersion = cgroupVersion slirp4netnsPath := r.config.Engine.NetworkCmdPath if slirp4netnsPath == "" { diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 3440507ed..8d6a23ecc 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1402,7 +1402,7 @@ func (r *ConmonOCIRuntime) sharedConmonArgs(ctr *Container, cuuid, bundlePath, p args = append(args, "--log-tag", logTag) } if ctr.config.NoCgroups { - logrus.Debugf("Running with no CGroups") + logrus.Debugf("Running with no Cgroups") args = append(args, "--runtime-arg", "--cgroup-manager", "--runtime-arg", "disabled") } return args 
diff --git a/libpod/options.go b/libpod/options.go index 5cf7609e9..f32eb279d 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -217,7 +217,7 @@ func WithCgroupManager(manager string) RuntimeOption { } if manager != config.CgroupfsCgroupsManager && manager != config.SystemdCgroupsManager { - return errors.Wrapf(define.ErrInvalidArg, "CGroup manager must be one of %s and %s", + return errors.Wrapf(define.ErrInvalidArg, "Cgroup manager must be one of %s and %s", config.CgroupfsCgroupsManager, config.SystemdCgroupsManager) } @@ -945,7 +945,7 @@ func WithUTSNSFrom(nsCtr *Container) CtrCreateOption { } } -// WithCgroupNSFrom indicates the the container should join the CGroup namespace +// WithCgroupNSFrom indicates the the container should join the Cgroup namespace // of the given container. // If the container has joined a pod, it can only join the namespaces of // containers in the same pod. @@ -1080,7 +1080,7 @@ func WithLogTag(tag string) CtrCreateOption { } } -// WithCgroupsMode disables the creation of CGroups for the conmon process. +// WithCgroupsMode disables the creation of Cgroups for the conmon process. func WithCgroupsMode(mode string) CtrCreateOption { return func(ctr *Container) error { if ctr.valid { @@ -1864,7 +1864,7 @@ func WithPodCgroupParent(path string) PodCreateOption { // WithPodCgroups tells containers in this pod to use the cgroup created for // this pod. // This can still be overridden at the container level by explicitly specifying -// a CGroup parent. +// a Cgroup parent. func WithPodCgroups() PodCreateOption { return func(pod *Pod) error { if pod.valid { diff --git a/libpod/pod.go b/libpod/pod.go index 0e5ac4906..b159f6bc7 100644 --- a/libpod/pod.go +++ b/libpod/pod.go 
@@ -44,9 +44,9 @@ type PodConfig struct { // Labels contains labels applied to the pod Labels map[string]string `json:"labels"` - // CgroupParent contains the pod's CGroup parent + // CgroupParent contains the pod's Cgroup parent CgroupParent string `json:"cgroupParent"` - // UsePodCgroup indicates whether the pod will create its own CGroup and + // UsePodCgroup indicates whether the pod will create its own Cgroup and // join containers to it. // If true, all containers joined to the pod will use the pod cgroup as // their cgroup parent, and cannot set a different cgroup parent @@ -77,7 +77,7 @@ type PodConfig struct { // podState represents a pod's state type podState struct { - // CgroupPath is the path to the pod's CGroup + // CgroupPath is the path to the pod's Cgroup CgroupPath string `json:"cgroupPath"` // InfraContainerID is the container that holds pod namespace information // Most often an infra container @@ -237,7 +237,7 @@ func (p *Pod) CreateCommand() []string { return p.config.CreateCommand } -// CgroupParent returns the pod's CGroup parent +// CgroupParent returns the pod's Cgroup parent func (p *Pod) CgroupParent() string { return p.config.CgroupParent } @@ -289,7 +289,7 @@ func (p *Pod) Hostname() string { return p.config.Hostname } -// CgroupPath returns the path to the pod's CGroup +// CgroupPath returns the path to the pod's Cgroup func (p *Pod) CgroupPath() (string, error) { p.lock.Lock() defer p.lock.Unlock() @@ -315,7 +315,7 @@ func (p *Pod) CgroupPath() (string, error) { } if ctr != nil { ctr.Start(context.Background(), true) - cgroupPath, err := ctr.CGroupPath() + cgroupPath, err := ctr.CgroupPath() fmt.Println(cgroupPath) if err != nil { return "", errors.Wrapf(err, "could not get container cgroup") diff --git a/libpod/pod_internal.go b/libpod/pod_internal.go index d903b8719..eaa6eb14b 100644 --- a/libpod/pod_internal.go +++ b/libpod/pod_internal.go 
@@ -71,7 +71,7 @@ func (p *Pod) refresh() error { case config.SystemdCgroupsManager: cgroupPath, err := systemdSliceFromPath(p.config.CgroupParent, fmt.Sprintf("libpod_pod_%s", p.ID())) if err != nil { - logrus.Errorf("Creating CGroup for pod %s: %v", p.ID(), err) + logrus.Errorf("Creating Cgroup for pod %s: %v", p.ID(), err) } p.state.CgroupPath = cgroupPath case config.CgroupfsCgroupsManager: diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 252279485..15bca6133 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -344,8 +344,8 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai } } - // Check CGroup parent sanity, and set it if it was not set. - // Only if we're actually configuring CGroups. + // Check Cgroup parent sanity, and set it if it was not set. + // Only if we're actually configuring Cgroups. if !ctr.config.NoCgroups { ctr.config.CgroupManager = r.config.Engine.CgroupManager switch r.config.Engine.CgroupManager { @@ -391,7 +391,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai return nil, errors.Wrapf(define.ErrInvalidArg, "did not receive systemd slice as cgroup parent when using systemd to manage cgroups") } default: - return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) + return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported Cgroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) } } @@ -411,7 +411,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai g.RemoveMount("/run/.containerenv") g.RemoveMount("/run/secrets") - // Regenerate CGroup paths so they don't point to the old + // Regenerate Cgroup paths so they don't point to the old // container ID. cgroupPath, err := ctr.getOCICgroupPath() if err != nil { 
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go index ee59cd8c3..ea3eb53c4 100644 --- a/libpod/runtime_pod_linux.go +++ b/libpod/runtime_pod_linux.go @@ -61,7 +61,7 @@ func (r *Runtime) NewPod(ctx context.Context, p specgen.PodSpecGenerator, option pod.valid = true - // Check CGroup parent sanity, and set it if it was not set + // Check Cgroup parent sanity, and set it if it was not set switch r.config.Engine.CgroupManager { case config.CgroupfsCgroupsManager: canUseCgroup := !rootless.IsRootless() || isRootlessCgroupSet(pod.config.CgroupParent) @@ -105,7 +105,7 @@ func (r *Runtime) NewPod(ctx context.Context, p specgen.PodSpecGenerator, option } } default: - return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) + return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported Cgroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) } if pod.config.UsePodCgroup { @@ -226,12 +226,12 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool, } // We're going to be removing containers. - // If we are CGroupfs cgroup driver, to avoid races, we need to hit - // the pod and conmon CGroups with a PID limit to prevent them from + // If we are Cgroupfs cgroup driver, to avoid races, we need to hit + // the pod and conmon Cgroups with a PID limit to prevent them from // spawning any further processes (particularly cleanup processes) which - // would prevent removing the CGroups. + // would prevent removing the Cgroups. if p.runtime.config.Engine.CgroupManager == config.CgroupfsCgroupsManager { - // Get the conmon CGroup + // Get the conmon Cgroup conmonCgroupPath := filepath.Join(p.state.CgroupPath, "conmon") conmonCgroup, err := cgroups.Load(conmonCgroupPath) if err != nil && err != cgroups.ErrCgroupDeleted && err != cgroups.ErrCgroupV1Rootless { 
diff --git a/libpod/util_linux.go b/libpod/util_linux.go index ef871ef3d..9fee35823 100644 --- a/libpod/util_linux.go +++ b/libpod/util_linux.go @@ -43,7 +43,7 @@ func getDefaultSystemdCgroup() string { return SystemdDefaultCgroupParent } -// makeSystemdCgroup creates a systemd CGroup at the given location. +// makeSystemdCgroup creates a systemd Cgroup at the given location. func makeSystemdCgroup(path string) error { controller, err := cgroups.NewSystemd(getDefaultSystemdCgroup()) if err != nil { diff --git a/pkg/api/handlers/compat/containers_stats.go b/pkg/api/handlers/compat/containers_stats.go index a92fe9fe0..ad91a3a8e 100644 --- a/pkg/api/handlers/compat/containers_stats.go +++ b/pkg/api/handlers/compat/containers_stats.go @@ -109,7 +109,7 @@ streamLabel: // A label to flatten the scope return } // Cgroup stats - cgroupPath, err := ctnr.CGroupPath() + cgroupPath, err := ctnr.CgroupPath() if err != nil { logrus.Errorf("Unable to get cgroup path of container: %v", err) return diff --git a/pkg/api/handlers/compat/info.go b/pkg/api/handlers/compat/info.go index 777009f0a..dac1eb193 100644 --- a/pkg/api/handlers/compat/info.go +++ b/pkg/api/handlers/compat/info.go @@ -124,7 +124,7 @@ func GetInfo(w http.ResponseWriter, r *http.Request) { BuildahVersion: infoData.Host.BuildahVersion, CPURealtimePeriod: sysInfo.CPURealtimePeriod, CPURealtimeRuntime: sysInfo.CPURealtimeRuntime, - CgroupVersion: strings.TrimPrefix(infoData.Host.CGroupsVersion, "v"), + CgroupVersion: strings.TrimPrefix(infoData.Host.CgroupsVersion, "v"), Rootless: rootless.IsRootless(), SwapFree: infoData.Host.SwapFree, SwapTotal: infoData.Host.SwapTotal, diff --git a/pkg/api/handlers/types.go b/pkg/api/handlers/types.go index 3b821d9e7..d3a592bdf 100644 --- a/pkg/api/handlers/types.go +++ b/pkg/api/handlers/types.go 
@@ -148,7 +148,7 @@ type PodTopOKBody struct { // swagger:model PodCreateConfig type PodCreateConfig struct { Name string `json:"name"` - CGroupParent string `json:"cgroup-parent"` + CgroupParent string `json:"cgroup-parent"` Hostname string `json:"hostname"` Infra bool `json:"infra"` InfraCommand string `json:"infra-command"` diff --git a/pkg/domain/entities/engine.go b/pkg/domain/entities/engine.go index 055af7ff9..32faa74af 100644 --- a/pkg/domain/entities/engine.go +++ b/pkg/domain/entities/engine.go @@ -33,7 +33,7 @@ type PodmanConfig struct { *config.Config *pflag.FlagSet - CGroupUsage string // rootless code determines Usage message + CgroupUsage string // rootless code determines Usage message ConmonPath string // --conmon flag will set Engine.ConmonPath CPUProfile string // Hidden: Should CPU profile be taken EngineMode EngineMode // ABI or Tunneling mode diff --git a/pkg/domain/entities/pods.go b/pkg/domain/entities/pods.go index cc9476d79..60d171f86 100644 --- a/pkg/domain/entities/pods.go +++ b/pkg/domain/entities/pods.go @@ -118,7 +118,7 @@ type PodSpec struct { // The JSON tags below are made to match the respective field in ContainerCreateOptions for the purpose of mapping. // swagger:model PodCreateOptions type PodCreateOptions struct { - CGroupParent string `json:"cgroup_parent,omitempty"` + CgroupParent string `json:"cgroup_parent,omitempty"` CreateCommand []string `json:"create_command,omitempty"` Devices []string `json:"devices,omitempty"` DeviceReadBPs []string `json:"device_read_bps,omitempty"` @@ -159,8 +159,8 @@ type ContainerCreateOptions struct { CapAdd []string CapDrop []string CgroupNS string - CGroupsMode string - CGroupParent string `json:"cgroup_parent,omitempty"` + CgroupsMode string + CgroupParent string `json:"cgroup_parent,omitempty"` CIDFile string ConmonPIDFile string `json:"container_conmon_pidfile,omitempty"` CPUPeriod uint64 
@@ -172,7 +172,7 @@ type ContainerCreateOptions struct { CPUSetCPUs string `json:"cpuset_cpus,omitempty"` CPUSetMems string Devices []string `json:"devices,omitempty"` - DeviceCGroupRule []string + DeviceCgroupRule []string DeviceReadBPs []string `json:"device_read_bps,omitempty"` DeviceReadIOPs []string DeviceWriteBPs []string @@ -345,7 +345,7 @@ func ToPodSpecGen(s specgen.PodSpecGenerator, p *PodCreateOptions) (*specgen.Pod } // Cgroup - s.CgroupParent = p.CGroupParent + s.CgroupParent = p.CgroupParent // Resource config cpuDat := p.CPULimits() diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go index afd25d313..cab4c3c9a 100644 --- a/pkg/domain/infra/abi/containers.go +++ b/pkg/domain/infra/abi/containers.go @@ -989,7 +989,7 @@ func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.Conta report := entities.ContainerRunReport{Id: ctr.ID()} if logrus.GetLevel() == logrus.DebugLevel { - cgroupPath, err := ctr.CGroupPath() + cgroupPath, err := ctr.CgroupPath() if err == nil { logrus.Debugf("container %q has CgroupParent %q", ctr.ID(), cgroupPath) } diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go index 2c7b3c091..7b55a0cb3 100644 --- a/pkg/specgen/generate/container.go +++ b/pkg/specgen/generate/container.go @@ -229,6 +229,10 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat } } + if s.CgroupsMode == "" { + s.CgroupsMode = rtc.Cgroups() + } + // If caller did not specify Pids Limits load default if s.ResourceLimits == nil || s.ResourceLimits.Pids == nil { if s.CgroupsMode != "disabled" { diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index ee3a990fc..f72ffe80c 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go 
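Review bot: In the CompleteSpec hunk (pkg/specgen/generate/container.go) the value from `rtc.Cgroups()` is assigned to `s.CgroupsMode` without being checked against the modes the CLI documents ("enabled", "disabled", "no-conmon", "split"). The CLI rejects `--cgroups=split` in remote mode only when the flag was changed on the command line, so a `cgroups = "split"` or misspelled entry in containers.conf would reach this path unfiltered; whether a later validation step catches it is not visible here. The block that follows skips the default PID limit when the mode is "disabled", so this fallback now decides whether a container gets that limit, and it deserves a comment such as `// Fall back to the containers.conf cgroups default; "disabled" also skips the default pids limit below.` CompleteSpec's body starts and ends outside the hunk.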
@@ -152,7 +152,7 @@ func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool { return true } -func getCGroupPermissons(unmask []string) string { +func getCgroupPermissons(unmask []string) string { ro := "ro" rw := "rw" cgroup := "/sys/fs/cgroup" @@ -176,7 +176,7 @@ func getCGroupPermissons(unmask []string) string { // SpecGenToOCI returns the base configuration for the container. func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *libimage.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string, compatibleOptions *libpod.InfraInherit) (*spec.Spec, error) { - cgroupPerm := getCGroupPermissons(s.Unmask) + cgroupPerm := getCgroupPermissons(s.Unmask) g, err := generate.New("linux") if err != nil { @@ -357,7 +357,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt // set the devices cgroup when not running in a user namespace if !inUserNS && !s.Privileged { g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm") - for _, dev := range s.DeviceCGroupRule { + for _, dev := range s.DeviceCgroupRule { g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access) } } diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go index b6f2d6bf0..62b4725a7 100644 --- a/pkg/specgen/podspecgen.go +++ b/pkg/specgen/podspecgen.go @@ -183,7 +183,7 @@ type PodStorageConfig struct { // PodCgroupConfig contains configuration options about a pod's cgroups. // This will be expanded in future updates to pods. type PodCgroupConfig struct { - // CgroupParent is the parent for the CGroup that the pod will create. + // CgroupParent is the parent for the Cgroup that the pod will create. // This pod cgroup will, in turn, be the default cgroup parent for all // containers in the pod. // Optional. diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index 82721ba92..750fc875d 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go 
@@ -264,9 +264,9 @@ type ContainerStorageConfig struct { // Devices are devices that will be added to the container. // Optional. Devices []spec.LinuxDevice `json:"devices,omitempty"` - // DeviceCGroupRule are device cgroup rules that allow containers + // DeviceCgroupRule are device cgroup rules that allow containers // to use additional types of devices. - DeviceCGroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"` + DeviceCgroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"` // DevicesFrom is a way to ensure your container inherits device specific information from another container DevicesFrom []string `json:"devices_from,omitempty"` // HostDeviceList is used to recreate the mounted device on inherited containers @@ -390,7 +390,7 @@ type ContainerCgroupConfig struct { // CgroupsMode sets a policy for how cgroups will be created in the // container, including the ability to disable creation entirely. CgroupsMode string `json:"cgroups_mode,omitempty"` - // CgroupParent is the container's CGroup parent. + // CgroupParent is the container's Cgroup parent. // If not set, the default for the current cgroup driver will be used. // Optional. CgroupParent string `json:"cgroup_parent,omitempty"` diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go index 8e43cc50e..59ac19c2c 100644 --- a/pkg/specgenutil/specgen.go +++ b/pkg/specgenutil/specgen.go @@ -8,6 +8,7 @@ import ( "strings" "time" + "github.com/containers/common/pkg/config" "github.com/containers/image/v5/manifest" "github.com/containers/podman/v3/cmd/podman/parse" "github.com/containers/podman/v3/libpod/define" 
@@ -488,8 +489,17 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions if ld := c.LogDriver; len(ld) > 0 { s.LogConfiguration.Driver = ld } - s.CgroupParent = c.CGroupParent - s.CgroupsMode = c.CGroupsMode + s.CgroupParent = c.CgroupParent + s.CgroupsMode = c.CgroupsMode + if s.CgroupsMode == "" { + rtc, err := config.Default() + if err != nil { + return err + } + + s.CgroupsMode = rtc.Cgroups() + } + s.Groups = c.GroupAdd s.Hostname = c.Hostname @@ -587,12 +597,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions s.Devices = append(s.Devices, specs.LinuxDevice{Path: dev}) } - for _, rule := range c.DeviceCGroupRule { + for _, rule := range c.DeviceCgroupRule { dev, err := parseLinuxResourcesDeviceAccess(rule) if err != nil { return err } - s.DeviceCGroupRule = append(s.DeviceCGroupRule, dev) + s.DeviceCgroupRule = append(s.DeviceCgroupRule, dev) } s.Init = c.Init diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go index 838221dd5..d6bf66a50 100644 --- a/test/e2e/containers_conf_test.go +++ b/test/e2e/containers_conf_test.go @@ -83,7 +83,7 @@ var _ = Describe("Podman run", func() { }) It("podman Capabilities in containers.conf", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") cap := podmanTest.Podman([]string{"run", ALPINE, "grep", "CapEff", "/proc/self/status"}) cap.WaitWithDefaultTimeout() Expect(cap).Should(Exit(0)) @@ -123,7 +123,7 @@ var _ = Describe("Podman run", func() { }) verifyNSHandling := func(nspath, option string) { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") os.Setenv("CONTAINERS_CONF", "config/containers-ns.conf") if IsRemote() { podmanTest.RestartRemoteService() 
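Review bot: The new fallback in FillOutSpecGen (`if s.CgroupsMode == ""`) carries no comment saying where the value comes from, and the `config.Default()` error is returned without context. An empty mode now silently takes the containers.conf `cgroups` setting, so a host configured with `cgroups="disabled"` applies that mode to every create request that leaves the field unset; that should be readable at this spot. I would add `// Empty mode: fall back to the containers.conf "cgroups" setting so API callers get the host default.` above the `if`, and wrap the error in the file's existing error style with a message such as "loading containers.conf defaults". Whether the string returned by `rtc.Cgroups()` is checked against the accepted modes ("enabled", "disabled", "no-conmon", "split") is not visible here; presumably a later validation step does it, which is worth confirming. FillOutSpecGen starts and ends outside the hunk.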
@@ -484,4 +484,35 @@ var _ = Describe("Podman run", func() { Expect(result).Should(Exit(125)) Expect(result.ErrorToString()).To(ContainSubstring(errorString)) }) + + It("podman containers.conf cgroups=disabled", func() { + if !strings.Contains(podmanTest.OCIRuntime, "crun") { + Skip("FIXME: requires crun") + } + conffile := filepath.Join(podmanTest.TempDir, "container.conf") + + err := ioutil.WriteFile(conffile, []byte("[containers]\ncgroups=\"disabled\"\n"), 0755) + Expect(err).To(BeNil()) + + result := podmanTest.Podman([]string{"create", ALPINE, "true"}) + result.WaitWithDefaultTimeout() + Expect(result).Should(Exit(0)) + + inspect := podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.Cgroups }}", result.OutputToString()}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.OutputToString()).To(Not(Equal("disabled"))) + + os.Setenv("CONTAINERS_CONF", conffile) + if IsRemote() { + podmanTest.RestartRemoteService() + } + result = podmanTest.Podman([]string{"create", ALPINE, "true"}) + result.WaitWithDefaultTimeout() + Expect(result).Should(Exit(0)) + + inspect = podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.Cgroups }}", result.OutputToString()}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.OutputToString()).To(Equal("disabled")) + }) + }) diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go index 360b8c7fc..70b559222 100644 --- a/test/e2e/cp_test.go +++ b/test/e2e/cp_test.go @@ -94,7 +94,7 @@ var _ = Describe("Podman cp", func() { // Copy a file to the container, then back to the host in --pid=host It("podman cp --pid=host file", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") srcFile, err := ioutil.TempFile("", "") Expect(err).To(BeNil()) defer srcFile.Close() diff --git a/test/e2e/pod_infra_container_test.go b/test/e2e/pod_infra_container_test.go index 4a5a8c6b0..f4b99bb6b 100644 --- a/test/e2e/pod_infra_container_test.go 
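Review bot: In the new `podman containers.conf cgroups=disabled` test the first `inspect` is checked only with `Not(Equal("disabled"))`, which also passes when the inspect command fails and prints nothing; add `Expect(inspect).Should(Exit(0))` after each `inspect.WaitWithDefaultTimeout()`. The config file is written with mode `0755`, but a containers.conf needs no execute bit, so `0644` is enough. `CONTAINERS_CONF` is set with `os.Setenv` and not restored inside the test; presumably the suite's teardown resets it, but that code is outside the hunk.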
+++ b/test/e2e/pod_infra_container_test.go @@ -225,7 +225,7 @@ var _ = Describe("Podman pod create", func() { }) It("podman pod container can override pod pid NS", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") session := podmanTest.Podman([]string{"pod", "create", "--share", "pid"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) diff --git a/test/e2e/pod_kill_test.go b/test/e2e/pod_kill_test.go index 7ab62ec5d..0bd9aa0f1 100644 --- a/test/e2e/pod_kill_test.go +++ b/test/e2e/pod_kill_test.go @@ -128,7 +128,7 @@ var _ = Describe("Podman pod kill", func() { }) It("podman pod kill all", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") _, ec, podid := podmanTest.CreatePod(nil) Expect(ec).To(Equal(0)) diff --git a/test/e2e/pod_ps_test.go b/test/e2e/pod_ps_test.go index 4b2a3b66d..281aea9a9 100644 --- a/test/e2e/pod_ps_test.go +++ b/test/e2e/pod_ps_test.go @@ -174,7 +174,7 @@ var _ = Describe("Podman ps", func() { }) It("podman pod ps --ctr-names", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") _, ec, podid := podmanTest.CreatePod(nil) Expect(ec).To(Equal(0)) diff --git a/test/e2e/run_ns_test.go b/test/e2e/run_ns_test.go index db81cc1a7..7f4b58c0d 100644 --- a/test/e2e/run_ns_test.go +++ b/test/e2e/run_ns_test.go @@ -36,7 +36,7 @@ var _ = Describe("Podman run ns", func() { }) It("podman run pidns test", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") session := podmanTest.Podman([]string{"run", fedoraMinimal, "bash", "-c", "echo $$"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) 
@@ -115,7 +115,7 @@ var _ = Describe("Podman run ns", func() { }) It("podman run --ipc=host --pid=host", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") cmd := exec.Command("ls", "-l", "/proc/self/ns/pid") res, err := cmd.Output() Expect(err).To(BeNil()) diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index a6672d45e..5ae49a5c2 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -260,7 +260,7 @@ var _ = Describe("Podman run", func() { }) It("podman test --pid=host", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index e98f2c999..b461594c1 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go 
@@ -386,31 +386,31 @@ var _ = Describe("Podman run", func() { SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1") SkipIfRootless("/sys/fs/cgroup rw access is needed") - rwOnCGroups := "/sys/fs/cgroup cgroup2 rw" + rwOnCgroups := "/sys/fs/cgroup cgroup2 rw" session := podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup///", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", 
"--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "ls", "/sys/fs/cgroup"}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/toolbox_test.go b/test/e2e/toolbox_test.go index 40db5180a..72ada5c31 100644 --- a/test/e2e/toolbox_test.go +++ b/test/e2e/toolbox_test.go @@ -118,7 +118,7 @@ var _ = Describe("Toolbox-specific testing", func() { if podmanTest.RemoteTest { Skip("Shm size check does not work with a remote client") } - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") var session *PodmanSessionIntegration var cmd *exec.Cmd var hostShmSize, containerShmSize int |