opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-21 00:56:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

rootless container creation settings

Browse Source 
when running container creation as rootless on the compatibility layer,
we need to make sure settings are not being done for memory and memory
swappiness.

Signed-off-by: baude <bbaude@redhat.com>
This commit is contained in:
baude
2020-11-04 11:50:18 -06:00
parent 4d013caffc
commit 71a4676404
3 changed files with 68 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
cmd/podman/common/create_opts.go
View File

@ -7,7 +7,9 @@ import (
"strings"
"github.com/containers/podman/v2/pkg/api/handlers"
"github.com/containers/podman/v2/pkg/cgroups"
"github.com/containers/podman/v2/pkg/domain/entities"
"github.com/containers/podman/v2/pkg/rootless"
"github.com/containers/podman/v2/pkg/specgen"
)
@ -129,7 +131,7 @@ func stringMaptoArray(m map[string]string) []string {
// ContainerCreateToContainerCLIOpts converts a compat input struct to cliopts so it can be converted to
// a specgen spec.
func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*ContainerCLIOpts, []string, error) {
func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, cgroupsManager string) (*ContainerCLIOpts, []string, error) {
var (
capAdd []string
cappDrop []string
@ -346,16 +348,23 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*Cont
Systemd: "true", // podman default
TmpFS: stringMaptoArray(cc.HostConfig.Tmpfs),
TTY: cc.Config.Tty,
//Ulimit: cc.HostConfig.Ulimits, // ask dan, no documented format
Ulimit: []string{"nproc=4194304:4194304"},
User: cc.Config.User,
UserNS: string(cc.HostConfig.UsernsMode),
UTS: string(cc.HostConfig.UTSMode),
Mount: mounts,
Volume: volumes,
VolumesFrom: cc.HostConfig.VolumesFrom,
Workdir: cc.Config.WorkingDir,
Net: &netInfo,
User: cc.Config.User,
UserNS: string(cc.HostConfig.UsernsMode),
UTS: string(cc.HostConfig.UTSMode),
Mount: mounts,
Volume: volumes,
VolumesFrom: cc.HostConfig.VolumesFrom,
Workdir: cc.Config.WorkingDir,
Net: &netInfo,
}
if !rootless.IsRootless() {
var ulimits []string
if len(cc.HostConfig.Ulimits) > 0 {
for _, ul := range cc.HostConfig.Ulimits {
ulimits = append(ulimits, ul.String())
}
cliOpts.Ulimit = ulimits
}
}
if len(cc.HostConfig.BlkioWeightDevice) > 0 {
@ -377,7 +386,11 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*Cont
cliOpts.MemoryReservation = strconv.Itoa(int(cc.HostConfig.MemoryReservation))
}
if cc.HostConfig.MemorySwap > 0 {
cgroupsv2, err := cgroups.IsCgroup2UnifiedMode()
if err != nil {
return nil, nil, err
}
if cc.HostConfig.MemorySwap > 0 && (!rootless.IsRootless() || (rootless.IsRootless() && cgroupsv2)) {
cliOpts.MemorySwap = strconv.Itoa(int(cc.HostConfig.MemorySwap))
}
@ -401,8 +414,10 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*Cont
cliOpts.Restart = policy
}
if cc.HostConfig.MemorySwappiness != nil {
if cc.HostConfig.MemorySwappiness != nil && (!rootless.IsRootless() || rootless.IsRootless() && cgroupsv2 && cgroupsManager == "systemd") {
cliOpts.MemorySwappiness = *cc.HostConfig.MemorySwappiness
} else {
cliOpts.MemorySwappiness = -1
}
if cc.HostConfig.OomKillDisable != nil {
cliOpts.OOMKillDisable = *cc.HostConfig.OomKillDisable

7
pkg/api/handlers/compat/containers_create.go
View File

@ -38,6 +38,11 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
utils.Error(w, utils.ErrLinkNotSupport.Error(), http.StatusBadRequest, errors.Wrapf(utils.ErrLinkNotSupport, "bad parameter"))
return
}
rtc, err := runtime.GetConfig()
if err != nil {
utils.Error(w, "unable to obtain runtime config", http.StatusInternalServerError, errors.Wrap(err, "unable to get runtime config"))
}
newImage, err := runtime.ImageRuntime().NewFromLocal(input.Image)
if err != nil {
if errors.Cause(err) == define.ErrNoSuchImage {
@ -50,7 +55,7 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
}
// Take input structure and convert to cliopts
cliOpts, args, err := common.ContainerCreateToContainerCLIOpts(input)
cliOpts, args, err := common.ContainerCreateToContainerCLIOpts(input, rtc.Engine.CgroupManager)
if err != nil {
utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "make cli opts()"))
return

35
pkg/specgen/container_validate.go
View File

@ -1,11 +1,13 @@
package specgen
import (
"strconv"
"strings"
"github.com/containers/podman/v2/libpod/define"
"github.com/containers/podman/v2/pkg/rootless"
"github.com/containers/podman/v2/pkg/util"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
@ -144,7 +146,38 @@ func (s *SpecGenerator) Validate() error {
//default:
// return errors.New("unrecognized option for cgroups; supported are 'default', 'disabled', 'no-conmon'")
//}
invalidUlimitFormatError := errors.New("invalid default ulimit definition must be form of type=soft:hard")
//set ulimits if not rootless
if len(s.ContainerResourceConfig.Rlimits) < 1 && !rootless.IsRootless() {
// Containers common defines this as something like nproc=4194304:4194304
tmpnproc := containerConfig.Ulimits()
var posixLimits []specs.POSIXRlimit
for _, limit := range tmpnproc {
limitSplit := strings.SplitN(limit, "=", 2)
if len(limitSplit) < 2 {
return errors.Wrapf(invalidUlimitFormatError, "missing = in %s", limit)
}
valueSplit := strings.SplitN(limitSplit[1], ":", 2)
if len(valueSplit) < 2 {
return errors.Wrapf(invalidUlimitFormatError, "missing : in %s", limit)
}
hard, err := strconv.Atoi(valueSplit[0])
if err != nil {
return err
}
soft, err := strconv.Atoi(valueSplit[1])
if err != nil {
return err
}
posixLimit := specs.POSIXRlimit{
Type: limitSplit[0],
Hard: uint64(hard),
Soft: uint64(soft),
}
posixLimits = append(posixLimits, posixLimit)
}
s.ContainerResourceConfig.Rlimits = posixLimits
}
// Namespaces
if err := s.UtsNS.validate(); err != nil {
return err