podman: add new option --cgroups=no-conmon

it allows to disable cgroups creation only for the conmon process. A new cgroup is created for the container payload. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-10-19 12:12:36 +08:00 · 2020-01-14 15:05:12 +01:00
parent 30245affe9
commit ba0a6f34e3
8 changed files with 31 additions and 19 deletions
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@ -158,7 +158,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 	)
 	createFlags.String(
 		"cgroups", "enabled",
-		"control container cgroup configuration",
+		`control container cgroup configuration ("enabled"|"disabled"|"no-conmon")`,
 	)
 	createFlags.String(
 		"cgroup-parent", "",
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@ -78,8 +78,9 @@ If the host uses cgroups v1, the default is set to **host**.  On cgroups v2 the
 **--cgroups**=*mode*

 Determines whether the container will create CGroups.
-Valid values are *enabled* and *disabled*, which the default being *enabled*.
+Valid values are *enabled*, *disabled*, *no-conmon*, which the default being *enabled*.
 The *disabled* option will force the container to not create CGroups, and thus conflicts with CGroup options (**--cgroupns** and **--cgroup-parent**).
+The *no-conmon* option disables a new CGroup only for the conmon process.

 **--cgroup-parent**=*path*

--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@ -92,8 +92,9 @@ If the host uses cgroups v1, the default is set to **host**.  On cgroups v2 the
 **--cgroups**=*mode*

 Determines whether the container will create CGroups.
-Valid values are *enabled* and *disabled*, which the default being *enabled*.
+Valid values are *enabled*, *disabled*, *no-conmon*, which the default being *enabled*.
 The *disabled* option will force the container to not create CGroups, and thus conflicts with CGroup options (**--cgroupns** and **--cgroup-parent**).
+The *no-conmon* option disables a new CGroup only for the conmon process.

 **--cgroup-parent**=*cgroup*

--- a/libpod/container.go
+++ b/libpod/container.go
@ -373,8 +373,11 @@ type ContainerConfig struct {
 	// Time container was created
 	CreatedTime time.Time `json:"createdTime"`
 	// NoCgroups indicates that the container will not create CGroups. It is
-	// incompatible with CgroupParent.
+	// incompatible with CgroupParent.  Deprecated in favor of CgroupsMode.
 	NoCgroups bool `json:"noCgroups,omitempty"`
+	// CgroupsMode indicates how the container will create cgroups
+	// (disabled, no-conmon, enabled).  It supersedes NoCgroups.
+	CgroupsMode string `json:"cgroupsMode,omitempty"`
 	// Cgroup parent of the container
 	CgroupParent string `json:"cgroupParent"`
 	// LogPath log location
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@ -1297,11 +1297,17 @@ func startCommandGivenSelinux(cmd *exec.Cmd) error {
 // it then signals for conmon to start by sending nonse data down the start fd
 func (r *ConmonOCIRuntime) moveConmonToCgroupAndSignal(ctr *Container, cmd *exec.Cmd, startFd *os.File) error {
 	mustCreateCgroup := true
-	// If cgroup creation is disabled - just signal.
+
 	if ctr.config.NoCgroups {
 		mustCreateCgroup = false
 	}

+	// If cgroup creation is disabled - just signal.
+	switch ctr.config.CgroupsMode {
+	case "disabled", "no-conmon":
+		mustCreateCgroup = false
+	}
+
 	if mustCreateCgroup {
 		cgroupParent := ctr.CgroupParent()
 		if r.cgroupManager == define.SystemdCgroupsManager {
--- a/libpod/options.go
+++ b/libpod/options.go
@ -1078,25 +1078,26 @@ func WithLogTag(tag string) CtrCreateOption {

 }

-// WithNoCgroups disables the creation of CGroups for the new container.
-func WithNoCgroups() CtrCreateOption {
+// WithCgroupsMode disables the creation of CGroups for the conmon process.
+func WithCgroupsMode(mode string) CtrCreateOption {
 	return func(ctr *Container) error {
 		if ctr.valid {
 			return define.ErrCtrFinalized
 		}

-		if ctr.config.CgroupParent != "" {
-			return errors.Wrapf(define.ErrInvalidArg, "NoCgroups conflicts with CgroupParent")
-		}
-
-		if ctr.config.PIDNsCtr != "" {
-			return errors.Wrapf(define.ErrInvalidArg, "NoCgroups requires a private PID namespace and cannot be used when PID namespace is shared with another container")
-		}
-
+		switch mode {
+		case "disabled":
 			ctr.config.NoCgroups = true
+			ctr.config.CgroupsMode = mode
+		case "enabled", "no-conmon":
+			ctr.config.CgroupsMode = mode
+		default:
+			return errors.Wrapf(define.ErrInvalidArg, "Invalid cgroup mode %q", mode)
+		}

 		return nil
 	}
+
 }

 // WithCgroupParent sets the Cgroup Parent of the new container.
--- a/pkg/spec/namespaces.go
+++ b/pkg/spec/namespaces.go
@ -213,8 +213,8 @@ func (c *CgroupConfig) ToCreateOptions(runtime *libpod.Runtime) ([]libpod.CtrCre
 		options = append(options, libpod.WithCgroupParent(c.CgroupParent))
 	}

-	if c.Cgroups == "disabled" {
-		options = append(options, libpod.WithNoCgroups())
+	if c.Cgroups != "" {
+		options = append(options, libpod.WithCgroupsMode(c.Cgroups))
 	}

 	return options, nil
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@ -358,10 +358,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 			return nil, errors.New("cannot specify resource limits when cgroups are disabled is specified")
 		}
 		configSpec.Linux.Resources = &spec.LinuxResources{}
-	case "enabled", "":
+	case "enabled", "no-conmon", "":
 		// Do nothing
 	default:
-		return nil, errors.New("unrecognized option for cgroups; supported are 'default' and 'disabled'")
+		return nil, errors.New("unrecognized option for cgroups; supported are 'default', 'disabled', 'no-conmon'")
 	}

 	// Add annotations