authoropenshift-ci[bot] <75433959+openshift-ci[bot]@users.noreply.github.com>2022-06-29 13:00:03 +0000
committerGitHub <noreply@github.com>2022-06-29 13:00:03 +0000
commitdd924c4078c1c0b3167b4f5bf8975ef4d6bc9e26 (patch)
treeddcc66a9bedfea48a36f9edd107f05403cfbe114
parent6e910a08dbbf5f74b7aeb184669c94e4c4d08228 (diff)
parent7f994a80de4e416fdfc347737ba9a65b056555c4 (diff)
Merge pull request #14764 from cdoern/cgroup
limit cgroupfs when rootless
-rw-r--r--libpod/runtime_pod_linux.go33
1 files changed, 18 insertions, 15 deletions
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go
index 00017ca21..1f9ebe724 100644
--- a/libpod/runtime_pod_linux.go
+++ b/libpod/runtime_pod_linux.go
@@ -78,21 +78,24 @@ func (r *Runtime) NewPod(ctx context.Context, p specgen.PodSpecGenerator, option
pod.state.CgroupPath = filepath.Join(pod.config.CgroupParent, pod.ID())
if p.InfraContainerSpec != nil {
p.InfraContainerSpec.CgroupParent = pod.state.CgroupPath
- res, err := GetLimits(p.InfraContainerSpec.ResourceLimits)
- if err != nil {
- return nil, err
- }
- // Need to both create and update the cgroup
- // rather than create a new path in c/common for pod cgroup creation
- // just create as if it is a ctr and then update figures out that we need to
- // populate the resource limits on the pod level
- cgc, err := cgroups.New(pod.state.CgroupPath, &res)
- if err != nil {
- return nil, err
- }
- err = cgc.Update(&res)
- if err != nil {
- return nil, err
+ // cgroupfs + rootless = permission denied when creating the cgroup.
+ if !rootless.IsRootless() {
+ res, err := GetLimits(p.InfraContainerSpec.ResourceLimits)
+ if err != nil {
+ return nil, err
+ }
+ // Need to both create and update the cgroup
+ // rather than create a new path in c/common for pod cgroup creation
+ // just create as if it is a ctr and then update figures out that we need to
+ // populate the resource limits on the pod level
+ cgc, err := cgroups.New(pod.state.CgroupPath, &res)
+ if err != nil {
+ return nil, err
+ }
+ err = cgc.Update(&res)
+ if err != nil {
+ return nil, err
+ }
}
}
}
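Review bot: When the process is rootless, the new `if !rootless.IsRootless()` guard skips `GetLimits`, `cgroups.New` and `cgc.Update` without any message, so limits set in `p.InfraContainerSpec.ResourceLimits` are silently dropped and the caller still gets a pod as if they were enforced. Because those limits are what contains a runaway workload, the skip should be visible: add an else branch such as `} else if p.InfraContainerSpec.ResourceLimits != nil { logrus.Warn("pod resource limits are not applied for rootless pods using cgroupfs") }` (assuming logrus is this file's logger), or return an error if limits must never be ignored. The comment names "cgroupfs + rootless" but the condition tests only rootless; the enclosing case and the rest of `NewPod` lie outside the hunk, so it is worth confirming that this branch is reached only for the cgroupfs manager. `pod.state.CgroupPath` and `CgroupParent` are still set to a path that is now never created for rootless pods, which later code may assume exists.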