mirror of
https://github.com/containers/podman.git
synced 2025-05-20 16:47:39 +08:00
Document how to enable CPU limit delegation
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
This commit is contained in:
Jordan Christiansen
@ -115,6 +115,10 @@ Limit the CPU CFS (Completely Fair Scheduler) period
|
||||
|
||||
Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpu-quota**=*limit*
|
||||
|
||||
Limit the CPU CFS (Completely Fair Scheduler) quota
|
||||
@ -123,6 +127,10 @@ Limit the container's CPU usage. By default, containers run with the full
|
||||
CPU resource. This flag tell the kernel to restrict the container's CPU usage
|
||||
to the quota you specify.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpu-shares**, **-c**=*shares*
|
||||
|
||||
CPU shares (relative weight)
|
||||
@ -787,9 +795,9 @@ registries.conf is the configuration file which specifies which container regist
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
If you are using a useradd command within a Containerfile with a large UID/GID, it will create a large sparse file `/var/log/lastlog`. This can cause the build to hang forever. Go language does not support sparse files correctly, which can lead to some huge files being created in your container image.
|
||||
### lastlog sparse file
|
||||
|
||||
### Solution
|
||||
If you are using a useradd command within a Containerfile with a large UID/GID, it will create a large sparse file `/var/log/lastlog`. This can cause the build to hang forever. Go language does not support sparse files correctly, which can lead to some huge files being created in your container image.
|
||||
|
||||
If you are using `useradd` within your build script, you should pass the `--no-log-init or -l` option to the `useradd` command. This option tells useradd to stop creating the lastlog file.
|
||||
|
||||
|
||||
@ -107,6 +107,10 @@ Limit the CPU CFS (Completely Fair Scheduler) period
|
||||
|
||||
Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpu-quota**=*limit*
|
||||
|
||||
Limit the CPU CFS (Completely Fair Scheduler) quota
|
||||
@ -115,6 +119,10 @@ Limit the container's CPU usage. By default, containers run with the full
|
||||
CPU resource. This flag tell the kernel to restrict the container's CPU usage
|
||||
to the quota you specify.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpu-rt-period**=*microseconds*
|
||||
|
||||
Limit the CPU real-time period in microseconds
|
||||
@ -171,6 +179,10 @@ PID container CPU CPU share
|
||||
|
||||
Number of CPUs. The default is *0.0* which means no limit.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpuset-cpus**=*cpus*
|
||||
|
||||
CPUs in which to allow execution (0-3, 0,1)
|
||||
|
||||
@ -120,6 +120,10 @@ Write the pid of the **conmon** process to a file. As **conmon** runs in a separ
|
||||
|
||||
Limit the container's CPU usage by setting CPU CFS (Completely Fair Scheduler) period.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpu-quota**=*limit*
|
||||
|
||||
Limit the CPU CFS (Completely Fair Scheduler) quota.
|
||||
@ -128,6 +132,10 @@ Limit the container's CPU usage. By default, containers run with the full
|
||||
CPU resource. This flag tell the kernel to restrict the container's CPU usage
|
||||
to the quota you specify.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpu-rt-period**=*microseconds*
|
||||
|
||||
Limit the CPU real-time period in microseconds.
|
||||
@ -182,6 +190,10 @@ division of CPU shares:
|
||||
|
||||
Number of CPUs. The default is *0.0* which means no limit.
|
||||
|
||||
On some systems, changing the CPU limits may not be allowed for non-root
|
||||
users. For more details, see
|
||||
https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error
|
||||
|
||||
**--cpuset-cpus**=*number*
|
||||
|
||||
CPUs in which to allow execution. Can be specified as a comma-separated list
|
||||
|
||||
@ -644,3 +644,39 @@ $ podman run --read-only --rootfs /path/to/rootfs ....
|
||||
|
||||
Another option would be to create an overlay file system on the directory as a lower and then
|
||||
then allow podman to create the files on the upper.
|
||||
|
||||
### 26) Running containers with CPU limits fails with a permissions error
|
||||
|
||||
On some systemd-based systems, non-root users do not have CPU limit delegation
|
||||
permissions. This causes setting CPU limits to fail.
|
||||
|
||||
#### Symptom
|
||||
|
||||
Running a container with a CPU limit options such as `--cpus`, `--cpu-period`,
|
||||
or `--cpu-quota` will fail with an error similar to the following:
|
||||
|
||||
Error: opening file `cpu.max` for writing: Permission denied: OCI runtime permission denied error
|
||||
|
||||
This means that CPU limit delegation is not enabled for the current user.
|
||||
|
||||
#### Solution
|
||||
|
||||
You can verify whether CPU limit delegation is enabled by running the following command:
|
||||
|
||||
cat "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"
|
||||
|
||||
Example output might be:
|
||||
|
||||
memory pids
|
||||
|
||||
In the above example, `cpu` is not listed, which means the curent user does
|
||||
not have permission to set CPU limits.
|
||||
|
||||
If you want to enable CPU limit delegation for all users, you can create the
|
||||
file `/etc/systemd/system/user@.service.d/delegate.conf` with the contents:
|
||||
|
||||
[Service]
|
||||
Delegate=memory pids cpu io
|
||||
|
||||
After logging out and loggin back in, you should have permission to set CPU
|
||||
limits.
|
||||
|
||||
Reference in New Issue
Block a user