From 4b3b944733660456804b9bb0a3a723dd909739b5 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 21 Feb 2023 11:30:39 +0100
Subject: [PATCH] system: add warning when running rootless on cgroupv1

when running rootless on cgroupv1, Podman+OCI runtime do not setup a separate cgroup for the container. Spawned containers will run in the same cgroup as the podman system service process, thus will be killed when the cgroup is destroyed, as it is the case when running as a systemd service.
[NO NEW TESTS NEEDED]
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2170444
Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/system/service_abi.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go
index 3ce1c7f66e..e08d3b9558 100644
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@@ -11,10 +11,12 @@ import (
 "os"
 "path/filepath"
 
+ "github.com/containers/common/pkg/cgroups"
 "github.com/containers/podman/v4/cmd/podman/registry"
 api "github.com/containers/podman/v4/pkg/api/server"
 "github.com/containers/podman/v4/pkg/domain/entities"
 "github.com/containers/podman/v4/pkg/domain/infra"
+ "github.com/containers/podman/v4/pkg/rootless"
 "github.com/containers/podman/v4/pkg/servicereaper"
 "github.com/containers/podman/v4/utils"
 "github.com/coreos/go-systemd/v22/activation"
@@ -106,6 +108,11 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
 // Close the fd right away to not leak it during the entire time of the service.
 devNullfile.Close()
 
+ cgroupv2, _ := cgroups.IsCgroup2UnifiedMode()
+ if rootless.IsRootless() && !cgroupv2 {
+ logrus.Warnf("Running 'system service' in rootless mode without cgroup v2, containers won't survive a 'system service' restart")
+ }
+
 if err := utils.MaybeMoveToSubCgroup(); err != nil {
 // it is a best effort operation, so just print the
 // error for debugging purposes.
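Review bot: The error from `cgroups.IsCgroup2UnifiedMode()` is discarded in the added check in restService, so a failed detection leaves `cgroupv2` false and a rootless service on a cgroup v2 host would log this warning although it does not apply. Scoping the check to the error keeps the warning accurate: `if cgroupv2, err := cgroups.IsCgroup2UnifiedMode(); err != nil { logrus.Debugf("Could not detect cgroup mode: %v", err) } else if rootless.IsRootless() && !cgroupv2 {`. The message also names only the restart symptom; going by the commit description the cause is that containers share the service's cgroup, and a short comment above the check saying so, e.g. `// On cgroup v1 rootless containers are not moved to their own cgroup and share the service's.`, would help the next reader. restService starts before and continues past this hunk, so whether an `err` is already in scope there cannot be seen from here.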