Allow rootless buildah to set resource limits on cgroup V2

[rhatdan]

First move podman/pkg/cgroups into Buildah.
Only set resources to nil on non cgroupsv2 systems in rootless mode.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

What type of PR is this?

/kind api-change
/kind bug
/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake
/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

@nalind @giuseppe This seems to work, but Buildah is getting a different cgroupfs mounted then Podman.
Podman is getting

$ podman run -ti alpine ls -1 /sys/fs/cgroup/
cgroup.controllers
cgroup.events
cgroup.freeze
cgroup.kill
cgroup.max.depth
cgroup.max.descendants
cgroup.procs
cgroup.stat
cgroup.subtree_control
cgroup.threads
cgroup.type
cpu.max
cpu.max.burst
cpu.pressure
cpu.stat
cpu.weight
cpu.weight.nice
io.bfq.weight
io.latency
io.max
io.pressure
io.prio.class
io.stat
io.weight
memory.current
memory.events
memory.events.local
memory.high
memory.low
memory.max
memory.min
memory.numa_stat
memory.oom.group
memory.pressure
memory.stat
memory.swap.current
memory.swap.events
memory.swap.high
memory.swap.max
pids.current
pids.events
pids.max

But Buildah sees

STEP 3/3: RUN ls /sys/fs/cgroup/
cgroup.controllers
cgroup.max.depth
cgroup.max.descendants
cgroup.procs
cgroup.stat
cgroup.subtree_control
cgroup.threads
cpu.pressure
cpu.stat
cpuset.cpus.effective
cpuset.mems.effective
dev-hugepages.mount
dev-mqueue.mount
init.scope
io.cost.model
io.cost.qos
io.pressure
io.prio.class
io.stat
machine.slice
memory.numa_stat
memory.pressure
memory.stat
misc.capacity
sys-fs-fuse-connections.mount
sys-kernel-config.mount
sys-kernel-debug.mount
sys-kernel-tracing.mount
system.slice
user.slice

Any idea what I am doing wrong?
Tests are looking for /sys/fs/cgroup/cpu.max

[giuseppe]

Any idea what I am doing wrong?

are you adding a cgroupns to the container?

With cgroupv2 we do that by default, while on cgroupv1 by default it is --cgroupns=host

[rhatdan]

Ok it looks like buildah does not do anything with cgroupns. We need to add that support.
@giuseppe could you take this PR over and add cgroupns, or I will get to it when I have some time.

[giuseppe]

I've looked and we already use a cgroupns. I think we are hitting: containers/crun#765

[rhatdan]

Do we have a new crun release?

[giuseppe]

I'll work on a new one now, I need to fix the CI first :/

I've also found another issue in Buildah while debugging this PR: #3614

[giuseppe]

Do we have a new crun release?

tagging one: containers/crun#770

[giuseppe]

the new builds are on Bodhi

[rhatdan]

Verifying containers/common#854

[rhatdan]

@vrothberg Latest containers/common filters patch is passing here now.

[rhatdan]

@nalind @giuseppe @flouthoc @vrothberg @TomSweeneyRedHat @umohnani8 This is ready to review.

[umohnani8]

LGTM

[nalind]

Do we need to update our seccomp handling in chroot to account for this?

[rhatdan]

@giuseppe PTAL

[nalind]

Is this a bug?

[rhatdan]

@vrothberg PTAL

[vrothberg]

It's preserving previous behavior, see containers/common@2f3c4bcdfdcf. But I am for changing the behavior. Libraries should not print on stdout.

[rhatdan]

Well that should happen in a separate PR.

[vrothberg]

Agreed, that's what I also wrote in the PR of containers/common@2f3c4bcdfdcf. It may require changes to Podman to preserve behavior but I did not investigate.

[TomSweeneyRedHat]

The changes in here LGTM. Are we holding this for an update to common to fix the printf and/or updates to Podman?