cgroup delegation

[aanderse]

i am interested in the new cgroup delegation feature introduced in 4.15! i'm trying to run podman as a service so i can have rootless podman containers, but running into some issues:

aaron@framework ~/w/podman > cat /etc/finit.d/podman.conf
service [234] \
  name:podman \
  cgroup.podman,name:'podman',delegate \
  user:aaron group:users \
  restart:10 \
  @aaron:users \
  notify:none \
  env:/nix/store/hzmsw38a9qgbi5vk0smmkyh7wgapcnfh-podman.env \
  log \
  /nix/store/99y30s7bihdgjnz34avq9i510rcninnb-podman-5.7.0/bin/podman system service --time=0 unix:///run/user/1000/podman/podman.sock \
  -- podman api for aaron

i see something unexpected in my syslog, though:

Jan  6 17:01:47 framework finit[1]: service_register():/etc/finit.d/podman.conf: skipping user:aaron: No such file or directory

and for reference:

aaron@framework ~/w/podman> grep podman /etc/finit.conf
cgroup podman

i'm not sure what i'm doing wrong... the documentation suggests this should work
as always, any help or hints would be greatly appreciated 🙇‍♂️

[troglobit]

Cool! First of all, I've not tested rootlees containers with podman and Finit yet.

Now, if I'm not reading this completely wrong, the user:aaron group:users is not a supported construct (yet) in Finit. You already have the correct syntax @aaron:users though, so try dropping the first line.

[aanderse]

i was quite confused about that... i assume this jeans typo in the docs?

[troglobit]

In Infix OS we've got the following setup:

• https://github.com/kernelkit/infix/blob/main/board/common/rootfs/etc/finit.d/available/container%40.conf
• https://github.com/kernelkit/infix/blob/main/board/common/rootfs/usr/sbin/container

The script is a wrapper to hide missing features and bugs in earlier versions of podman. We create a container instance from an image and then use the sysv variant of the service directive to podman start + stop an instance.

[troglobit]

[snip]
i was quite confused about that... i assume this means typo in the docs?

LOL, I guess I should've proofread a bit closer what my friend Claude wrote 😆 thanks for finding this, I'll fix it immediately!

[aanderse]

all good, thanks for the clarification! i was trying to understand what that separate user and group definition were for and when i couldn't find anything in the code decided it was time to come here 😅

[troglobit]

all good, thanks for the clarification! i was trying to understand what that separate user and group definition were for and when i couldn't find anything in the code decided it was time to come here 😅

Sure was, terribly sorry for that, hope you get everything working!

[troglobit]

I took the opportunity to review other parts of the documentation as well, wrt. cgroups, and found some irregularities and things that could be improved.

Thanks again for reporting!

[aanderse]

these improvements are great and clarify things nicely 🚀

[troglobit]

these improvements are great and clarify things nicely 🚀

Thanks mate! 🤩