diff options
| -rw-r--r-- | cmd/podman/common/completion.go | 3 | ||||
| -rw-r--r-- | cmd/podman/common/create.go | 4 | ||||
| -rw-r--r-- | cmd/podman/root.go | 3 | ||||
| -rw-r--r-- | cmd/podman/system/service_abi.go | 23 | ||||
| -rw-r--r-- | docs/source/markdown/podman-container-clone.1.md | 2 | ||||
| -rw-r--r-- | docs/source/markdown/podman-create.1.md | 2 | ||||
| -rw-r--r-- | docs/source/markdown/podman-run.1.md | 2 | ||||
| -rw-r--r-- | pkg/domain/infra/abi/system.go | 17 | ||||
| -rw-r--r-- | test/e2e/build/Containerfile.with-platform | 1 | ||||
| -rw-r--r-- | test/e2e/run_cpu_test.go | 2 | ||||
| -rw-r--r-- | utils/utils.go | 30 |
11 files changed, 56 insertions, 33 deletions
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go index 6e6c33f9b..02369c74a 100644 --- a/cmd/podman/common/completion.go +++ b/cmd/podman/common/completion.go @@ -18,7 +18,6 @@ import ( "github.com/containers/podman/v4/libpod/define" "github.com/containers/podman/v4/libpod/events" "github.com/containers/podman/v4/pkg/domain/entities" - "github.com/containers/podman/v4/pkg/rootless" "github.com/containers/podman/v4/pkg/signal" systemdDefine "github.com/containers/podman/v4/pkg/systemd/define" "github.com/containers/podman/v4/pkg/util" @@ -54,7 +53,7 @@ func setupContainerEngine(cmd *cobra.Command) (entities.ContainerEngine, error) cobra.CompErrorln(err.Error()) return nil, err } - if !registry.IsRemote() && rootless.IsRootless() { + if !registry.IsRemote() { _, noMoveProcess := cmd.Annotations[registry.NoMoveProcess] err := containerEngine.SetupRootless(registry.Context(), noMoveProcess) diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index 923d0517f..d2646aa43 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -849,9 +849,9 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, _ = cmd.RegisterFlagCompletionFunc(cpuRtRuntimeFlagName, completion.AutocompleteNone) cpuSharesFlagName := "cpu-shares" - createFlags.Uint64Var( + createFlags.Uint64VarP( &cf.CPUShares, - cpuSharesFlagName, 0, + cpuSharesFlagName, "c", 0, "CPU shares (relative weight)", ) _ = cmd.RegisterFlagCompletionFunc(cpuSharesFlagName, completion.AutocompleteNone) diff --git a/cmd/podman/root.go b/cmd/podman/root.go index f28d92e2f..0520a0784 100644 --- a/cmd/podman/root.go +++ b/cmd/podman/root.go @@ -19,7 +19,6 @@ import ( "github.com/containers/podman/v4/pkg/checkpoint/crutils" "github.com/containers/podman/v4/pkg/domain/entities" "github.com/containers/podman/v4/pkg/parallel" - "github.com/containers/podman/v4/pkg/rootless" "github.com/containers/podman/v4/version" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -265,7 +264,7 @@ func persistentPreRunE(cmd *cobra.Command, args []string) error { // 2) running as non-root // 3) command doesn't require Parent Namespace _, found := cmd.Annotations[registry.ParentNSRequired] - if !registry.IsRemote() && rootless.IsRootless() && !found { + if !registry.IsRemote() && !found { _, noMoveProcess := cmd.Annotations[registry.NoMoveProcess] err := registry.ContainerEngine().SetupRootless(registry.Context(), noMoveProcess) if err != nil { diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go index 6823d77ba..8d0240a8d 100644 --- a/cmd/podman/system/service_abi.go +++ b/cmd/podman/system/service_abi.go @@ -11,7 +11,6 @@ import ( "os" "path/filepath" - "github.com/containers/common/pkg/cgroups" "github.com/containers/podman/v4/cmd/podman/registry" api "github.com/containers/podman/v4/pkg/api/server" "github.com/containers/podman/v4/pkg/domain/entities" @@ -24,26 +23,6 @@ import ( "golang.org/x/sys/unix" ) -// maybeMoveToSubCgroup moves the current process in a sub cgroup when -// it is running in the root cgroup on a system that uses cgroupv2. -func maybeMoveToSubCgroup() error { - unifiedMode, err := cgroups.IsCgroup2UnifiedMode() - if err != nil { - return err - } - if !unifiedMode { - return nil - } - cgroup, err := utils.GetOwnCgroup() - if err != nil { - return err - } - if cgroup == "/" { - return utils.MoveUnderCgroupSubtree("init") - } - return nil -} - func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities.ServiceOptions) error { var ( listener net.Listener @@ -125,7 +104,7 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities return err } - if err := maybeMoveToSubCgroup(); err != nil { + if err := utils.MaybeMoveToSubCgroup(); err != nil { return err } diff --git a/docs/source/markdown/podman-container-clone.1.md b/docs/source/markdown/podman-container-clone.1.md index 6d552db75..c0c8d8631 100644 --- a/docs/source/markdown/podman-container-clone.1.md +++ b/docs/source/markdown/podman-container-clone.1.md @@ -61,7 +61,7 @@ The sum of all runtimes across containers cannot exceed the amount allotted to t This option is not supported on cgroups V2 systems. -#### **--cpu-shares**=*shares* +#### **--cpu-shares**, **-c**=*shares* CPU shares (relative weight) diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 9bee25220..69c28ebd2 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -201,7 +201,7 @@ The sum of all runtimes across containers cannot exceed the amount allotted to t This flag is not supported on cgroups V2 systems. -#### **--cpu-shares**=*shares* +#### **--cpu-shares**, **-c**=*shares* CPU shares (relative weight) diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index a6285d4e0..c3a8ab8ea 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -220,7 +220,7 @@ The sum of all runtimes across containers cannot exceed the amount allotted to t This flag is not supported on cgroups V2 systems. -#### **--cpu-shares**=*shares* +#### **--cpu-shares**, **-c**=*shares* CPU shares (relative weight). diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index 0faae01c8..3389abd88 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -67,6 +67,22 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) { } func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error { + runsUnderSystemd := utils.RunsOnSystemd() + if !runsUnderSystemd { + isPid1 := os.Getpid() == 1 + if _, found := os.LookupEnv("container"); isPid1 || found { + if err := utils.MaybeMoveToSubCgroup(); err != nil { + // it is a best effort operation, so just print the + // error for debugging purposes. + logrus.Debugf("Could not move to subcgroup: %v", err) + } + } + } + + if !rootless.IsRootless() { + return nil + } + // do it only after podman has already re-execed and running with uid==0. hasCapSysAdmin, err := unshare.HasCapSysAdmin() if err != nil { @@ -82,7 +98,6 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) if err != nil { return err } - runsUnderSystemd := utils.RunsOnSystemd() unitName := fmt.Sprintf("podman-%d.scope", os.Getpid()) if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager { if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil { diff --git a/test/e2e/build/Containerfile.with-platform b/test/e2e/build/Containerfile.with-platform index 3bb585a0a..0b030d13c 100644 --- a/test/e2e/build/Containerfile.with-platform +++ b/test/e2e/build/Containerfile.with-platform @@ -1 +1,2 @@ +ARG TARGETPLATFORM FROM --platform=$TARGETPLATFORM alpine diff --git a/test/e2e/run_cpu_test.go b/test/e2e/run_cpu_test.go index b21be5729..e57eb3b26 100644 --- a/test/e2e/run_cpu_test.go +++ b/test/e2e/run_cpu_test.go @@ -94,7 +94,7 @@ var _ = Describe("Podman run cpu", func() { Expect(result).Should(Exit(0)) Expect(result.OutputToString()).To(Equal("10000")) } else { - result := podmanTest.Podman([]string{"run", "--rm", "--cpu-shares=2", ALPINE, "cat", "/sys/fs/cgroup/cpu/cpu.shares"}) + result := podmanTest.Podman([]string{"run", "--rm", "-c", "2", ALPINE, "cat", "/sys/fs/cgroup/cpu/cpu.shares"}) result.WaitWithDefaultTimeout() Expect(result).Should(Exit(0)) Expect(result.OutputToString()).To(Equal("2")) diff --git a/utils/utils.go b/utils/utils.go index 997de150d..aa1c6a958 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -190,3 +190,33 @@ func MovePauseProcessToScope(pausePidPath string) { } } } + +var ( + maybeMoveToSubCgroupSync sync.Once + maybeMoveToSubCgroupSyncErr error +) + +// MaybeMoveToSubCgroup moves the current process in a sub cgroup when +// it is running in the root cgroup on a system that uses cgroupv2. +func MaybeMoveToSubCgroup() error { + maybeMoveToSubCgroupSync.Do(func() { + unifiedMode, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + maybeMoveToSubCgroupSyncErr = err + return + } + if !unifiedMode { + maybeMoveToSubCgroupSyncErr = nil + return + } + cgroup, err := GetOwnCgroup() + if err != nil { + maybeMoveToSubCgroupSyncErr = err + return + } + if cgroup == "/" { + maybeMoveToSubCgroupSyncErr = MoveUnderCgroupSubtree("init") + } + }) + return maybeMoveToSubCgroupSyncErr +} |