rootless container creation settings

when running container creation as rootless on the compatibility layer,
we need to make sure settings are not being done for memory and memory
swappiness.

Signed-off-by: baude <bbaude@redhat.com>

cmd/podman/common/create_opts.go

@@ -7,7 +7,9 @@ import (
 	"strings"
 
 	"github.com/containers/podman/v2/pkg/api/handlers"
+	"github.com/containers/podman/v2/pkg/cgroups"
 	"github.com/containers/podman/v2/pkg/domain/entities"
+	"github.com/containers/podman/v2/pkg/rootless"
 	"github.com/containers/podman/v2/pkg/specgen"
 )
 
@@ -129,7 +131,7 @@ func stringMaptoArray(m map[string]string) []string {
 
 // ContainerCreateToContainerCLIOpts converts a compat input struct to cliopts so it can be converted to
 // a specgen spec.
-func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*ContainerCLIOpts, []string, error) {
+func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, cgroupsManager string) (*ContainerCLIOpts, []string, error) {
 	var (
 		capAdd     []string
 		cappDrop   []string
@@ -346,16 +348,23 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*Cont
 		Systemd:          "true", // podman default
 		TmpFS:            stringMaptoArray(cc.HostConfig.Tmpfs),
 		TTY:              cc.Config.Tty,
-		//Ulimit:            cc.HostConfig.Ulimits,            // ask dan, no documented format
-		Ulimit:      []string{"nproc=4194304:4194304"},
-		User:        cc.Config.User,
-		UserNS:      string(cc.HostConfig.UsernsMode),
-		UTS:         string(cc.HostConfig.UTSMode),
-		Mount:       mounts,
-		Volume:      volumes,
-		VolumesFrom: cc.HostConfig.VolumesFrom,
-		Workdir:     cc.Config.WorkingDir,
-		Net:         &netInfo,
+		User:             cc.Config.User,
+		UserNS:           string(cc.HostConfig.UsernsMode),
+		UTS:              string(cc.HostConfig.UTSMode),
+		Mount:            mounts,
+		Volume:           volumes,
+		VolumesFrom:      cc.HostConfig.VolumesFrom,
+		Workdir:          cc.Config.WorkingDir,
+		Net:              &netInfo,
+	}
+	if !rootless.IsRootless() {
+		var ulimits []string
+		if len(cc.HostConfig.Ulimits) > 0 {
+			for _, ul := range cc.HostConfig.Ulimits {
+				ulimits = append(ulimits, ul.String())
+			}
+			cliOpts.Ulimit = ulimits
+		}
 	}
 
 	if len(cc.HostConfig.BlkioWeightDevice) > 0 {
@@ -377,7 +386,11 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*Cont
 		cliOpts.MemoryReservation = strconv.Itoa(int(cc.HostConfig.MemoryReservation))
 	}
 
-	if cc.HostConfig.MemorySwap > 0 {
+	cgroupsv2, err := cgroups.IsCgroup2UnifiedMode()
+	if err != nil {
+		return nil, nil, err
+	}
+	if cc.HostConfig.MemorySwap > 0 && (!rootless.IsRootless() || (rootless.IsRootless() && cgroupsv2)) {
 		cliOpts.MemorySwap = strconv.Itoa(int(cc.HostConfig.MemorySwap))
 	}
 
@@ -401,8 +414,10 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig) (*Cont
 		cliOpts.Restart = policy
 	}
 
-	if cc.HostConfig.MemorySwappiness != nil {
+	if cc.HostConfig.MemorySwappiness != nil && (!rootless.IsRootless() || rootless.IsRootless() && cgroupsv2 && cgroupsManager == "systemd") {
 		cliOpts.MemorySwappiness = *cc.HostConfig.MemorySwappiness
+	} else {
+		cliOpts.MemorySwappiness = -1
 	}
 	if cc.HostConfig.OomKillDisable != nil {
 		cliOpts.OOMKillDisable = *cc.HostConfig.OomKillDisable

pkg/api/handlers/compat/containers_create.go

@@ -38,6 +38,11 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 		utils.Error(w, utils.ErrLinkNotSupport.Error(), http.StatusBadRequest, errors.Wrapf(utils.ErrLinkNotSupport, "bad parameter"))
 		return
 	}
+	rtc, err := runtime.GetConfig()
+	if err != nil {
+		utils.Error(w, "unable to obtain runtime config", http.StatusInternalServerError, errors.Wrap(err, "unable to get runtime config"))
+	}
+
 	newImage, err := runtime.ImageRuntime().NewFromLocal(input.Image)
 	if err != nil {
 		if errors.Cause(err) == define.ErrNoSuchImage {
@@ -50,7 +55,7 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Take input structure and convert to cliopts
-	cliOpts, args, err := common.ContainerCreateToContainerCLIOpts(input)
+	cliOpts, args, err := common.ContainerCreateToContainerCLIOpts(input, rtc.Engine.CgroupManager)
 	if err != nil {
 		utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "make cli opts()"))
 		return

pkg/specgen/container_validate.go

@@ -1,11 +1,13 @@
 package specgen
 
 import (
+	"strconv"
 	"strings"
 
 	"github.com/containers/podman/v2/libpod/define"
 	"github.com/containers/podman/v2/pkg/rootless"
 	"github.com/containers/podman/v2/pkg/util"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 )
 
@@ -144,7 +146,38 @@ func (s *SpecGenerator) Validate() error {
 	//default:
 	//	return errors.New("unrecognized option for cgroups; supported are 'default', 'disabled', 'no-conmon'")
 	//}
-
+	invalidUlimitFormatError := errors.New("invalid default ulimit definition must be form of type=soft:hard")
+	//set ulimits if not rootless
+	if len(s.ContainerResourceConfig.Rlimits) < 1 && !rootless.IsRootless() {
+		// Containers common defines this as something like nproc=4194304:4194304
+		tmpnproc := containerConfig.Ulimits()
+		var posixLimits []specs.POSIXRlimit
+		for _, limit := range tmpnproc {
+			limitSplit := strings.SplitN(limit, "=", 2)
+			if len(limitSplit) < 2 {
+				return errors.Wrapf(invalidUlimitFormatError, "missing = in %s", limit)
+			}
+			valueSplit := strings.SplitN(limitSplit[1], ":", 2)
+			if len(valueSplit) < 2 {
+				return errors.Wrapf(invalidUlimitFormatError, "missing : in %s", limit)
+			}
+			hard, err := strconv.Atoi(valueSplit[0])
+			if err != nil {
+				return err
+			}
+			soft, err := strconv.Atoi(valueSplit[1])
+			if err != nil {
+				return err
+			}
+			posixLimit := specs.POSIXRlimit{
+				Type: limitSplit[0],
+				Hard: uint64(hard),
+				Soft: uint64(soft),
+			}
+			posixLimits = append(posixLimits, posixLimit)
+		}
+		s.ContainerResourceConfig.Rlimits = posixLimits
+	}
 	// Namespaces
 	if err := s.UtsNS.validate(); err != nil {
 		return err