Skip to content

Remove Cgroups v1 support (podman6) #6424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Remove Cgroups v1 support (podman6) #6424

wants to merge 1 commit into from

Conversation

@lsm5
Copy link
Member

@lsm5 lsm5 commented Oct 10, 2025

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Removes Cgroups v1 support. Required as part of Podman v6

How to verify it

Try doing anything on a cgroups v1 env and ensure nothing works (I guess).

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Only merge whenever we're merging for Podman6

Does this PR introduce a user-facing change?

Cgroups v1 is no longer supported.

@openshift-ci openshift-ci bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. do-not-merge/work-in-progress labels Oct 10, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lsm5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@lsm5 lsm5 added the podman 6 breaking changes that should only go into podman 6 label Oct 10, 2025
@lsm5
Copy link
Member Author

lsm5 commented Oct 10, 2025

Please remind me if we included the debian test for cgroups v1 testing (because we couldn't reliably do RHEL in CI or something else).

@TomSweeneyRedHat
Copy link
Member

@lsm5 I'm not sure on the Debian,

But it does look like you might have a real error in the Fedora-41 runc w/ overlay:

[+0608s] not ok 761 net-namespace
[+0608s] # (from function `die' in file ./helpers.bash, line 443,
[+0608s] #  from function `run_buildah' in file ./helpers.bash, line 430,
[+0608s] #  from function `general_namespace' in file ./namespaces.bats, line 325,
[+0608s] #  in test file ./namespaces.bats, line 377)
...
[+0608s] # # /var/tmp/go/src/github.com/containers/buildah/tests/./../bin/buildah run --cni-config-dir=/tmp/buildah_tests.ijzkfr/no-cni-configs --net=container alpine-working-container-5 readlink /proc/self/ns/net
[+0608s] # net:[4026532942]
[+0608s] # time="2025-10-10T09:59:09-05:00" level=error msg="seek /sys/fs/cgroup/system.slice/runc-buildah-buildah4248988723.scope/cgroup.freeze: no such device"
[+0608s] # error running container: deleting container: exit status 1
[+0608s] # Error: while running runtime: exit status 1
[+0608s] # [ rc=1 (** EXPECTED 0 **) ]
[+0608s] # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
[+0608s] # #| FAIL: exit code is 1; expected 0
[+0608s] # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[+0608s] # /var/tmp/go/src/github.com/containers/buildah/tests

TomSweeneyRedHat
TomSweeneyRedHat reviewed Oct 10, 2025
View reviewed changes
info.go Outdated
info["rootless"] = unshare.IsRootless()

unified, err := cgroups.IsCgroup2UnifiedMode()
_, err := cgroups.IsCgroup2UnifiedMode()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we can just do away with this function call entirely?

@TomSweeneyRedHat TomSweeneyRedHat mentioned this pull request Oct 10, 2025
Draft
@nalind
Copy link
Member

nalind commented Oct 10, 2025

@lsm5 I'm not sure on the Debian,

But it does look like you might have a real error in the Fedora-41 runc w/ overlay:
...
[+0608s] # time="2025-10-10T09:59:09-05:00" level=error msg="seek /sys/fs/cgroup/system.slice/runc-buildah-buildah4248988723.scope/cgroup.freeze: no such device"

That's a known flake which should be fixed in runc 1.3.2. Not sure if/when we'll see an updated runc package for that Fedora release. Until then we don't block on CI jobs failing with runc.

nalind
nalind reviewed Oct 14, 2025
View reviewed changes
@packit-as-a-service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

2 similar comments
@packit-as-a-service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@packit-as-a-service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@lsm5 lsm5 force-pushed the podman6-no-cgv1 branch 6 times, most recently from e9dc40c to f9149c3 Compare October 15, 2025 15:32
@TomSweeneyRedHat
Copy link
Member

@lsm5 some possible compilation issues.

@lsm5
Copy link
Member Author

lsm5 commented Oct 16, 2025

@nalind @flouthoc if i add a single cgroupsv2 check in main(), it causes chroot with overlay root system test to fail as in https://cirrus-ci.com/task/5933237815476224?logs=integration_test#L870 , and without that check everything passes as in the current CI results (excluding runc jobs which I'm ignoring per one of the above comments). Any idea if it's an issue in the test itself or if I messed up somewhere?

@nalind
Copy link
Member

nalind commented Oct 16, 2025

The test sets up a chrooted environment in a user namespace with ID mappings to ensure that we can use chrooted isolation in such an environment, but that set up does not include a mount at /sys/fs/cgroup, and it looks like cgroups.IsCgroup2UnifiedMode() returns false in such an environment.

@lsm5
Copy link
Member Author

lsm5 commented Oct 16, 2025

The test sets up a chrooted environment in a user namespace with ID mappings to ensure that we can use chrooted isolation in such an environment, but that set up does not include a mount at /sys/fs/cgroup, and it looks like cgroups.IsCgroup2UnifiedMode() returns false in such an environment.

@nalind ack. So, would you suggest modifying the test to include a /sys/fs/cgroup mount, or perhaps placing the v1/v2 check somewhere else instead?

@nalind
Copy link
Member

nalind commented Oct 16, 2025

The test sets up a chrooted environment in a user namespace with ID mappings to ensure that we can use chrooted isolation in such an environment, but that set up does not include a mount at /sys/fs/cgroup, and it looks like cgroups.IsCgroup2UnifiedMode() returns false in such an environment.

@nalind ack. So, would you suggest modifying the test to include a /sys/fs/cgroup mount, or perhaps placing the v1/v2 check somewhere else instead?

Well, I wouldn't want it to start failing in such an environment, so if the test has to be there, my preference would be to move it elsewhere.

@lsm5 lsm5 force-pushed the podman6-no-cgv1 branch 2 times, most recently from 449ba01 to 18b459d Compare October 16, 2025 20:08
@lsm5 lsm5 force-pushed the podman6-no-cgv1 branch 3 times, most recently from 1c35ea0 to 7735e61 Compare October 21, 2025 16:01
@nalind nalind mentioned this pull request Oct 22, 2025
Draft
@lsm5
Remove Cgroups v1 support (podman6)
884c02f 
Fixes: RUN-3567 (partly)

Signed-off-by: Lokesh Mandvekar <[email protected]>
@lsm5 lsm5 mentioned this pull request Oct 23, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nalind nalind nalind left review comments

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

Assignees

No one assigned

Labels

approved do-not-merge/work-in-progress kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. podman 6 breaking changes that should only go into podman 6

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lsm5 @TomSweeneyRedHat @nalind