info: host.cgroupControllers is empty on rootless #11931

Closed
AkihiroSuda opened this issue Oct 12, 2021 · 1 comment · Fixed by #11935
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless

Comments

@AkihiroSuda
Collaborator

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

podman info (rootless) doesn't fill in the host.cgroupControllers field

Steps to reproduce the issue:
podman info --format '{{json .}}' | jq .host.cgroupControllers

Describe the results you received:

[]

Describe the results you expected:

[
  "cpuset",
  "cpu",
  "io",
  "memory",
  "pids"
]

Additional information you deem important (e.g. issue happens only occasionally):

$ systemd --version
systemd 247 (247.3-3ubuntu3.6)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

$ cat /etc/systemd/system/user@.service.d/delegate-cgroup.conf 
[Service]
Delegate=yes

$ cat /sys/fs/cgroup/user.slice/user-1001.slice/cgroup.controllers 
cpuset cpu io memory pids

$ cat /sys/fs/cgroup/user.slice/user-1001.slice/cgroup.subtree_control 
cpuset cpu io memory pids

$ cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/cgroup.controllers 
cpuset cpu io memory pids

$ cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/cgroup.subtree_control 

Rootless Docker (v20.10.9) can print the available cgroup controllers as expected.

$ docker info | jq .
{
  "MemoryLimit": true,
  "SwapLimit": true,
  "KernelMemory": false,
  "KernelMemoryTCP": false,
  "CpuCfsPeriod": true,
  "CpuCfsQuota": true,
  "CPUShares": true,
  "CPUSet": true,
  "PidsLimit": true,
...
  "CgroupDriver": "systemd",
  "CgroupVersion": "2",
....
  "SecurityOptions": [
    "name=seccomp,profile=builtin",
    "name=rootless",
    "name=cgroupns"
  ],
...
}

Rootless Docker reads /sys/fs/cgroup/user.slice/user-1001.slice/cgroup.controllers
https://github.com/moby/moby/blob/30413e5efb6c29da0df23dc95ae4625f31dd8d71/daemon/oci_linux.go#L103

On the other hand, Rootless Podman seems to be reading /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/podman-132751.scope/cgroup.subtree_control

Output of podman version:

Version:      4.0.0-dev
API Version:  4.0.0-dev
Go Version:   go1.17.2
Git Commit:   2fcec59445267e8c8e06005539701a172d3db8a5
Built:        Mon Oct 11 20:23:10 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers: []
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/bin/conmon
    version: 'conmon version 2.0.31-dev, commit: fa1fa364e77ad18f1228631f1b4d1a954d3dfe67-dirty'
  cpus: 4
  distribution:
    codename: hirsute
    distribution: ubuntu
    version: "21.04"
  eventLogger: journald
  hostname: suda-ws01
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.11.0-37-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 241889280
  memTotal: 16748179456
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/local/bin/crun
    version: |-
      crun version 1.2
      commit: 4f6c8e0583c679bfee6a899c05ac6b916022561b
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/local/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 2146070528
  swapTotal: 2147479552
  uptime: 4h 0m 11.18s (Approximately 0.17 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/suda/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/suda/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/1001/containers
  volumePath: /home/suda/.local/share/containers/storage/volumes
version:
  APIVersion: 4.0.0-dev
  Built: 1633951390
  BuiltTime: Mon Oct 11 20:23:10 2021
  GitCommit: 2fcec59445267e8c8e06005539701a172d3db8a5
  GoVersion: go1.17.2
  OsArch: linux/amd64
  Version: 4.0.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):
N/A

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
N/A

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 12, 2021
giuseppe added a commit to giuseppe/libpod that referenced this issue Oct 12, 2021
use the cgroup.controllers file instead of cgroup.subtree_control to
read the list of controllers available in the current cgroup.

Closes: containers#11931

[NO TESTS NEEDED] we have disabled this test in the CI because it is
difficult to know what controllers are going to be enabled for
rootless under all conditions we test.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
Member

thanks for reporting it, opened a PR: #11935
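
The distinction behind the fix, as an added example (not Podman's or Moby's code): `cgroup.controllers` lists the controllers available in a cgroup, while `cgroup.subtree_control` lists those enabled for its children, so the second file can be empty in a cgroup that still has every controller. The function names and the temp-directory fixture are assumptions; the file contents are the ones the report shows for `user@1001.service/user.slice`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// unifiedPath extracts the cgroup v2 path ("0::/path") from /proc/self/cgroup content.
func unifiedPath(procCgroup string) (string, error) {
	for _, line := range strings.Split(procCgroup, "\n") {
		if strings.HasPrefix(line, "0::") {
			return strings.TrimPrefix(line, "0::"), nil
		}
	}
	return "", fmt.Errorf("no cgroup v2 (0::) entry")
}

// readControllers parses one space-separated controller file of a cgroup directory.
func readControllers(root, cgPath, file string) ([]string, error) {
	data, err := os.ReadFile(filepath.Join(root, cgPath, file))
	return strings.Fields(string(data)), err
}

// buildSampleTree writes a constructed fixture under root (stand-in for /sys/fs/cgroup).
func buildSampleTree(root, cgPath string) error {
	dir := filepath.Join(root, cgPath)
	os.MkdirAll(dir, 0o755) // a failure here surfaces in the writes below
	if err := os.WriteFile(filepath.Join(dir, "cgroup.subtree_control"), []byte("\n"), 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "cgroup.controllers"), []byte("cpuset cpu io memory pids\n"), 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "cgroupfs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed /proc/self/cgroup content; the v1-style first line is skipped.
	cg, _ := unifiedPath("1:name=systemd:/x\n0::/user.slice/user-1001.slice/user@1001.service/user.slice\n")
	if err := buildSampleTree(root, cg); err != nil {
		panic(err)
	}
	avail, _ := readControllers(root, cg, "cgroup.controllers")
	sub, _ := readControllers(root, cg, "cgroup.subtree_control")
	fmt.Printf("cgroup.controllers: %v\ncgroup.subtree_control: %v\n", avail, sub)
}
```

A tool that reports usable resource-limit controllers from `cgroup.subtree_control` would show none for this cgroup, which is the empty list seen in the report.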

mheon pushed a commit to mheon/libpod that referenced this issue Oct 19, 2021
use the cgroup.controllers file instead of cgroup.subtree_control to
read the list of controllers available in the current cgroup.

Closes: containers#11931

[NO TESTS NEEDED] we have disabled this test in the CI because it is
difficult to know what controllers are going to be enabled for
rootless under all conditions we test.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
mheon pushed a commit to mheon/libpod that referenced this issue Nov 12, 2021
use the cgroup.controllers file instead of cgroup.subtree_control to
read the list of controllers available in the current cgroup.

Closes: containers#11931

[NO TESTS NEEDED] we have disabled this test in the CI because it is
difficult to know what controllers are going to be enabled for
rootless under all conditions we test.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023