From 7b4afbf621a787ead00ae83bdaebabeec3b0c707 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Tue, 12 Jul 2022 11:47:30 +0200
Subject: podman: always call into SetupRootless

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/domain/infra/abi/system.go | 4 ++++
 1 file changed, 4 insertions(+)


diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 0faae01c8..eed80dd79 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -67,6 +67,10 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
 }
 
 func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error {
+	if !rootless.IsRootless() {
+		return nil
+	}
+
 	// do it only after podman has already re-execed and running with uid==0.
 	hasCapSysAdmin, err := unshare.HasCapSysAdmin()
 	if err != nil {
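Review bot: The new early return on `!rootless.IsRootless()` turns SetupRootless into a no-op for root callers, but the function still carries no doc comment, so the point of this commit (callers may now invoke it unconditionally instead of gating on rootless themselves) is only recorded in the subject line. Suggest a doc comment above the signature, for example `// SetupRootless performs the rootless-specific setup for the current process. It is safe to call unconditionally: when podman is not running rootless it returns nil without doing anything.` The body of SetupRootless continues past the end of this hunk.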
-- 
cgit v1.2.3-54-g00ecf


From e3419c03245c5639d457cb27f4081cee400f3a36 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Tue, 12 Jul 2022 11:12:27 +0200
Subject: abi: create new cgroup when running in a container

If podman is running in the root cgroup, it creates a new sub-cgroup and moves itself there.

[NO NEW TESTS NEEDED] it needs nested podman

Closes: https://github.com/containers/podman/issues/14884

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/domain/infra/abi/system.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)


diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index eed80dd79..3389abd88 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -67,6 +67,18 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
 }
 
 func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool) error {
+	runsUnderSystemd := utils.RunsOnSystemd()
+	if !runsUnderSystemd {
+		isPid1 := os.Getpid() == 1
+		if _, found := os.LookupEnv("container"); isPid1 || found {
+			if err := utils.MaybeMoveToSubCgroup(); err != nil {
+				// it is a best effort operation, so just print the
+				// error for debugging purposes.
+				logrus.Debugf("Could not move to subcgroup: %v", err)
+			}
+		}
+	}
+
 	if !rootless.IsRootless() {
 		return nil
 	}
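Review bot: The in-container test in the new block mixes a precomputed `isPid1` with a `found` bound in the `if` initializer, which hides that the decision rests on the `container` environment variable, a conventional hint that any parent process can set or clear rather than an authoritative signal; since the only consequence is a best-effort cgroup move that is logged at debug level on failure, the risk is low, but the heuristic deserves a comment. Suggest `// Heuristic: PID 1 or a "container" env var (set by most container runtimes) suggests we own the cgroup root; the move is best effort.` followed by `_, inContainerEnv := os.LookupEnv("container")` and `if os.Getpid() == 1 || inContainerEnv {` in place of the two current lines. Hoisting `runsUnderSystemd` to the top of the function is consistent with the later hunk that drops its recomputation. The function continues past the end of this hunk.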
@@ -86,7 +98,6 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 			if err != nil {
 				return err
 			}
-			runsUnderSystemd := utils.RunsOnSystemd()
 			unitName := fmt.Sprintf("podman-%d.scope", os.Getpid())
 			if runsUnderSystemd || conf.Engine.CgroupManager == config.SystemdCgroupsManager {
 				if err := utils.RunUnderSystemdScope(os.Getpid(), "user.slice", unitName); err != nil {
-- 
cgit v1.2.3-54-g00ecf