podman: add option --unified

it allows to manually tweak the configuration for cgroup v2.

we will expose some of the options in future as single
options (e.g. the new memory knobs), but for now add the more generic
--unified mechanism for maximum control on the cgroup configuration.

OCI specs change: opencontainers/runtime-spec#1040

Requires: containers/crun#459

Signed-off-by: Giuseppe Scrivano <[email protected]>

cmd/podman/common/create.go

@@ -516,5 +516,10 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
 		"seccomp-policy", "default",
 		"Policy for selecting a seccomp profile (experimental)",
 	)
+	createFlags.StringSliceVar(
+		&cf.Unified,
+		"unified", []string{},
+		"Configure cgroup v2 (key=value)",
+	)
 	return &createFlags
 }

cmd/podman/common/create_opts.go

@@ -94,6 +94,7 @@ type ContainerCLIOpts struct {
 	TTY               bool
 	Timezone          string
 	Umask             string
+	Unified           []string
 	UIDMap            []string
 	Ulimit            []string
 	User              string

cmd/podman/common/specgen.go

@@ -434,6 +434,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 	if s.ResourceLimits == nil {
 		s.ResourceLimits = &specs.LinuxResources{}
 	}
+
 	s.ResourceLimits.Memory, err = getMemoryLimits(s, c)
 	if err != nil {
 		return err
@@ -450,7 +451,20 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 		s.ResourceLimits.Pids = &pids
 	}
 	s.ResourceLimits.CPU = getCPULimits(c)
-	if s.ResourceLimits.CPU == nil && s.ResourceLimits.Pids == nil && s.ResourceLimits.BlockIO == nil && s.ResourceLimits.Memory == nil {
+
+	unifieds := make(map[string]string)
+	for _, unified := range c.Unified {
+		splitUnified := strings.SplitN(unified, "=", 2)
+		if len(splitUnified) < 2 {
+			return errors.Errorf("Unifieds must be formatted KEY=VALUE")
+		}
+		unifieds[splitUnified[0]] = splitUnified[1]
+	}
+	if len(unifieds) > 0 {
+		s.ResourceLimits.Unified = unifieds
+	}
+
+	if s.ResourceLimits.CPU == nil && s.ResourceLimits.Pids == nil && s.ResourceLimits.BlockIO == nil && s.ResourceLimits.Memory == nil && s.ResourceLimits.Unified == nil {
 		s.ResourceLimits = nil
 	}
 

completions/bash/podman

@@ -2181,6 +2181,7 @@ _podman_container_run() {
 		--umask
 		--uidmap
 		--ulimit
+		--unified
 		--user -u
 		--userns
 		--uts

docs/source/markdown/podman-create.1.md

@@ -867,6 +867,10 @@ Ulimit options
 
 You can pass `host` to copy the current configuration from the host.
 
+**--unified=KEY=VALUE**
+
+When running on cgroup v2, specify the cgroup file to write to and its value.  For example **--unified=memory.high=1073741824** sets the memory.high limit to 1GB.
+
 **--user**, **-u**=*user*
 
 Sets the username or UID used and optionally the groupname or GID for the specified command.

docs/source/markdown/podman-run.1.md

@@ -909,6 +909,10 @@ The following example maps uids 0-1999 in the container to the uids 30000-31999
 
 Ulimit options. You can use **host** to copy the current configuration from the host.
 
+**--unified**=*KEY=VALUE*
+
+When running on cgroup v2, specify the cgroup file to write to and its value.  For example **--unified=memory.high=1073741824** sets the memory.high limit to 1GB.
+
 **--user**, **-u**=[_user_ | _user_:_group_ | _uid_ | _uid_:_gid_ | _user_:_gid_ | _uid_:_group_ ]
 
 Sets the username or UID used and optionally the groupname or GID for the specified command.

libpod/container_inspect.go

@@ -465,6 +465,7 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
 			if ctrSpec.Linux.Resources.Pids != nil {
 				hostConfig.PidsLimit = ctrSpec.Linux.Resources.Pids.Limit
 			}
+			hostConfig.Unified = ctrSpec.Linux.Resources.Unified
 			if ctrSpec.Linux.Resources.BlockIO != nil {
 				if ctrSpec.Linux.Resources.BlockIO.Weight != nil {
 					hostConfig.BlkioWeight = *ctrSpec.Linux.Resources.BlockIO.Weight

libpod/define/container_inspect.go

@@ -518,6 +518,8 @@ type InspectContainerHostConfig struct {
 	IOMaximumIOps uint64 `json:"IOMaximumIOps"`
 	// IOMaximumBandwidth is Windows-only and not presently implemented.
 	IOMaximumBandwidth uint64 `json:"IOMaximumBandwidth"`
+	// Unified is the configuration for cgroup v2.
+	Unified map[string]string `json:"Unified"`
 }
 
 // InspectBasicNetworkConfig holds basic configuration information (e.g. IP

pkg/spec/createconfig.go

@@ -54,6 +54,7 @@ type CreateResourceConfig struct {
 	PidsLimit         int64    // pids-limit
 	ShmSize           int64
 	Ulimit            []string //ulimit
+	Unified           map[string]string
 }
 
 // PidConfig configures the pid namespace for the container

pkg/specgen/generate/validate.go

@@ -23,6 +23,12 @@ func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
 		return warnings, nil
 	}
 
+	if s.ResourceLimits.Unified != nil {
+		if !cgroup2 {
+			return nil, errors.New("Cannot use unified without cgroup v2")
+		}
+	}
+
 	// Memory checks
 	if s.ResourceLimits.Memory != nil {
 		memory := s.ResourceLimits.Memory

pkg/specgen/specgen.go

@@ -415,6 +415,10 @@ type ContainerResourceConfig struct {
 	ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`
 	// IO write rate limit per cgroup per device, IO per second
 	ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`
+	// Unified are key-value options passed into the container runtime
+	// that are used to configure cgroup v2.
+	// Optional.
+	Unified map[string]string `json:"unified,omitempty"`
 }
 
 // ContainerHealthCheckConfig describes a container healthcheck with attributes