From a15dfb3648b903fa61c299347b315ad8302d8e15 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 13 Jan 2022 14:51:06 -0500
Subject: Standardize on capatalized Cgroups

Signed-off-by: Daniel J Walsh
---
 pkg/specgen/generate/oci.go | 6 +++---
 pkg/specgen/podspecgen.go | 2 +-
 pkg/specgen/specgen.go | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)
(limited to 'pkg/specgen')
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index ee3a990fc..f72ffe80c 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -152,7 +152,7 @@ func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool {
 return true
 }
-func getCGroupPermissons(unmask []string) string {
+func getCgroupPermissons(unmask []string) string {
 ro := "ro"
 rw := "rw"
 cgroup := "/sys/fs/cgroup"
@@ -176,7 +176,7 @@ func getCGroupPermissons(unmask []string) string {
 // SpecGenToOCI returns the base configuration for the container.
 func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *libimage.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string, compatibleOptions *libpod.InfraInherit) (*spec.Spec, error) {
- cgroupPerm := getCGroupPermissons(s.Unmask)
+ cgroupPerm := getCgroupPermissons(s.Unmask)
 g, err := generate.New("linux")
 if err != nil {
@@ -357,7 +357,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 // set the devices cgroup when not running in a user namespace
 if !inUserNS && !s.Privileged {
 g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
- for _, dev := range s.DeviceCGroupRule {
+ for _, dev := range s.DeviceCgroupRule {
 g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
 }
 }
diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go
index b6f2d6bf0..62b4725a7 100644
--- a/pkg/specgen/podspecgen.go
+++ b/pkg/specgen/podspecgen.go
@@ -183,7 +183,7 @@ type PodStorageConfig struct {
 // PodCgroupConfig contains configuration options about a pod's cgroups.
 // This will be expanded in future updates to pods.
 type PodCgroupConfig struct {
- // CgroupParent is the parent for the CGroup that the pod will create.
+ // CgroupParent is the parent for the Cgroup that the pod will create.
 // This pod cgroup will, in turn, be the default cgroup parent for all
 // containers in the pod.
 // Optional.
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 82721ba92..750fc875d 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -264,9 +264,9 @@ type ContainerStorageConfig struct {
 // Devices are devices that will be added to the container.
 // Optional.
 Devices []spec.LinuxDevice `json:"devices,omitempty"`
- // DeviceCGroupRule are device cgroup rules that allow containers
+ // DeviceCgroupRule are device cgroup rules that allow containers
 // to use additional types of devices.
- DeviceCGroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"`
+ DeviceCgroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"`
 // DevicesFrom is a way to ensure your container inherits device specific information from another container
 DevicesFrom []string `json:"devices_from,omitempty"`
 // HostDeviceList is used to recreate the mounted device on inherited containers
@@ -390,7 +390,7 @@ type ContainerCgroupConfig struct {
 // CgroupsMode sets a policy for how cgroups will be created in the
 // container, including the ability to disable creation entirely.
 CgroupsMode string `json:"cgroups_mode,omitempty"`
- // CgroupParent is the container's CGroup parent.
+ // CgroupParent is the container's Cgroup parent.
 // If not set, the default for the current cgroup driver will be used.
 // Optional.
 CgroupParent string `json:"cgroup_parent,omitempty"`
--
cgit v1.2.3-54-g00ecf
From 607cb80bf77642c02b80bff56aa4c3e396a91fa0 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 13 Jan 2022 14:52:56 -0500
Subject: Fix cgroup mode handling in api server

Also change code to globably be consistent when refering to capatilized Cgroup.
Fixed: https://github.com/containers/podman/issues/12550
Signed-off-by: Daniel J Walsh
---
 pkg/specgen/generate/container.go | 4 ++++
 pkg/specgenutil/specgen.go | 9 +++++++++
 test/e2e/containers_conf_test.go | 31 +++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
(limited to 'pkg/specgen')
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index 2c7b3c091..7b55a0cb3 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -229,6 +229,10 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 }
 }
+ if s.CgroupsMode == "" {
+ s.CgroupsMode = rtc.Cgroups()
+ }
+
 // If caller did not specify Pids Limits load default
 if s.ResourceLimits == nil || s.ResourceLimits.Pids == nil {
 if s.CgroupsMode != "disabled" {
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index bb9d5d1f9..59ac19c2c 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -8,6 +8,7 @@ import (
 "strings"
 "time"
+ "github.com/containers/common/pkg/config"
 "github.com/containers/image/v5/manifest"
 "github.com/containers/podman/v3/cmd/podman/parse"
 "github.com/containers/podman/v3/libpod/define"
@@ -490,6 +491,14 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 }
 s.CgroupParent = c.CgroupParent
 s.CgroupsMode = c.CgroupsMode
+ if s.CgroupsMode == "" {
+ rtc, err := config.Default()
+ if err != nil {
+ return err
+ }
+
+ s.CgroupsMode = rtc.Cgroups()
+ }
 s.Groups = c.GroupAdd
diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go
index a4fea0b9e..d6bf66a50 100644
--- a/test/e2e/containers_conf_test.go
+++ b/test/e2e/containers_conf_test.go
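Review bot: The fallback added to CompleteSpec in pkg/specgen/generate/container.go has no comment saying why it must run before the pids-limit default, although the `if s.CgroupsMode != "disabled"` check directly below it branches on the value it sets. I would add `// Resolve an unset cgroups mode from containers.conf first; the pids-limit default below branches on it.` above the new `if`. The string returned by `rtc.Cgroups()` is used here without validation; presumably it is checked later in the create path, but that is not visible in this hunk and is worth confirming, because any value other than the exact literal "disabled" takes the limit path. CompleteSpec starts and ends outside the hunk, including the place where `rtc` is obtained.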
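Review bot: In FillOutSpecGen (pkg/specgenutil/specgen.go, hunk at -490) the empty-mode fallback calls `config.Default()` itself, so the cgroups mode is resolved from whichever containers.conf the calling process sees. If this function also runs in the remote client (not visible here), the client's local default would be sent to the API server and the CompleteSpec fallback added in this same commit would never see an empty value, so the server host's `cgroups` setting would not take effect. Consider leaving `s.CgroupsMode` empty here and relying on the CompleteSpec fallback, or document which side's configuration is meant to win. The bare `return err` also loses context; wrapping it with a short message such as "loading containers.conf" would make the failure traceable. FillOutSpecGen starts and ends outside the hunk.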
@@ -484,4 +484,35 @@ var _ = Describe("Podman run", func() {
 Expect(result).Should(Exit(125))
 Expect(result.ErrorToString()).To(ContainSubstring(errorString))
 })
+
+ It("podman containers.conf cgroups=disabled", func() {
+ if !strings.Contains(podmanTest.OCIRuntime, "crun") {
+ Skip("FIXME: requires crun")
+ }
+ conffile := filepath.Join(podmanTest.TempDir, "container.conf")
+
+ err := ioutil.WriteFile(conffile, []byte("[containers]\ncgroups=\"disabled\"\n"), 0755)
+ Expect(err).To(BeNil())
+
+ result := podmanTest.Podman([]string{"create", ALPINE, "true"})
+ result.WaitWithDefaultTimeout()
+ Expect(result).Should(Exit(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.Cgroups }}", result.OutputToString()})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Not(Equal("disabled")))
+
+ os.Setenv("CONTAINERS_CONF", conffile)
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
+ result = podmanTest.Podman([]string{"create", ALPINE, "true"})
+ result.WaitWithDefaultTimeout()
+ Expect(result).Should(Exit(0))
+
+ inspect = podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.Cgroups }}", result.OutputToString()})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Equal("disabled"))
+ })
+
+
 })
--
cgit v1.2.3-54-g00ecf
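Review bot: The first `inspect` call in the new spec is never checked for success, so `Expect(inspect.OutputToString()).To(Not(Equal("disabled")))` also passes when inspect fails and prints nothing; add `Expect(inspect).Should(Exit(0))` after each `inspect.WaitWithDefaultTimeout()`. The config file is written with mode `0755`; a configuration file needs no execute bits, and `0644` (or `0600`) is enough. `os.Setenv("CONTAINERS_CONF", conffile)` drops its error and is not unset inside this spec, so unless a teardown outside the hunk clears it the override may leak into later specs. The enclosing Describe starts outside the hunk.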