Merge pull request #15384 from sstosh/options-cgroupsv1-rootless

Warning messages are printed and ignored if we use an unsupported option on cgroups V1 rootless systems

docs/source/markdown/options/blkio-weight.md

@@ -1,3 +1,5 @@
 #### **--blkio-weight**=*weight*
 
 Block IO relative weight. The _weight_ is a value between **10** and **1000**.
+
+This option is not supported on cgroups V1 rootless systems.

docs/source/markdown/options/cpu-period.md

@@ -8,3 +8,5 @@ microseconds.
 On some systems, changing the resource limits may not be allowed for non-root
 users. For more details, see
 https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
+
+This option is not supported on cgroups V1 rootless systems.

docs/source/markdown/options/cpu-quota.md

@@ -10,3 +10,5 @@ ends (controllable via **--cpu-period**).
 On some systems, changing the resource limits may not be allowed for non-root
 users. For more details, see
 https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
+
+This option is not supported on cgroups V1 rootless systems.

docs/source/markdown/options/cpu-rt-period.md

@@ -4,4 +4,4 @@ Limit the CPU real-time period in microseconds.
 
 Limit the container's Real Time CPU usage. This option tells the kernel to restrict the container's Real Time CPU usage to the period specified.
 
-This option is not supported on cgroups V2 systems.
+This option is only supported on cgroups V1 rootful systems.

docs/source/markdown/options/cpu-rt-runtime.md

@@ -7,4 +7,4 @@ Period of 1,000,000us and Runtime of 950,000us means that this container could c
 
 The sum of all runtimes across containers cannot exceed the amount allotted to the parent cgroup.
 
-This option is not supported on cgroups V2 systems.
+This option is only supported on cgroups V1 rootful systems.

docs/source/markdown/options/cpu-shares.md

@@ -37,3 +37,5 @@ this can result in the following division of CPU shares:
 On some systems, changing the resource limits may not be allowed for non-root
 users. For more details, see
 https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
+
+This option is not supported on cgroups V1 rootless systems.

docs/source/markdown/options/cpuset-cpus.md

@@ -7,3 +7,5 @@ CPUs in which to allow execution. Can be specified as a comma-separated list
 On some systems, changing the resource limits may not be allowed for non-root
 users. For more details, see
 https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
+
+This option is not supported on cgroups V1 rootless systems.

docs/source/markdown/options/cpuset-mems.md

@@ -10,3 +10,5 @@ two memory nodes.
 On some systems, changing the resource limits may not be allowed for non-root
 users. For more details, see
 https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
+
+This option is not supported on cgroups V1 rootless systems.

docs/source/markdown/options/memory-swappiness.md

@@ -2,4 +2,4 @@
 
 Tune a container's memory swappiness behavior. Accepts an integer between *0* and *100*.
 
-This flag is not supported on cgroups V2 systems.
+This flag is only supported on cgroups V1 rootful systems.

docs/source/markdown/podman-container-clone.1.md.in

@@ -40,6 +40,8 @@ Set a number of CPUs for the container that overrides the original containers CP
 This is shorthand
 for **--cpu-period** and **--cpu-quota**, so only **--cpus** or either both the **--cpu-period** and **--cpu-quota** options can be set.
 
+This option is not supported on cgroups V1 rootless systems.
+
 @@option cpuset-cpus
 
 If none are specified, the original container's CPUset is used.
@@ -54,10 +56,14 @@ If none are specified, the original container's CPU memory nodes are used.
 
 Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb).
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--device-write-bps**=*path*
 
 Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb)
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--force**, **-f**
 
 Force removal of the original container that we are cloning. Can only be used in conjunction with **--destroy**.
@@ -74,6 +80,8 @@ system's page size (the value would be very large, that's millions of trillions)
 
 If no memory limits are specified, the original container's will be used.
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--memory-reservation**=*limit*
 
 Memory soft limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes))
@@ -84,6 +92,8 @@ reservation. So you should always set the value below **--memory**, otherwise th
 hard limit will take precedence. By default, memory reservation will be the same
 as memory limit from the container being cloned.
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--memory-swap**=*limit*
 
 A limit value equal to memory plus swap. Must be used with the  **-m**
@@ -95,6 +105,8 @@ The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes),
 `k` (kibibytes), `m` (mebibytes), or `g` (gibibytes). If you don't specify a
 unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
 
+This option is not supported on cgroups V1 rootless systems.
+
 @@option memory-swappiness
 
 #### **--name**

docs/source/markdown/podman-create.1.md.in

@@ -129,6 +129,8 @@ On some systems, changing the CPU limits may not be allowed for non-root
 users. For more details, see
 https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
 
+This option is not supported on cgroups V1 rootless systems.
+
 @@option cpuset-cpus
 
 @@option cpuset-mems
@@ -163,18 +165,26 @@ Add a rule to the cgroup allowed devices list. The rule is expected to be in the
 
 Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--device-read-iops**=*path*
 
 Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000)
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--device-write-bps**=*path*
 
 Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb)
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--device-write-iops**=*path*
 
 Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--disable-content-trust**
 
 This is a Docker specific option to disable image verification to a Docker
@@ -364,6 +374,8 @@ RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
 not limited. The actual limit may be rounded up to a multiple of the operating
 system's page size (the value would be very large, that's millions of trillions).
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--memory-reservation**=*limit*
 
 Memory soft limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes))
@@ -374,6 +386,8 @@ reservation. So you should always set the value below **--memory**, otherwise th
 hard limit will take precedence. By default, memory reservation will be the same
 as memory limit.
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--memory-swap**=*limit*
 
 A limit value equal to memory plus swap. Must be used with the  **-m**
@@ -385,6 +399,8 @@ The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes),
 `k` (kibibytes), `m` (mebibytes), or `g` (gibibytes). If you don't specify a
 unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
 
+This option is not supported on cgroups V1 rootless systems.
+
 @@option memory-swappiness
 
 @@option mount

docs/source/markdown/podman-run.1.md.in

@@ -144,6 +144,8 @@ On some systems, changing the CPU limits may not be allowed for non-root
 users. For more details, see
 https://github.com/containers/podman/blob/main/troubleshooting.md#26-running-containers-with-resource-limits-fails-with-a-permissions-error
 
+This option is not supported on cgroups V1 rootless systems.
+
 @@option cpuset-cpus
 
 @@option cpuset-mems
@@ -194,18 +196,26 @@ Add a rule to the cgroup allowed devices list
 
 Limit read rate (in bytes per second) from a device (e.g. **--device-read-bps=/dev/sda:1mb**).
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--device-read-iops**=*path:rate*
 
 Limit read rate (in IO operations per second) from a device (e.g. **--device-read-iops=/dev/sda:1000**).
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--device-write-bps**=*path:rate*
 
 Limit write rate (in bytes per second) to a device (e.g. **--device-write-bps=/dev/sda:1mb**).
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--device-write-iops**=*path:rate*
 
 Limit write rate (in IO operations per second) to a device (e.g. **--device-write-iops=/dev/sda:1000**).
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--disable-content-trust**
 
 This is a Docker specific option to disable image verification to a Docker
@@ -375,6 +385,8 @@ RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
 not limited. The actual limit may be rounded up to a multiple of the operating
 system's page size (the value would be very large, that's millions of trillions).
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--memory-reservation**=*number[unit]*
 
 Memory soft limit. A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes).
@@ -385,6 +397,8 @@ reservation. So you should always set the value below **--memory**, otherwise th
 hard limit will take precedence. By default, memory reservation will be the same
 as memory limit.
 
+This option is not supported on cgroups V1 rootless systems.
+
 #### **--memory-swap**=*number[unit]*
 
 A limit value equal to memory plus swap.
@@ -397,6 +411,8 @@ the value of **--memory**.
 
 Set _number_ to **-1** to enable unlimited swap.
 
+This option is not supported on cgroups V1 rootless systems.
+
 @@option memory-swappiness
 
 @@option mount

pkg/specgen/generate/validate.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/common/pkg/sysinfo"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/specgen"
 	"github.com/containers/podman/v4/utils"
 )
@@ -19,6 +20,11 @@ func verifyContainerResourcesCgroupV1(s *specgen.SpecGenerator) ([]string, error
 
 	sysInfo := sysinfo.New(true)
 
+	if s.ResourceLimits != nil && rootless.IsRootless() {
+		s.ResourceLimits = nil
+		warnings = append(warnings, "Resource limits are not supported and ignored on cgroups V1 rootless systems")
+	}
+
 	if s.ResourceLimits == nil {
 		return warnings, nil
 	}

test/e2e/container_clone_test.go

@@ -87,6 +87,7 @@ var _ = Describe("Podman container clone", func() {
 	})
 
 	It("podman container clone resource limits override", func() {
+		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 		create := podmanTest.Podman([]string{"create", "--cpus=5", ALPINE})
 		create.WaitWithDefaultTimeout()
 		Expect(create).To(Exit(0))

test/e2e/create_test.go

@@ -438,6 +438,7 @@ var _ = Describe("Podman create", func() {
 	})
 
 	It("podman create with -m 1000000 sets swap to 2000000", func() {
+		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 		numMem := 1000000
 		ctrName := "testCtr"
 		session := podmanTest.Podman([]string{"create", "-t", "-m", fmt.Sprintf("%db", numMem), "--name", ctrName, ALPINE, "/bin/sh"})
@@ -452,6 +453,7 @@ var _ = Describe("Podman create", func() {
 	})
 
 	It("podman create --cpus 5 sets nanocpus", func() {
+		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 		numCpus := 5
 		nanoCPUs := numCpus * 1000000000
 		ctrName := "testCtr"

test/e2e/generate_kube_test.go

@@ -490,6 +490,7 @@ var _ = Describe("Podman generate kube", func() {
 	})
 
 	It("podman generate kube on pod with memory limit", func() {
+		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 		podName := "testMemoryLimit"
 		podSession := podmanTest.Podman([]string{"pod", "create", "--name", podName})
 		podSession.WaitWithDefaultTimeout()
@@ -515,6 +516,7 @@ var _ = Describe("Podman generate kube", func() {
 	})
 
 	It("podman generate kube on pod with cpu limit", func() {
+		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 		podName := "testCpuLimit"
 		podSession := podmanTest.Podman([]string{"pod", "create", "--name", podName})
 		podSession.WaitWithDefaultTimeout()

test/e2e/generate_spec_test.go

@@ -41,6 +41,7 @@ var _ = Describe("Podman generate spec", func() {
 	})
 
 	It("podman generate spec basic usage", func() {
+		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 		session := podmanTest.Podman([]string{"create", "--cpus", "5", "--name", "specgen", ALPINE})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
@@ -51,6 +52,7 @@ var _ = Describe("Podman generate spec", func() {
 	})
 
 	It("podman generate spec file", func() {
+		SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 		session := podmanTest.Podman([]string{"create", "--cpus", "5", "--name", "specgen", ALPINE})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))

test/system/030-run.bats

@@ -56,7 +56,12 @@ echo $rand        |   0 | $rand
 
 @test "podman run --memory=0 runtime option" {
     run_podman run --memory=0 --rm $IMAGE echo hello
+    if is_rootless && ! is_cgroupsv2; then
+        is "${lines[0]}" "Resource limits are not supported and ignored on cgroups V1 rootless systems" "--memory is not supported"
+        is "${lines[1]}" "hello" "--memory is ignored"
+    else
         is "$output" "hello" "failed to run when --memory is set to 0"
+    fi
 }
 
 # 'run --preserve-fds' passes a number of additional file descriptors into the container