diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index c16d46361c..daeac5ac38 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -259,6 +259,7 @@ Valid options for `[Container]` are listed below:
 | AddDevice=/dev/foo | --device /dev/foo |
 | Annotation="XYZ" | --annotation "XYZ" |
 | AutoUpdate=registry | --label "io.containers.autoupdate=registry" |
+| CgroupsMode=no-conmon | --cgroups=no-conmon |
 | ContainerName=name | --name name |
 | ContainersConfModule=/etc/nvd\.conf | --module=/etc/nvd\.conf |
 | DNS=192.168.55.1 | --dns=192.168.55.1 |
@@ -370,6 +371,16 @@ Indicates whether the container will be auto-updated ([podman-auto-update(1)](po
 * `local`: Tells Podman to compare the image a container is using to the image with its raw name in local storage. If an image is updated locally, Podman simply restarts the systemd unit executing the container.
+### `CgroupsMode=`
+
+The cgroups mode of the Podman container. Equivalent to the Podman `--cgroups` option.
+
+By default, the cgroups mode of the container created by Quadlet is `split`,
+which differs from the default (`enabled`) used by the Podman CLI.
+
+If the container joins a pod (i.e. `Pod=` is specified), you may want to change this to
+`no-conmon` or `enabled` so that pod level cgroup resource limits can take effect.
+
 ### `ContainerName=`
 The (optional) name of the Podman container. If this is not specified, the default value
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index 2509259d3d..e5523f0f5d 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -62,6 +62,7 @@ const (
 KeyAuthFile = "AuthFile"
 KeyAutoUpdate = "AutoUpdate"
 KeyCertDir = "CertDir"
+ KeyCgroupsMode = "CgroupsMode"
 KeyConfigMap = "ConfigMap"
 KeyContainerName = "ContainerName"
 KeyContainersConfModule = "ContainersConfModule"
@@ -191,6 +192,7 @@ var (
 KeyAddDevice: true,
 KeyAnnotation: true,
 KeyAutoUpdate: true,
+ KeyCgroupsMode: true,
 KeyContainerName: true,
 KeyContainersConfModule: true,
 KeyDNS: true,
@@ -581,7 +583,12 @@ func ConvertContainer(container *parser.UnitFile, isUser bool, unitsInfoMap map[
 // We delegate groups to the runtime
 service.Add(ServiceGroup, "Delegate", "yes")
- podman.add("--cgroups=split")
+
+ if cgroupsMode, ok := container.Lookup(ContainerGroup, KeyCgroupsMode); ok && len(cgroupsMode) > 0 {
+ podman.addf("--cgroups=%s", cgroupsMode)
+ } else {
+ podman.add("--cgroups=split")
+ }
 timezone, ok := container.Lookup(ContainerGroup, KeyTimezone)
 if ok && len(timezone) > 0 {
diff --git a/test/e2e/quadlet/cgroups-mode.container b/test/e2e/quadlet/cgroups-mode.container
new file mode 100644
index 0000000000..67dfe2a4da
--- /dev/null
+++ b/test/e2e/quadlet/cgroups-mode.container
@@ -0,0 +1,5 @@
+## assert-podman-args --cgroups=no-conmon
+
+[Container]
+Image=localhost/imagename
+CgroupsMode=no-conmon
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index d3d9ad1a7d..db4ce879c3 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -897,6 +897,7 @@ BOGUS=foo
 Entry("template@instance.container", "template@instance.container"),
 Entry("Unit After Override", "unit-after-override.container"),
 Entry("NetworkAlias", "network-alias.container"),
+ Entry("CgroupMode", "cgroups-mode.container"),
 Entry("basic.volume", "basic.volume"),
 Entry("device-copy.volume", "device-copy.volume"),
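Review bot: In the ConvertContainer hunk the `CgroupsMode=` value is interpolated into `--cgroups=%s` without being checked against the modes podman actually accepts (`enabled`, `disabled`, `no-conmon`, `split`), so a misspelled mode in a unit file is only discovered when the generated service fails to start instead of at generation time, when quadlet could report it alongside the unit name. I would resolve the default and validate once, then emit the flag from a single call, as sketched below; the error-return form must follow ConvertContainer's signature, which is outside the hunk. The new `cgroups-mode.container` fixture only exercises the pass-through case, so a companion fixture asserting that an unsupported value is rejected would pin the validation. ConvertContainer begins and ends outside the hunk.
```go
	service.Add(ServiceGroup, "Delegate", "yes")

	cgroupsMode, ok := container.Lookup(ContainerGroup, KeyCgroupsMode)
	if !ok || len(cgroupsMode) == 0 {
		cgroupsMode = "split"
	}
	switch cgroupsMode {
	case "enabled", "disabled", "no-conmon", "split":
	default:
		// use the same error-return shape as the function's other validation failures
		return nil, fmt.Errorf("invalid CgroupsMode %q: expected enabled, disabled, no-conmon or split", cgroupsMode)
	}
	podman.addf("--cgroups=%s", cgroupsMode)
	// … unchanged: Timezone handling …
```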