podman: add new option --cgroups=no-conmon

it allows to disable cgroups creation only for the conmon process. A new cgroup is created for the container payload. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
author: Giuseppe Scrivano <gscrivan@redhat.com> 2020-01-14 15:05:12 +0100
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2020-01-16 18:56:51 +0100
commit: ba0a6f34e349bfb5cf70cb2062522e6af1b9578c (patch)
tree: b74d4b895ac5b39d4b1f6448aab2fd8c7ac7dbcc
parent: 30245affe9881fdedc869ccb68faa3e2f5fb9366 (diff)
download: podman-ba0a6f34e349bfb5cf70cb2062522e6af1b9578c.tar.gz
podman-ba0a6f34e349bfb5cf70cb2062522e6af1b9578c.tar.bz2
podman-ba0a6f34e349bfb5cf70cb2062522e6af1b9578c.zip
8 files changed, 31 insertions, 19 deletions
diff --git a/cmd/podman/common.go b/cmd/podman/common.go
index 8690be64f..f3aff1d49 100644
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@@ -158,7 +158,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 	)
 	createFlags.String(
 		"cgroups", "enabled",
-		"control container cgroup configuration",
+		`control container cgroup configuration ("enabled"|"disabled"|"no-conmon")`,
 	)
 	createFlags.String(
 		"cgroup-parent", "",
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 0236e30ba..7f0c2260c 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -78,8 +78,9 @@ If the host uses cgroups v1, the default is set to **host**.  On cgroups v2 the
 **--cgroups**=*mode*
 
 Determines whether the container will create CGroups.
-Valid values are *enabled* and *disabled*, which the default being *enabled*.
+Valid values are *enabled*, *disabled*, *no-conmon*, which the default being *enabled*.
 The *disabled* option will force the container to not create CGroups, and thus conflicts with CGroup options (**--cgroupns** and **--cgroup-parent**).
+The *no-conmon* option disables a new CGroup only for the conmon process.
 
 **--cgroup-parent**=*path*
 
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index f613e6668..2b1452b53 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -92,8 +92,9 @@ If the host uses cgroups v1, the default is set to **host**.  On cgroups v2 the
 **--cgroups**=*mode*
 
 Determines whether the container will create CGroups.
-Valid values are *enabled* and *disabled*, which the default being *enabled*.
+Valid values are *enabled*, *disabled*, *no-conmon*, which the default being *enabled*.
 The *disabled* option will force the container to not create CGroups, and thus conflicts with CGroup options (**--cgroupns** and **--cgroup-parent**).
+The *no-conmon* option disables a new CGroup only for the conmon process.
 
 **--cgroup-parent**=*cgroup*
 
diff --git a/libpod/container.go b/libpod/container.go
index b3cb6334a..f29cebf20 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -373,8 +373,11 @@ type ContainerConfig struct {
 	// Time container was created
 	CreatedTime time.Time `json:"createdTime"`
 	// NoCgroups indicates that the container will not create CGroups. It is
-	// incompatible with CgroupParent.
+	// incompatible with CgroupParent.  Deprecated in favor of CgroupsMode.
 	NoCgroups bool `json:"noCgroups,omitempty"`
+	// CgroupsMode indicates how the container will create cgroups
+	// (disabled, no-conmon, enabled).  It supersedes NoCgroups.
+	CgroupsMode string `json:"cgroupsMode,omitempty"`
 	// Cgroup parent of the container
 	CgroupParent string `json:"cgroupParent"`
 	// LogPath log location
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 5ab0e73c4..7c7ec8b2c 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1297,11 +1297,17 @@ func startCommandGivenSelinux(cmd *exec.Cmd) error {
 // it then signals for conmon to start by sending nonse data down the start fd
 func (r *ConmonOCIRuntime) moveConmonToCgroupAndSignal(ctr *Container, cmd *exec.Cmd, startFd *os.File) error {
 	mustCreateCgroup := true
-	// If cgroup creation is disabled - just signal.
+
 	if ctr.config.NoCgroups {
 		mustCreateCgroup = false
 	}
 
+	// If cgroup creation is disabled - just signal.
+	switch ctr.config.CgroupsMode {
+	case "disabled", "no-conmon":
+		mustCreateCgroup = false
+	}
+
 	if mustCreateCgroup {
 		cgroupParent := ctr.CgroupParent()
 		if r.cgroupManager == define.SystemdCgroupsManager {
diff --git a/libpod/options.go b/libpod/options.go
index 8bc5a541d..593037382 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1078,25 +1078,26 @@ func WithLogTag(tag string) CtrCreateOption {
 
 }
 
-// WithNoCgroups disables the creation of CGroups for the new container.
-func WithNoCgroups() CtrCreateOption {
+// WithCgroupsMode disables the creation of CGroups for the conmon process.
+func WithCgroupsMode(mode string) CtrCreateOption {
 	return func(ctr *Container) error {
 		if ctr.valid {
 			return define.ErrCtrFinalized
 		}
 
-		if ctr.config.CgroupParent != "" {
-			return errors.Wrapf(define.ErrInvalidArg, "NoCgroups conflicts with CgroupParent")
-		}
-
-		if ctr.config.PIDNsCtr != "" {
-			return errors.Wrapf(define.ErrInvalidArg, "NoCgroups requires a private PID namespace and cannot be used when PID namespace is shared with another container")
+		switch mode {
+		case "disabled":
+			ctr.config.NoCgroups = true
+			ctr.config.CgroupsMode = mode
+		case "enabled", "no-conmon":
+			ctr.config.CgroupsMode = mode
+		default:
+			return errors.Wrapf(define.ErrInvalidArg, "Invalid cgroup mode %q", mode)
 		}
 
-		ctr.config.NoCgroups = true
-
 		return nil
 	}
+
 }
 
 // WithCgroupParent sets the Cgroup Parent of the new container.
diff --git a/pkg/spec/namespaces.go b/pkg/spec/namespaces.go
index e62d4ed0a..1f98e6e25 100644
--- a/pkg/spec/namespaces.go
+++ b/pkg/spec/namespaces.go
@@ -213,8 +213,8 @@ func (c *CgroupConfig) ToCreateOptions(runtime *libpod.Runtime) ([]libpod.CtrCre
 		options = append(options, libpod.WithCgroupParent(c.CgroupParent))
 	}
 
-	if c.Cgroups == "disabled" {
-		options = append(options, libpod.WithNoCgroups())
+	if c.Cgroups != "" {
+		options = append(options, libpod.WithCgroupsMode(c.Cgroups))
 	}
 
 	return options, nil
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 7a220012f..cae055bb0 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -358,10 +358,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 			return nil, errors.New("cannot specify resource limits when cgroups are disabled is specified")
 		}
 		configSpec.Linux.Resources = &spec.LinuxResources{}
-	case "enabled", "":
+	case "enabled", "no-conmon", "":
 		// Do nothing
 	default:
-		return nil, errors.New("unrecognized option for cgroups; supported are 'default' and 'disabled'")
+		return nil, errors.New("unrecognized option for cgroups; supported are 'default', 'disabled', 'no-conmon'")
 	}
 
 	// Add annotations
author	Giuseppe Scrivano <gscrivan@redhat.com>	2020-01-14 15:05:12 +0100
committer	Giuseppe Scrivano <gscrivan@redhat.com>	2020-01-16 18:56:51 +0100
commit	ba0a6f34e349bfb5cf70cb2062522e6af1b9578c (patch)
tree	b74d4b895ac5b39d4b1f6448aab2fd8c7ac7dbcc
parent	30245affe9881fdedc869ccb68faa3e2f5fb9366 (diff)
download	podman-ba0a6f34e349bfb5cf70cb2062522e6af1b9578c.tar.gz podman-ba0a6f34e349bfb5cf70cb2062522e6af1b9578c.tar.bz2 podman-ba0a6f34e349bfb5cf70cb2062522e6af1b9578c.zip