Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support to run with podman in rootless mode using cgroups v2 #1084

Merged
merged 3 commits into from
Jun 15, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions docs/usage/advanced/podman.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,26 @@ export DOCKER_SOCK=$XDG_RUNTIME_DIR/podman/podman.sock
k3d cluster create
```

#### Using cgroup (v2)

By default, a non-root user can only get memory controller and pids controller to be delegated.

To run properly we need to enable CPU, CPUSET, and I/O delegation

!!! note "Make sure you're running cgroup v2"
If `/sys/fs/cgroup/cgroup.controllers` is present on your system, you are using v2, otherwise you are using v1.

```bash
mkdir -p /etc/systemd/system/[email protected]
cat > /etc/systemd/system/[email protected]/delegate.conf <<EOF
[Service]
Delegate=cpu cpuset io memory pids
EOF
systemctl daemon-reload
```

Reference: [https://rootlesscontaine.rs/getting-started/common/cgroup2/#enabling-cpu-cpuset-and-io-delegation](https://rootlesscontaine.rs/getting-started/common/cgroup2/#enabling-cpu-cpuset-and-io-delegation)

### Using remote Podman

[Start Podman on the remote host](https://github.com/containers/podman/blob/main/docs/tutorials/remote_client.md), and then set `DOCKER_HOST` when running k3d:
Expand Down Expand Up @@ -77,3 +97,4 @@ k3d cluster create --registry-use mycluster-registry mycluster

!!! note "Missing cpuset cgroup controller"
If you experince an error regarding missing cpuset cgroup controller, ensure the user unit `xdg-document-portal.service` is disabled by running `systemctl --user stop xdg-document-portal.service`. See [this issue](https://github.com/systemd/systemd/issues/18293#issuecomment-831397578)

28 changes: 23 additions & 5 deletions pkg/runtimes/docker/network.go
Original file line number Diff line number Diff line change
Expand Up @@ -91,11 +91,11 @@ func (d Docker) GetNetwork(ctx context.Context, searchNet *k3d.ClusterNetwork) (

for _, container := range targetNetwork.Containers {
if container.IPv4Address != "" {
prefix, err := netaddr.ParseIPPrefix(container.IPv4Address)
ipAddr, err := parseIPAddress(container.IPv4Address)
if err != nil {
return nil, fmt.Errorf("failed to parse IP of container %s: %w", container.Name, err)
return nil, fmt.Errorf("failed to parse IP address of container %s: %w", container.Name, err)
}
network.IPAM.IPsUsed = append(network.IPAM.IPsUsed, prefix.IP())
network.IPAM.IPsUsed = append(network.IPAM.IPsUsed, ipAddr)
}
}

Expand All @@ -110,13 +110,13 @@ func (d Docker) GetNetwork(ctx context.Context, searchNet *k3d.ClusterNetwork) (
}

for _, container := range targetNetwork.Containers {
prefix, err := netaddr.ParseIPPrefix(container.IPv4Address)
ipAddr, err := parseIPAddress(container.IPv4Address)
if err != nil {
return nil, fmt.Errorf("failed to parse IP Prefix of network \"%s\"'s member %s: %v", network.Name, container.Name, err)
}
network.Members = append(network.Members, &k3d.NetworkMember{
Name: container.Name,
IP: prefix.IP(),
IP: ipAddr,
})
}

Expand Down Expand Up @@ -376,3 +376,21 @@ func (d Docker) parseIPAM(config network.IPAMConfig) (ipam k3d.IPAM, err error)

return
}

// parseIPAddress Returns an netaddr.IP by either receiving the IP address or IP CIDR notation. If the value
// cannot be parsed, an error is returned
func parseIPAddress(addr string) (netaddr.IP, error) {
if strings.Contains(addr, "/") {
prefix, err := netaddr.ParseIPPrefix(addr)
if err != nil {
return netaddr.IP{}, err
}
return prefix.IP(), nil
} else {
ipAddr, err := netaddr.ParseIP(addr)
if err != nil {
return netaddr.IP{}, err
}
return ipAddr, nil
}
}