podman6: Remove cgroupsv1 support

Signed-off-by: Lokesh Mandvekar <[email protected]>

Author: lsm5

cmd/podman/containers/unpause.go

@@ -2,7 +2,6 @@ package containers
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -12,9 +11,7 @@ import (
 	"github.com/containers/podman/v5/cmd/podman/utils"
 	"github.com/containers/podman/v5/cmd/podman/validate"
 	"github.com/containers/podman/v5/pkg/domain/entities"
-	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/spf13/cobra"
-	"go.podman.io/common/pkg/cgroups"
 	"go.podman.io/common/pkg/completion"
 )
 
@@ -88,18 +85,9 @@ func init() {
 }
 
 func unpause(_ *cobra.Command, args []string) error {
-	var (
-		errs utils.OutputErrors
-	)
+	var errs utils.OutputErrors
 	args = utils.RemoveSlash(args)
 
-	if rootless.IsRootless() && !registry.IsRemote() {
-		cgroupv2, _ := cgroups.IsCgroup2UnifiedMode()
-		if !cgroupv2 {
-			return errors.New("unpause is not supported for cgroupv1 rootless containers")
-		}
-	}
-
 	for _, cidFile := range unpauseCidFiles {
 		content, err := os.ReadFile(cidFile)
 		if err != nil {

cmd/podman/main.go

@@ -53,6 +53,8 @@ func main() {
 	}
 	logiface.SetLogger(logrusLogger{})
 
+	checkSupportedCgroups()
+
 	if filepath.Base(os.Args[0]) == registry.PodmanSh ||
 		(len(os.Args[0]) > 0 && filepath.Base(os.Args[0][1:]) == registry.PodmanSh) {
 		shell := strings.TrimPrefix(os.Args[0], "-")

cmd/podman/main_cgroups_linux.go

@@ -0,0 +1,18 @@
+//go:build linux
+
+package main
+
+import (
+	"github.com/sirupsen/logrus"
+	"go.podman.io/common/pkg/cgroups"
+)
+
+func checkSupportedCgroups() {
+	unified, err := cgroups.IsCgroup2UnifiedMode()
+	if err != nil {
+		logrus.Fatalf("Error determining cgroups mode")
+	}
+	if !unified {
+		logrus.Fatalf("Cgroups v1 not supported")
+	}
+}

cmd/podman/main_cgroups_unsupported.go

@@ -0,0 +1,15 @@
+//go:build windows || darwin || freebsd
+
+package main
+
+import (
+	"github.com/sirupsen/logrus"
+	"go.podman.io/common/pkg/cgroups"
+)
+
+func checkSupportedCgroups() {
+	unified, _ := cgroups.IsCgroup2UnifiedMode()
+	if !unified {
+		logrus.Debugln("Non-linux environment. Non-fatal cgroups check")
+	}
+}

go.mod

@@ -192,6 +192,7 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
 )
+
 replace go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20251023145256-2c7c0ea9cefe
 
 replace go.podman.io/buildah => github.com/lsm5/buildah v0.0.0-20251023152205-884c02fbd526

go.sum

@@ -237,6 +237,8 @@ github.com/linuxkit/virtsock v0.0.0-20241009230534-cb6a20cc0422 h1:XvRuyDDRvi+UD
 github.com/linuxkit/virtsock v0.0.0-20241009230534-cb6a20cc0422/go.mod h1:JLgfq4XMVbvfNlAXla/41lZnp21O72a/wWHGJefAvgQ=
 github.com/lsm5/container-libs/common v0.0.0-20251023145256-2c7c0ea9cefe h1:8qD/aUDCGvHUUVa5iEQmuuQ3Ldl4j3N52iXOSx2mfzc=
 github.com/lsm5/container-libs/common v0.0.0-20251023145256-2c7c0ea9cefe/go.mod h1:SYowhhZOMlSbIdVmx+qEwBRRcFMUr9EAgqRLWBZDb8s=
+github.com/lsm5/buildah v0.0.0-20251017145416-1c35ea0ae809 h1:Xl7p6J9gfYA7TX0Z7VTNygqpEq7MZdrLX+EhsUdUOPc=
+github.com/lsm5/buildah v0.0.0-20251017145416-1c35ea0ae809/go.mod h1:DOj6mclvkxcijXOmZTybYPZpuDv5ZyqoyjZSwfs/ikk=
 github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 h1:7UMa6KCCMjZEMDtTVdcGu0B1GmmC7QJKiCCjyTAWQy0=
 github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=

libpod/container_internal.go

@@ -1361,7 +1361,7 @@ func (c *Container) waitForHealthy(ctx context.Context) error {
 }
 
 // Whether a container should use `all` when stopping
-func (c *Container) stopWithAll() (bool, error) {
+func (c *Container) stopWithAll() bool {
 	// If the container is running in a PID Namespace, then killing the
 	// primary pid is enough to kill the container.  If it is not running in
 	// a pid namespace then the OCI Runtime needs to kill ALL processes in
@@ -1373,29 +1373,17 @@ func (c *Container) stopWithAll() (bool, error) {
 	if all {
 		if c.config.NoCgroups {
 			all = false
-		} else if rootless.IsRootless() {
-			// Only do this check if we need to
-			unified, err := cgroups.IsCgroup2UnifiedMode()
-			if err != nil {
-				return false, err
-			}
-			if !unified {
-				all = false
-			}
 		}
 	}
 
-	return all, nil
+	return all
 }
 
 // Internal, non-locking function to stop container
 func (c *Container) stop(timeout uint) error {
 	logrus.Debugf("Stopping ctr %s (timeout %d)", c.ID(), timeout)
 
-	all, err := c.stopWithAll()
-	if err != nil {
-		return err
-	}
+	all := c.stopWithAll()
 
 	// OK, the following code looks a bit weird but we have to make sure we can stop
 	// containers with the restart policy always, to do this we have to set
@@ -1502,7 +1490,7 @@ func (c *Container) waitForConmonToExitAndSave() error {
 				// could open a pidfd on container PID1 before
 				// this to get the real exit code... But I'm not
 				// that dedicated.
-				all, _ := c.stopWithAll()
+				all := c.stopWithAll()
 				if err := c.ociRuntime.StopContainer(c, 0, all); err != nil {
 					logrus.Errorf("Error stopping container %s after Conmon exited prematurely: %v", c.ID(), err)
 				}

libpod/container_internal_linux.go

@@ -3,7 +3,6 @@
 package libpod
 
 import (
-	"errors"
 	"fmt"
 	"io/fs"
 	"os"
@@ -30,9 +29,7 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-var (
-	bindOptions = []string{define.TypeBind, "rprivate"}
-)
+var bindOptions = []string{define.TypeBind, "rprivate"}
 
 func (c *Container) mountSHM(shmOptions string) error {
 	contextType := "context"
@@ -267,11 +264,6 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 		g.AddMount(tmpfsMnt)
 	}
 
-	unified, err := cgroups.IsCgroup2UnifiedMode()
-	if err != nil {
-		return err
-	}
-
 	hasCgroupNs := false
 	for _, ns := range c.config.Spec.Linux.Namespaces {
 		if ns.Type == spec.CgroupNamespace {
@@ -280,69 +272,25 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 		}
 	}
 
-	if unified {
-		g.RemoveMount("/sys/fs/cgroup")
+	g.RemoveMount("/sys/fs/cgroup")
 
-		var systemdMnt spec.Mount
-		if hasCgroupNs {
-			systemdMnt = spec.Mount{
-				Destination: "/sys/fs/cgroup",
-				Type:        "cgroup",
-				Source:      "cgroup",
-				Options:     []string{"private", "rw"},
-			}
-		} else {
-			systemdMnt = spec.Mount{
-				Destination: "/sys/fs/cgroup",
-				Type:        define.TypeBind,
-				Source:      "/sys/fs/cgroup",
-				Options:     []string{define.TypeBind, "private", "rw"},
-			}
+	var systemdMnt spec.Mount
+	if hasCgroupNs {
+		systemdMnt = spec.Mount{
+			Destination: "/sys/fs/cgroup",
+			Type:        "cgroup",
+			Source:      "cgroup",
+			Options:     []string{"private", "rw"},
 		}
-		g.AddMount(systemdMnt)
 	} else {
-		hasSystemdMount := MountExists(mounts, "/sys/fs/cgroup/systemd")
-		if hasCgroupNs && !hasSystemdMount {
-			return errors.New("cgroup namespace is not supported with cgroup v1 and systemd mode")
-		}
-		mountOptions := []string{define.TypeBind, "rprivate"}
-
-		if !hasSystemdMount {
-			skipMount := hasSystemdMount
-			var statfs unix.Statfs_t
-			if err := unix.Statfs("/sys/fs/cgroup/systemd", &statfs); err != nil {
-				if errors.Is(err, os.ErrNotExist) {
-					// If the mount is missing on the host, we cannot bind mount it so
-					// just skip it.
-					skipMount = true
-				}
-				mountOptions = append(mountOptions, "nodev", "noexec", "nosuid")
-			} else {
-				if statfs.Flags&unix.MS_NODEV == unix.MS_NODEV {
-					mountOptions = append(mountOptions, "nodev")
-				}
-				if statfs.Flags&unix.MS_NOEXEC == unix.MS_NOEXEC {
-					mountOptions = append(mountOptions, "noexec")
-				}
-				if statfs.Flags&unix.MS_NOSUID == unix.MS_NOSUID {
-					mountOptions = append(mountOptions, "nosuid")
-				}
-				if statfs.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
-					mountOptions = append(mountOptions, "ro")
-				}
-			}
-			if !skipMount {
-				systemdMnt := spec.Mount{
-					Destination: "/sys/fs/cgroup/systemd",
-					Type:        define.TypeBind,
-					Source:      "/sys/fs/cgroup/systemd",
-					Options:     mountOptions,
-				}
-				g.AddMount(systemdMnt)
-				g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
-			}
+		systemdMnt = spec.Mount{
+			Destination: "/sys/fs/cgroup",
+			Type:        define.TypeBind,
+			Source:      "/sys/fs/cgroup",
+			Options:     []string{define.TypeBind, "private", "rw"},
 		}
 	}
+	g.AddMount(systemdMnt)
 
 	return nil
 }
@@ -385,16 +333,12 @@ func isRootlessCgroupSet(cgroup string) bool {
 }
 
 func (c *Container) expectPodCgroup() (bool, error) {
-	unified, err := cgroups.IsCgroup2UnifiedMode()
-	if err != nil {
-		return false, err
-	}
 	cgroupManager := c.CgroupManager()
 	switch {
 	case c.config.NoCgroups:
 		return false, nil
 	case cgroupManager == config.SystemdCgroupsManager:
-		return !rootless.IsRootless() || unified, nil
+		return true, nil
 	case cgroupManager == config.CgroupfsCgroupsManager:
 		return !rootless.IsRootless(), nil
 	default:
@@ -404,10 +348,6 @@ func (c *Container) expectPodCgroup() (bool, error) {
 
 // Get cgroup path in a format suitable for the OCI spec
 func (c *Container) getOCICgroupPath() (string, error) {
-	unified, err := cgroups.IsCgroup2UnifiedMode()
-	if err != nil {
-		return "", err
-	}
 	cgroupManager := c.CgroupManager()
 	switch {
 	case c.config.NoCgroups:
@@ -425,7 +365,7 @@ func (c *Container) getOCICgroupPath() (string, error) {
 		systemdCgroups := fmt.Sprintf("%s:libpod:%s", path.Base(c.config.CgroupParent), c.ID())
 		logrus.Debugf("Setting Cgroups for container %s to %s", c.ID(), systemdCgroups)
 		return systemdCgroups, nil
-	case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)):
+	case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager)):
 		if c.config.CgroupParent == "" || !isRootlessCgroupSet(c.config.CgroupParent) {
 			return "", nil
 		}

libpod/info_linux.go

@@ -30,14 +30,8 @@ func (r *Runtime) setPlatformHostInfo(info *define.HostInfo) error {
 		return fmt.Errorf("getting Seccomp profile path: %w", err)
 	}
 
-	// Cgroups version
-	unified, err := cgroups.IsCgroup2UnifiedMode()
-	if err != nil {
-		return fmt.Errorf("reading cgroups mode: %w", err)
-	}
-
 	// Get Map of all available controllers
-	availableControllers, err := cgroups.AvailableControllers(nil, unified)
+	availableControllers, err := cgroups.AvailableControllers()
 	if err != nil {
 		return fmt.Errorf("getting available cgroup controllers: %w", err)
 	}
@@ -55,12 +49,6 @@ func (r *Runtime) setPlatformHostInfo(info *define.HostInfo) error {
 	}
 	info.Slirp4NetNS = define.SlirpInfo{}
 
-	cgroupVersion := "v1"
-	if unified {
-		cgroupVersion = "v2"
-	}
-	info.CgroupsVersion = cgroupVersion
-
 	slirp4netnsPath := r.config.Engine.NetworkCmdPath
 	if slirp4netnsPath == "" {
 		slirp4netnsPath, _ = r.config.FindHelperBinary(slirp4netns.BinaryName, true)

libpod/runtime_linux.go

@@ -12,21 +12,10 @@ import (
 	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/containers/podman/v5/pkg/systemd"
 	"github.com/sirupsen/logrus"
-	"go.podman.io/common/pkg/cgroups"
 )
 
 func checkCgroups2UnifiedMode(runtime *Runtime) {
-	unified, _ := cgroups.IsCgroup2UnifiedMode()
-	// DELETE ON RHEL9
-	if !unified {
-		_, ok := os.LookupEnv("PODMAN_IGNORE_CGROUPSV1_WARNING")
-		if !ok {
-			logrus.Warn("Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.")
-		}
-	}
-	// DELETE ON RHEL9
-
-	if unified && rootless.IsRootless() && !systemd.IsSystemdSessionValid(rootless.GetRootlessUID()) {
+	if rootless.IsRootless() && !systemd.IsSystemdSessionValid(rootless.GetRootlessUID()) {
 		// If user is rootless and XDG_RUNTIME_DIR is found, podman will not proceed with /tmp directory
 		// it will try to use existing XDG_RUNTIME_DIR
 		// if current user has no write access to XDG_RUNTIME_DIR we will fail later