system: add warning when running rootless on cgroupv1

when running rootless on cgroupv1, Podman+OCI runtime do not setup a separate cgroup for the container. Spawned containers will run in the same cgroup as the podman system service process, thus will be killed when the cgroup is destroyed, as it is the case when running as a systemd service. [NO NEW TESTS NEEDED] Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2170444 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-06-23 02:18:13 +08:00 · 2023-02-21 11:30:39 +01:00
parent afa0167d47
commit 4b3b944733
1 changed files with 7 additions and 0 deletions
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@ -11,10 +11,12 @@ import (
 	"os"
 	"path/filepath"

+	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/podman/v4/cmd/podman/registry"
 	api "github.com/containers/podman/v4/pkg/api/server"
 	"github.com/containers/podman/v4/pkg/domain/entities"
 	"github.com/containers/podman/v4/pkg/domain/infra"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/servicereaper"
 	"github.com/containers/podman/v4/utils"
 	"github.com/coreos/go-systemd/v22/activation"
@ -106,6 +108,11 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
 	// Close the fd right away to not leak it during the entire time of the service.
 	devNullfile.Close()

+	cgroupv2, _ := cgroups.IsCgroup2UnifiedMode()
+	if rootless.IsRootless() && !cgroupv2 {
+		logrus.Warnf("Running 'system service' in rootless mode without cgroup v2, containers won't survive a 'system service' restart")
+	}
+
 	if err := utils.MaybeMoveToSubCgroup(); err != nil {
 		// it is a best effort operation, so just print the
 		// error for debugging purposes.