summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-11-05 20:24:13 +0100
committerGitHub <noreply@github.com>2019-11-05 20:24:13 +0100
commit7eda1b08401ad9ab430261f2b2d236eb9a834454 (patch)
tree85342c71330e985dc92b29c96e6da8b7c52e4f4c
parenta904e21cf0213185fd115683dc2adc4baeff922a (diff)
parentb8514ca6f39e58c623a34440f20debe9d0e8053f (diff)
downloadpodman-7eda1b08401ad9ab430261f2b2d236eb9a834454.tar.gz
podman-7eda1b08401ad9ab430261f2b2d236eb9a834454.tar.bz2
podman-7eda1b08401ad9ab430261f2b2d236eb9a834454.zip
Merge pull request #4374 from giuseppe/create-cgroupns-by-default-on-cgroupsv2
namespaces: by default create cgroupns on cgroups v2
-rw-r--r--cmd/podman/common.go2
-rw-r--r--docs/source/markdown/podman-create.1.md4
-rw-r--r--docs/source/markdown/podman-run.1.md4
-rw-r--r--pkg/namespaces/namespaces.go5
-rw-r--r--pkg/spec/spec.go13
-rw-r--r--test/e2e/run_cgroup_parent_test.go6
6 files changed, 28 insertions, 6 deletions
diff --git a/cmd/podman/common.go b/cmd/podman/common.go
index 33a848553..37511641b 100644
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@@ -132,7 +132,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
"Drop capabilities from the container",
)
createFlags.String(
- "cgroupns", "host",
+ "cgroupns", "",
"cgroup namespace to use",
)
createFlags.String(
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 6617850fd..2e0dd934c 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -67,12 +67,14 @@ Drop Linux capabilities
**--cgroupns**=*mode*
-Set the cgroup namespace mode for the container, by default **host** is used.
+Set the cgroup namespace mode for the container.
**host**: use the host's cgroup namespace inside the container.
**container:<NAME|ID>**: join the namespace of the specified container.
**private**: create a new cgroup namespace.
**ns:<PATH>**: join the namespace at the specified path.
+If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the default is **private**.
+
**--cgroups**=*mode*
Determines whether the container will create CGroups.
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index d6d8f4c1e..8baa39570 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -81,12 +81,14 @@ Drop Linux capabilities
**--cgroupns**=*mode*
-Set the cgroup namespace mode for the container, by default **host** is used.
+Set the cgroup namespace mode for the container.
**host**: use the host's cgroup namespace inside the container.
**container:<NAME|ID>**: join the namespace of the specified container.
**private**: create a new cgroup namespace.
**ns:<PATH>**: join the namespace at the specified path.
+If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the default is **private**.
+
**--cgroups**=*mode*
Determines whether the container will create CGroups.
diff --git a/pkg/namespaces/namespaces.go b/pkg/namespaces/namespaces.go
index 9d1033b93..78b55bb2a 100644
--- a/pkg/namespaces/namespaces.go
+++ b/pkg/namespaces/namespaces.go
@@ -25,6 +25,11 @@ func (n CgroupMode) IsHost() bool {
return n == hostType
}
+// IsDefaultValue indicates whether the cgroup namespace has the default value.
+func (n CgroupMode) IsDefaultValue() bool {
+ return n == ""
+}
+
// IsNS indicates a cgroup namespace passed in by path (ns:<path>)
func (n CgroupMode) IsNS() bool {
return strings.HasPrefix(string(n), nsType)
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 86d701f7e..33e9ec076 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -631,6 +631,19 @@ func addIpcNS(config *CreateConfig, g *generate.Generator) error {
func addCgroupNS(config *CreateConfig, g *generate.Generator) error {
cgroupMode := config.CgroupMode
+
+ if cgroupMode.IsDefaultValue() {
+ // If the value is not specified, default to "private" on cgroups v2 and "host" on cgroups v1.
+ unified, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ return err
+ }
+ if unified {
+ cgroupMode = "private"
+ } else {
+ cgroupMode = "host"
+ }
+ }
if cgroupMode.IsNS() {
return g.AddOrReplaceLinuxNamespace(string(spec.CgroupNamespace), NS(string(cgroupMode)))
}
diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go
index 1fb9f6871..14294eeac 100644
--- a/test/e2e/run_cgroup_parent_test.go
+++ b/test/e2e/run_cgroup_parent_test.go
@@ -40,7 +40,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
Skip("Must be containerized to run this test.")
}
cgroup := "/zzz"
- run := podmanTest.Podman([]string{"run", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/self/cgroup"})
+ run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/self/cgroup"})
run.WaitWithDefaultTimeout()
Expect(run.ExitCode()).To(Equal(0))
ok, _ := run.GrepString(cgroup)
@@ -52,7 +52,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
if !Containerized() && podmanTest.CgroupManager != "cgroupfs" {
cgroup = "/machine.slice"
}
- run := podmanTest.Podman([]string{"run", fedoraMinimal, "cat", "/proc/self/cgroup"})
+ run := podmanTest.Podman([]string{"run", "--cgroupns=host", fedoraMinimal, "cat", "/proc/self/cgroup"})
run.WaitWithDefaultTimeout()
Expect(run.ExitCode()).To(Equal(0))
ok, _ := run.GrepString(cgroup)
@@ -64,7 +64,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
Skip("Requires Systemd cgroup manager support")
}
cgroup := "aaaa.slice"
- run := podmanTest.Podman([]string{"run", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/1/cgroup"})
+ run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/1/cgroup"})
run.WaitWithDefaultTimeout()
Expect(run.ExitCode()).To(Equal(0))
ok, _ := run.GrepString(cgroup)