I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun.
The PRs are here:
- conmon: https://github.com/cri-o/cri-o/pull/2356
- Podman: https://github.com/containers/libpod/pull/3104
- crun: https://github.com/giuseppe/crun/pull/46
The only change for the default Fedora 30 configuration is to enable the cgroup v2 unified hierarchy. It can be done with:
# grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"
and a reboot.
systemd by default enables only the pids and memory controllers for unprivileged users. If you want to enable more controllers, you need a drop-in configuration file under /etc/systemd/system/user@.service.d/ that looks like:
[Service]
Delegate=cpu cpuacct io blkio memory devices pids
I've not found a way to enable the cpuset controller using only the systemd configuration. It must be done manually, or by providing a service file that writes directly to /sys/fs/cgroup/cgroup.subtree_control and /sys/fs/cgroup/user.slice/cgroup.subtree_control, and then making sure this setting is propagated to user@.service.
With the updated versions of crun, Podman and conmon:
$ podman --runtime /usr/local/bin/crun run --memory=100M --rm -ti fedora bash
# cat /proc/self/cgroup
0::/user.slice/user-1000.slice/user@1000.service/80adb7152d9f299cb7bfd383aa7ae2543534d7925c96d486f046e185d09d0946-39898.scope
# cat /sys/fs/cgroup//user.slice/user-1000.slice/user@1000.service/80adb7152d9f299cb7bfd383aa7ae2543534d7925c96d486f046e185d09d0946-39898.scope/memory.max
104857600