jorti
(Juan Orti Alcaine)
April 10, 2023, 1:46pm
1
Hi all,
I’m experimenting with the IO resource limits in podman, but it looks like it doesn’t work in a rootless container:
$ podman run -ti --rm -v /mnt/data:/mnt/data:z,ro --blkio-weight-device=/dev/sda1:10 fedora:latest bash
Error: crun: open io.weight: No such file or directory: OCI runtime attempted to invoke a command that was not found
Is this expected? I don’t see anywhere that this is only working for root.
Thanks.
alys
(Alys)
April 10, 2023, 2:07pm
2
It’s saying the path /dev/sda1:10 doesn’t exist. Are you trying to pass it the range of /sda devices like sda1 .. sda10? If so, then you need to bracket it like /dev/sda{1..10}
jorti
(Juan Orti Alcaine)
April 10, 2023, 2:19pm
3
Hi Alys,
The device exists and the argument is correct. What I try to do is to assign a relative weight to that device.
The manual page details this option and it works for root:
--blkio-weight-device=device:weight
Block IO relative device weight.
jorti
(Juan Orti Alcaine)
April 11, 2023, 7:10am
4
Seems related to the missing io cgroupController:
$ podman info
host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc37.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 92.04
    systemPercent: 2
    userPercent: 5.96
  cpus: 8
  distribution:
    distribution: fedora
    variant: coreos
    version: "37"
  eventLogger: journald
  hostname: radon
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 655360
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 655360
      size: 65536
  kernel: 6.1.18-200.fc37.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 8047050752
  memTotal: 16365457408
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.1-1.fc37.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1002/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1002/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-8.fc37.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 21474828288
  swapTotal: 21474828288
  uptime: 0h 7m 57.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/podman/.config/containers/storage.conf
  containerStore:
    number: 26
    paused: 0
    running: 26
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/podman/.local/share/containers/storage
  graphRootAllocated: 1931141517312
  graphRootUsed: 50770673664
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 27
  runRoot: /run/user/1002/containers
  transientStore: false
  volumePath: /var/home/podman/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.2
  Built: 1677669779
  BuiltTime: Wed Mar 1 11:22:59 2023
  GitCommit: ""
  GoVersion: go1.19.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.2
This machine is a Fedora CoreOS stable 37.20230322.3.0, and comparing the output of podman info with a Workstation machine, I can see that I’m missing several cgroupControllers:
host:
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
[...]
  security:
    rootless: true
Any idea about how to enable these cgroupControllers in Fedora CoreOS?
Thanks.
jorti
(Juan Orti Alcaine)
April 11, 2023, 10:15am
5
Continuing my investigation, I see that the cgroup controllers can be added with this:
# /etc/systemd/system/user@.service.d/override.conf
[Service]
Delegate=cpu pids io memory
However even after that, I’m getting the same error:
$ podman info
host:
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
$ podman run -ti --rm -v /mnt/data:/mnt/data:z,ro --blkio-weight-device=/dev/sda1:10 fedora:latest bash
Error: OCI runtime error: crun: write io.weight: No such device
Is this supported at all in rootless mode?
siosm
(Timothée Ravier)
April 11, 2023, 12:07pm
6
Did you follow [Optional] cgroup v2 | Rootless Containers ? Have you rebooted your system after?
jorti
(Juan Orti Alcaine)
April 11, 2023, 1:31pm
7
Ok, got it. The latest error was complaining about No such device. That is because I have to use the whole disk and not only a partition.
Thanks for the suggestions!
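
The two failures in this thread (the io controller not delegated to the user session, then a partition passed where the whole disk is needed) can be checked before starting the container. This is an added example, not code from any poster or from podman; the function names and the sysfs-root parameter are hypothetical, and the cgroup.controllers path is an assumption about the systemd user-slice layout on cgroup v2.

```shell
#!/bin/sh
# Added example: pre-flight checks for a rootless --blkio-weight-device.
# All function names here are hypothetical helpers, not podman or crun APIs.

# Print each controller in $2 (required) that is absent from $1 (delegated).
missing_controllers() {
    for want in $2; do
        case " $1 " in
            *" $want "*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# Print the whole-disk name for a block device name (sda1 -> sda, sda -> sda).
# $2 is the sysfs block class directory (default /sys/class/block).
whole_disk() {
    sys=${2:-/sys/class/block}
    [ -e "$sys/$1" ] || return 1
    if [ -e "$sys/$1/partition" ]; then
        # A partition's sysfs directory sits inside its parent disk's directory.
        basename "$(dirname "$(readlink -f "$sys/$1")")"
    else
        printf '%s\n' "$1"
    fi
}

# Report what would make the thread's podman command fail for device $1.
preflight() {
    uid=$(id -u)
    # Assumed location of the controllers delegated to this user's session.
    f=/sys/fs/cgroup/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers
    delegated=$(cat "$f" 2>/dev/null) || delegated=
    miss=$(missing_controllers "$delegated" "io")
    [ -z "$miss" ] || echo "not delegated to user session: $miss"
    name=$(basename "$1")
    disk=$(whole_disk "$name") || { echo "no such block device: $1"; return 1; }
    [ "$disk" = "$name" ] || echo "$1 is a partition; use /dev/$disk"
}

# Runs only when a device path is given, e.g.: sh preflight.sh /dev/sda1
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```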