podman: add new option --cgroups=no-conmon

It allows disabling cgroup creation only for the conmon process.

A new cgroup is created for the container payload.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano 2020-01-14 15:05:12 +01:00
parent 30245affe9
commit ba0a6f34e3
GPG Key ID: E4730F97F60286ED
8 changed files with 31 additions and 19 deletions


@ -158,7 +158,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
)
createFlags.String(
"cgroups", "enabled",
"control container cgroup configuration",
`control container cgroup configuration ("enabled"|"disabled"|"no-conmon")`,
)
createFlags.String(
"cgroup-parent", "",


@ -78,8 +78,9 @@ If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the
**--cgroups**=*mode*
Determines whether the container will create CGroups.
Valid values are *enabled* and *disabled*, which the default being *enabled*.
Valid values are *enabled*, *disabled*, *no-conmon*, which the default being *enabled*.
The *disabled* option will force the container to not create CGroups, and thus conflicts with CGroup options (**--cgroupns** and **--cgroup-parent**).
The *no-conmon* option disables a new CGroup only for the conmon process.
**--cgroup-parent**=*path*


@ -92,8 +92,9 @@ If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the
**--cgroups**=*mode*
Determines whether the container will create CGroups.
Valid values are *enabled* and *disabled*, which the default being *enabled*.
Valid values are *enabled*, *disabled*, *no-conmon*, which the default being *enabled*.
The *disabled* option will force the container to not create CGroups, and thus conflicts with CGroup options (**--cgroupns** and **--cgroup-parent**).
The *no-conmon* option disables a new CGroup only for the conmon process.
**--cgroup-parent**=*cgroup*


@ -373,8 +373,11 @@ type ContainerConfig struct {
// Time container was created
CreatedTime time.Time `json:"createdTime"`
// NoCgroups indicates that the container will not create CGroups. It is
// incompatible with CgroupParent.
// incompatible with CgroupParent. Deprecated in favor of CgroupsMode.
NoCgroups bool `json:"noCgroups,omitempty"`
// CgroupsMode indicates how the container will create cgroups
// (disabled, no-conmon, enabled). It supersedes NoCgroups.
CgroupsMode string `json:"cgroupsMode,omitempty"`
// Cgroup parent of the container
CgroupParent string `json:"cgroupParent"`
// LogPath log location
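Review bot: The comment on the new CgroupsMode field does not say how it relates to the deprecated NoCgroups it supersedes, which is what a reader of a stored config needs: WithCgroupsMode in this same commit still sets NoCgroups to true for "disabled", and containers created before this change carry NoCgroups with an empty CgroupsMode. The other call sites in the commit appear to treat an empty CgroupsMode as "enabled" (ToCreateOptions skips it, createConfigToOCISpec groups "" with "enabled"), so that convention should be written down here too. Suggest extending the field comment with `// An empty value is treated as "enabled". NoCgroups is still set for "disabled" so that readers of older configs keep working.` The ContainerConfig struct continues outside the hunk.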


@ -1297,11 +1297,17 @@ func startCommandGivenSelinux(cmd *exec.Cmd) error {
// it then signals for conmon to start by sending nonse data down the start fd
func (r *ConmonOCIRuntime) moveConmonToCgroupAndSignal(ctr *Container, cmd *exec.Cmd, startFd *os.File) error {
mustCreateCgroup := true
// If cgroup creation is disabled - just signal.
if ctr.config.NoCgroups {
mustCreateCgroup = false
}
// If cgroup creation is disabled - just signal.
switch ctr.config.CgroupsMode {
case "disabled", "no-conmon":
mustCreateCgroup = false
}
if mustCreateCgroup {
cgroupParent := ctr.CgroupParent()
if r.cgroupManager == define.SystemdCgroupsManager {
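Review bot: The comment above the new switch repeats the one above the NoCgroups check word for word, although the new case also covers "no-conmon", where (per the commit message) a cgroup is still created for the container payload but not for conmon. Replace the second comment with `// "disabled" skips cgroups entirely; "no-conmon" keeps the container cgroup but exempts the conmon process.` The legacy NoCgroups check kept above it is still needed for configs written before CgroupsMode existed and deserves a word, e.g. `// NoCgroups predates CgroupsMode; keep honoring it for existing containers.` moveConmonToCgroupAndSignal continues past the hunk.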


@ -1078,25 +1078,26 @@ func WithLogTag(tag string) CtrCreateOption {
}
// WithNoCgroups disables the creation of CGroups for the new container.
func WithNoCgroups() CtrCreateOption {
// WithCgroupsMode disables the creation of CGroups for the conmon process.
func WithCgroupsMode(mode string) CtrCreateOption {
return func(ctr *Container) error {
if ctr.valid {
return define.ErrCtrFinalized
}
if ctr.config.CgroupParent != "" {
return errors.Wrapf(define.ErrInvalidArg, "NoCgroups conflicts with CgroupParent")
switch mode {
case "disabled":
ctr.config.NoCgroups = true
ctr.config.CgroupsMode = mode
case "enabled", "no-conmon":
ctr.config.CgroupsMode = mode
default:
return errors.Wrapf(define.ErrInvalidArg, "Invalid cgroup mode %q", mode)
}
if ctr.config.PIDNsCtr != "" {
return errors.Wrapf(define.ErrInvalidArg, "NoCgroups requires a private PID namespace and cannot be used when PID namespace is shared with another container")
}
ctr.config.NoCgroups = true
return nil
}
}
// WithCgroupParent sets the Cgroup Parent of the new container.
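Review bot: In the rewritten option the "disabled" branch sets NoCgroups without the CgroupParent and PIDNsCtr guards that WithNoCgroups applied before it set the flag; from the rendered hunk it looks like those two checks are dropped rather than moved, in which case the conflict with --cgroup-parent that the man page in this commit still documents, and the requirement for a private PID namespace, are no longer enforced at option time. If that reading is right, the guards belong inside `case "disabled":` before the assignments, as below. Separately, the doc comment `// WithCgroupsMode disables the creation of CGroups for the conmon process.` describes only one mode; suggest `// WithCgroupsMode sets how cgroups are created for the new container: "enabled", "disabled" (no cgroups at all, implies NoCgroups) or "no-conmon" (no cgroup for the conmon process only).` The error string `"Invalid cgroup mode %q"` should also start lowercase to match the other errors in this file.
```go
		switch mode {
		case "disabled":
			// the guards below are the ones WithNoCgroups applied before setting the flag
			if ctr.config.CgroupParent != "" {
				return errors.Wrapf(define.ErrInvalidArg, "NoCgroups conflicts with CgroupParent")
			}
			if ctr.config.PIDNsCtr != "" {
				return errors.Wrapf(define.ErrInvalidArg, "NoCgroups requires a private PID namespace and cannot be used when PID namespace is shared with another container")
			}
			ctr.config.NoCgroups = true
			ctr.config.CgroupsMode = mode
		// … unchanged: "enabled"/"no-conmon" and default cases …
```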


@ -213,8 +213,8 @@ func (c *CgroupConfig) ToCreateOptions(runtime *libpod.Runtime) ([]libpod.CtrCre
options = append(options, libpod.WithCgroupParent(c.CgroupParent))
}
if c.Cgroups == "disabled" {
options = append(options, libpod.WithNoCgroups())
if c.Cgroups != "" {
options = append(options, libpod.WithCgroupsMode(c.Cgroups))
}
return options, nil


@ -358,10 +358,10 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
return nil, errors.New("cannot specify resource limits when cgroups are disabled is specified")
}
configSpec.Linux.Resources = &spec.LinuxResources{}
case "enabled", "":
case "enabled", "no-conmon", "":
// Do nothing
default:
return nil, errors.New("unrecognized option for cgroups; supported are 'default' and 'disabled'")
return nil, errors.New("unrecognized option for cgroups; supported are 'default', 'disabled', 'no-conmon'")
}
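Review bot: The rewritten error string still advertises 'default', a value the switch does not accept — the accepted spelling is 'enabled', which is both the case on the line above and the CLI default set in getCreateFlags. Change it to `return nil, errors.New("unrecognized option for cgroups; supported are 'enabled', 'disabled', 'no-conmon'")`. Routing "no-conmon" through the do-nothing case looks right, since the container payload still gets a cgroup and so resource limits still apply; a comment on that case, `// no-conmon still creates a cgroup for the container, so limits remain valid`, would make the choice deliberate rather than accidental. createConfigToOCISpec starts before and ends after the hunk.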
// Add annotations