ignition, machine: delegate cpu,io cgroup controllers to machine's default users

Makes sure that ignition setups up systemd config so cgroup controllers like `cpu, io` are also delegated to `non-root` along with `memory, pid`. This allows general users of `podman` on `macOS` and `podman-remote` to do operations which are dependent on `cpu, io` cgroup controllers. [NO TESTS NEEDED] [NO NEW TESTS NEEDED] We don't have a CI infra to test this, please pull the tree and run `podman info` inside the machine to confirm. Signed-off-by: Aditya R <arajan@redhat.com>
2025-06-25 03:52:15 +08:00 · 2022-01-28 14:46:22 +05:30
parent 935ae1bfd0
commit 6f2b027b38
1 changed files with 22 additions and 0 deletions
--- a/pkg/machine/ignition.go
+++ b/pkg/machine/ignition.go
@ -246,6 +246,10 @@ netns="bridge"
 `
 	rootContainers := `[engine]
 machine_enabled=true
+`
+
+	delegateConf := `[Service]
+Delegate=memory pids cpu io
 `

 	// Add a fake systemd service to get the user socket rolling
@ -280,6 +284,24 @@ machine_enabled=true
 			Mode: intToPtr(0744),
 		},
 	})
+
+	// Set delegate.conf so cpu,io subsystem is delegated to non-root users as well for cgroupv2
+	// by default
+	files = append(files, File{
+		Node: Node{
+			Group: getNodeGrp("root"),
+			Path:  "/etc/systemd/system/user@.service.d/delegate.conf",
+			User:  getNodeUsr("root"),
+		},
+		FileEmbedded1: FileEmbedded1{
+			Append: nil,
+			Contents: Resource{
+				Source: encodeDataURLPtr(delegateConf),
+			},
+			Mode: intToPtr(0644),
+		},
+	})
+
 	// Add a file into linger
 	files = append(files, File{
 		Node: Node{