Closed eetiez closed 5 months ago
A rootless user cannot configure that. You need to configure your system to delegate the cpu controller to an unprivileged user.
You need something like:
# cat > /etc/systemd/system/user@.service.d/delegate-cgroups.conf << EOF
[Service]
Delegate=cpu cpuset io memory pids
EOF
Thanks for the answer. I'm however still unable to delegate the cpu controller to the user running the container.
Based on your answer, I tried to reproduce the container execution via systemd discussed here. I noticed that the file /sys/fs/cgroup/cgroup.subtree_control is empty, which could explain why I am unable to add the cpu controller to a cgroup child. Adding cpu via echo "+cpu" >> /sys/fs/cgroup/cgroup.subtree_control works, but it doesn't help in a cgroup child, as the same error discussed above occurred...
My mistake, everything was finally working well. I wasn't looking in the right file: you must check controller delegation in /sys/fs/cgroup/cgroup.controllers. All the needed controllers are available inside the container with podman's default configuration on Fedora 39.
The errors mentioned above were due to a wrong manipulation of cgroup v2: you cannot delegate controllers to a child cgroup if there are processes inside the root cgroup (check cgroup.procs).
So I close this issue.
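As an added example (not from this issue or from podman itself), a POSIX sh helper that applies the two findings of this thread inside the container: read delegation from cgroup.controllers rather than cgroup.subtree_control, and refuse to enable a controller for children while the delegating cgroup still holds processes of its own. The directory argument, the function names and the `test` child name are assumptions.

```shell
#!/bin/sh
# Enable the cpu controller for children of a delegated cgroup v2 directory.
# Usage inside the container: enable_cpu_for_children /sys/fs/cgroup
enable_cpu_for_children() {
  root="$1"
  # 1. Delegation is visible in cgroup.controllers; cgroup.subtree_control is
  #    empty until a controller has been enabled, so it is the wrong file to check.
  if ! grep -qw cpu "$root/cgroup.controllers"; then
    echo "cpu is not delegated to $root (check Delegate= in the user@.service drop-in)" >&2
    return 1
  fi
  # 2. "No internal process" rule: a non-root cgroup (the container's root is one
  #    from the host's point of view) cannot enable controllers for its children
  #    while it still has processes in cgroup.procs. Move them to a leaf first.
  if [ -s "$root/cgroup.procs" ]; then
    echo "$root still holds processes; move them to a leaf cgroup before enabling cpu" >&2
    return 1
  fi
  echo "+cpu" > "$root/cgroup.subtree_control"
}

# Create a child cgroup and set its cpu quota (quota period, in microseconds).
# cpu.max only exists in the child once cpu is enabled in the parent's subtree_control.
limit_child_cpu() {
  root="$1"; child="$2"; quota="$3"; period="${4:-100000}"
  mkdir -p "$root/$child"
  echo "$quota $period" > "$root/$child/cpu.max"
}
```

Run it as the user the controllers were delegated to; in a rootless podman container that is the container's user, with /sys/fs/cgroup mounted writable.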
Issue Description
While I was launching a rootless container with a non-root process trying to set cpu limits via cgroupfs, I noticed that the process failed to start with the following error:
I reproduced the steps manually and I can't find any way to configure cpu limits in a cgroup child via cgroupfs inside a podman rootless container. The /sys/fs/cgroup is writable.
Steps to reproduce the issue
/sys/fs/cgroup writable
test
test
user test
user
Describe the results you received
The steps above produce the following error:
Describe the results you expected
It should add the cpu controller to /sys/fs/cgroup/test/cgroup.subtree_control
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
No response
Additional information
The steps above produce the same error when the cgroup child is owned by the root user and the command to add the controller is executed by the root user.