rootless: automatically create a systemd scope by giuseppe · Pull Request #3959 · containers/podman

giuseppe · 2019-09-06T14:18:00Z

when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope.

This solves a couple of issues:

on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l.

Closes: #3937

Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

openshift-ci-robot · 2019-09-06T14:18:02Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mheon · 2019-09-06T14:20:24Z

Thanks for spotting it :) got confused. Dropped the patch

mheon · 2019-09-06T14:21:12Z

Should this be unconditional? I feel like we only want it with systemd CGroups.

we also want this when using cgroupfs. It solves the problem of running systemd containers on cgroups v1 with: systemd-run --scope --user podman ...

If it fails though, we just print a debug message

rhatdan · 2019-09-06T14:28:38Z

LGTM

rhatdan · 2019-09-06T14:29:15Z

@msekletar PTAL

TomSweeneyRedHat · 2019-09-09T12:39:21Z

LGTM assuming happy tests

giuseppe · 2019-09-09T16:00:50Z

tests are finally passing

mheon · 2019-09-09T19:39:53Z

I don't like increasing our dependency on systemd; I'd like to still be able to run in environments where it's not available. Still, this doesn't seem harmful... LGTM

giuseppe · 2019-09-10T05:57:21Z

I've addressed the comments and pushed a new version.

I don't like increasing our dependency on systemd; I'd like to still be able to run in environments where it's not available. Still, this doesn't seem harmful... LGTM

I agree, Podman should work fine without systemd. If it fails to create the scope we only give a warning (if the cgroups manager is systemd) or a debug message (with cgroupfs).

rh-atomic-bot · 2019-09-10T23:00:01Z

☔ The latest upstream changes (presumably #3581) made this pull request unmergeable. Please resolve the merge conflicts.

rhatdan · 2019-09-11T14:36:52Z

@giuseppe needs a rebase.

when running as rootless, use the user session bus. It is already implemented in the pkg/cgroups so just re-use it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope when the user doesn't own the current cgroup. This solves a couple of issues: on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l. Closes: containers#3937 Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

giuseppe · 2019-09-12T08:07:23Z

rebased and tests are green

mheon · 2019-09-12T16:53:36Z

/lgtm

openshift-ci-robot requested review from jwhonce and umohnani8 September 6, 2019 14:18

openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M labels Sep 6, 2019

giuseppe mentioned this pull request Sep 6, 2019

rawhide (crun): rootless(?): podman exec broken: OCI runtime error #3937

Closed

mheon reviewed Sep 6, 2019

View reviewed changes

giuseppe force-pushed the rootless-use-systemd-scope branch from 1021a9f to cb89afa Compare September 6, 2019 14:24

giuseppe force-pushed the rootless-use-systemd-scope branch from cb89afa to 460628a Compare September 9, 2019 09:12

openshift-ci-robot added size/L and removed size/M labels Sep 9, 2019

giuseppe force-pushed the rootless-use-systemd-scope branch 3 times, most recently from 7ea517a to 8a55f3d Compare September 9, 2019 11:03

rhatdan reviewed Sep 9, 2019

View reviewed changes

Comment thread pkg/cgroups/cgroups_supported.go Outdated

Comment thread cmd/podman/main_local.go Outdated

rhatdan added the Release Notes 1.5.2 label Sep 9, 2019

giuseppe force-pushed the rootless-use-systemd-scope branch 2 times, most recently from 36f9ca5 to a224050 Compare September 10, 2019 05:54

giuseppe force-pushed the rootless-use-systemd-scope branch from a224050 to 61ab001 Compare September 11, 2019 15:05

giuseppe added 2 commits September 12, 2019 08:35

utils: use the user session for systemd

b94a5e2

when running as rootless, use the user session bus. It is already implemented in the pkg/cgroups so just re-use it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

rootless: run pause process in its own scope

7e88bf7

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

giuseppe force-pushed the rootless-use-systemd-scope branch from 61ab001 to 7e88bf7 Compare September 12, 2019 06:35

openshift-ci-robot assigned mheon Sep 12, 2019

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 12, 2019

openshift-merge-robot merged commit 8c3349b into containers:master Sep 12, 2019

rh-atomic-bot mentioned this pull request Sep 12, 2019

During shutdown, don't let Conmon die with Systemd CGroups #3474

Closed

github-actions Bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 26, 2023

github-actions Bot locked as resolved and limited conversation to collaborators Sep 26, 2023

Conversation

giuseppe commented Sep 6, 2019

Uh oh!

openshift-ci-robot commented Sep 6, 2019

Uh oh!

mheon Sep 6, 2019

Choose a reason for hiding this comment

Uh oh!

giuseppe Sep 6, 2019

Choose a reason for hiding this comment

Uh oh!

mheon Sep 6, 2019

Choose a reason for hiding this comment

Uh oh!

giuseppe Sep 6, 2019

Choose a reason for hiding this comment

Uh oh!

rhatdan commented Sep 6, 2019

Uh oh!

rhatdan commented Sep 6, 2019

Uh oh!

TomSweeneyRedHat commented Sep 9, 2019

Uh oh!

giuseppe commented Sep 9, 2019

Uh oh!

Uh oh!

Uh oh!

mheon commented Sep 9, 2019

Uh oh!

giuseppe commented Sep 10, 2019

Uh oh!

rh-atomic-bot commented Sep 10, 2019

Uh oh!

rhatdan commented Sep 11, 2019

Uh oh!

giuseppe commented Sep 12, 2019

Uh oh!

mheon commented Sep 12, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants