podman: add option --cgroup-conf

it allows to manually tweak the configuration for cgroup v2.

we will expose some of the options in future as single
options (e.g. the new memory knobs), but for now add the more generic
--cgroup-conf mechanism for maximum control on the cgroup
configuration.

OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040

Requires: https://github.com/containers/crun/pull/459

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

2 files changed, 10 insertions, 0 deletions

diff --git a/pkg/specgen/generate/validate.go b/pkg/specgen/generate/validate.go
index dca45cc0e..ed337321b 100644
--- a/pkg/specgen/generate/validate.go
+++ b/pkg/specgen/generate/validate.go
@@ -23,6 +23,12 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
 		return warnings, nil
 	}
 
+	if s.ResourceLimits.Unified != nil {
+		if !cgroup2 {
+			return nil, errors.New("Cannot use --cgroup-conf without cgroup v2")
+		}
+	}
+
 	// Memory checks
 	if s.ResourceLimits.Memory != nil {
 		memory := s.ResourceLimits.Memory
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index a9161071b..a52225f87 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -415,6 +415,10 @@ type ContainerResourceConfig struct {
 	ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`
 	// IO write rate limit per cgroup per device, IO per second
 	ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`
+	// CgroupConf are key-value options passed into the container runtime
+	// that are used to configure cgroup v2.
+	// Optional.
+	CgroupConf map[string]string `json:"unified,omitempty"`
 }
 
 // ContainerHealthCheckConfig describes a container healthcheck with attributes