libpod: Remove cgroupsv1 support

Signed-off-by: Lokesh Mandvekar <[email protected]>

Author: lsm5

libpod/container_internal_linux.go

@@ -3,7 +3,6 @@
 package libpod
 
 import (
-	"errors"
 	"fmt"
 	"io/fs"
 	"os"
@@ -30,9 +29,7 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-var (
-	bindOptions = []string{define.TypeBind, "rprivate"}
-)
+var bindOptions = []string{define.TypeBind, "rprivate"}
 
 func (c *Container) mountSHM(shmOptions string) error {
 	contextType := "context"
@@ -267,11 +264,6 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 		g.AddMount(tmpfsMnt)
 	}
 
-	unified, err := cgroups.IsCgroup2UnifiedMode()
-	if err != nil {
-		return err
-	}
-
 	hasCgroupNs := false
 	for _, ns := range c.config.Spec.Linux.Namespaces {
 		if ns.Type == spec.CgroupNamespace {
@@ -280,69 +272,25 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 		}
 	}
 
-	if unified {
-		g.RemoveMount("/sys/fs/cgroup")
+	g.RemoveMount("/sys/fs/cgroup")
 
-		var systemdMnt spec.Mount
-		if hasCgroupNs {
-			systemdMnt = spec.Mount{
-				Destination: "/sys/fs/cgroup",
-				Type:        "cgroup",
-				Source:      "cgroup",
-				Options:     []string{"private", "rw"},
-			}
-		} else {
-			systemdMnt = spec.Mount{
-				Destination: "/sys/fs/cgroup",
-				Type:        define.TypeBind,
-				Source:      "/sys/fs/cgroup",
-				Options:     []string{define.TypeBind, "private", "rw"},
-			}
+	var systemdMnt spec.Mount
+	if hasCgroupNs {
+		systemdMnt = spec.Mount{
+			Destination: "/sys/fs/cgroup",
+			Type:        "cgroup",
+			Source:      "cgroup",
+			Options:     []string{"private", "rw"},
 		}
-		g.AddMount(systemdMnt)
 	} else {
-		hasSystemdMount := MountExists(mounts, "/sys/fs/cgroup/systemd")
-		if hasCgroupNs && !hasSystemdMount {
-			return errors.New("cgroup namespace is not supported with cgroup v1 and systemd mode")
-		}
-		mountOptions := []string{define.TypeBind, "rprivate"}
-
-		if !hasSystemdMount {
-			skipMount := hasSystemdMount
-			var statfs unix.Statfs_t
-			if err := unix.Statfs("/sys/fs/cgroup/systemd", &statfs); err != nil {
-				if errors.Is(err, os.ErrNotExist) {
-					// If the mount is missing on the host, we cannot bind mount it so
-					// just skip it.
-					skipMount = true
-				}
-				mountOptions = append(mountOptions, "nodev", "noexec", "nosuid")
-			} else {
-				if statfs.Flags&unix.MS_NODEV == unix.MS_NODEV {
-					mountOptions = append(mountOptions, "nodev")
-				}
-				if statfs.Flags&unix.MS_NOEXEC == unix.MS_NOEXEC {
-					mountOptions = append(mountOptions, "noexec")
-				}
-				if statfs.Flags&unix.MS_NOSUID == unix.MS_NOSUID {
-					mountOptions = append(mountOptions, "nosuid")
-				}
-				if statfs.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
-					mountOptions = append(mountOptions, "ro")
-				}
-			}
-			if !skipMount {
-				systemdMnt := spec.Mount{
-					Destination: "/sys/fs/cgroup/systemd",
-					Type:        define.TypeBind,
-					Source:      "/sys/fs/cgroup/systemd",
-					Options:     mountOptions,
-				}
-				g.AddMount(systemdMnt)
-				g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
-			}
+		systemdMnt = spec.Mount{
+			Destination: "/sys/fs/cgroup",
+			Type:        define.TypeBind,
+			Source:      "/sys/fs/cgroup",
+			Options:     []string{define.TypeBind, "private", "rw"},
 		}
 	}
+	g.AddMount(systemdMnt)
 
 	return nil
 }

libpod/info_linux.go

@@ -55,10 +55,7 @@ func (r *Runtime) setPlatformHostInfo(info *define.HostInfo) error {
 	}
 	info.Slirp4NetNS = define.SlirpInfo{}
 
-	cgroupVersion := "v1"
-	if unified {
-		cgroupVersion = "v2"
-	}
+	cgroupVersion := "v2"
 	info.CgroupsVersion = cgroupVersion
 
 	slirp4netnsPath := r.config.Engine.NetworkCmdPath

libpod/runtime_linux.go

@@ -17,14 +17,6 @@ import (
 
 func checkCgroups2UnifiedMode(runtime *Runtime) {
 	unified, _ := cgroups.IsCgroup2UnifiedMode()
-	// DELETE ON RHEL9
-	if !unified {
-		_, ok := os.LookupEnv("PODMAN_IGNORE_CGROUPSV1_WARNING")
-		if !ok {
-			logrus.Warn("Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.")
-		}
-	}
-	// DELETE ON RHEL9
 
 	if unified && rootless.IsRootless() && !systemd.IsSystemdSessionValid(rootless.GetRootlessUID()) {
 		// If user is rootless and XDG_RUNTIME_DIR is found, podman will not proceed with /tmp directory

pkg/specgen/generate/validate_linux.go

@@ -3,171 +3,14 @@
 package generate
 
 import (
-	"errors"
-	"fmt"
 	"os"
 	"path/filepath"
-	"reflect"
 
-	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/containers/podman/v5/pkg/specgen"
-	"github.com/opencontainers/runtime-spec/specs-go"
 	"go.podman.io/common/pkg/cgroups"
-	"go.podman.io/common/pkg/sysinfo"
 	"go.podman.io/storage/pkg/fileutils"
 )
 
-// Verify resource limits are sanely set when running on cgroup v1.
-func verifyContainerResourcesCgroupV1(s *specgen.SpecGenerator) ([]string, error) {
-	warnings := []string{}
-
-	sysInfo := sysinfo.New(true)
-
-	// If ResourceLimits is nil, return without warning
-	resourceNil := &specgen.SpecGenerator{}
-	resourceNil.ResourceLimits = &specs.LinuxResources{}
-	if s.ResourceLimits == nil || reflect.DeepEqual(s.ResourceLimits, resourceNil.ResourceLimits) {
-		return nil, nil
-	}
-
-	// Cgroups V1 rootless system does not support Resource limits
-	if rootless.IsRootless() {
-		s.ResourceLimits = nil
-		return []string{"Resource limits are not supported and ignored on cgroups V1 rootless systems"}, nil
-	}
-
-	if s.ResourceLimits.Unified != nil {
-		return nil, errors.New("cannot use --cgroup-conf without cgroup v2")
-	}
-
-	// Memory checks
-	if s.ResourceLimits.Memory != nil {
-		memory := s.ResourceLimits.Memory
-		if memory.Limit != nil && !sysInfo.MemoryLimit {
-			warnings = append(warnings, "Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
-			memory.Limit = nil
-			memory.Swap = nil
-		}
-		if memory.Limit != nil && memory.Swap != nil && !sysInfo.SwapLimit {
-			warnings = append(warnings, "Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.")
-			memory.Swap = nil
-		}
-		if memory.Limit != nil && memory.Swap != nil && *memory.Swap < *memory.Limit {
-			return warnings, errors.New("minimum memoryswap limit should be larger than memory limit, see usage")
-		}
-		if memory.Limit == nil && memory.Swap != nil {
-			return warnings, errors.New("you should always set a memory limit when using a memoryswap limit, see usage")
-		}
-		if memory.Swappiness != nil {
-			if !sysInfo.MemorySwappiness {
-				warnings = append(warnings, "Your kernel does not support memory swappiness capabilities, or the cgroup is not mounted. Memory swappiness discarded.")
-				memory.Swappiness = nil
-			} else if *memory.Swappiness > 100 {
-				return warnings, fmt.Errorf("invalid value: %v, valid memory swappiness range is 0-100", *memory.Swappiness)
-			}
-		}
-		if memory.Reservation != nil && !sysInfo.MemoryReservation {
-			warnings = append(warnings, "Your kernel does not support memory soft limit capabilities or the cgroup is not mounted. Limitation discarded.")
-			memory.Reservation = nil
-		}
-		if memory.Limit != nil && memory.Reservation != nil && *memory.Limit < *memory.Reservation {
-			return warnings, errors.New("minimum memory limit cannot be less than memory reservation limit, see usage")
-		}
-		if memory.DisableOOMKiller != nil && *memory.DisableOOMKiller && !sysInfo.OomKillDisable {
-			warnings = append(warnings, "Your kernel does not support OomKillDisable. OomKillDisable discarded.")
-			memory.DisableOOMKiller = nil
-		}
-	}
-
-	// Pids checks
-	if s.ResourceLimits.Pids != nil {
-		// TODO: Should this be 0, or checking that ResourceLimits.Pids
-		// is set at all?
-		if s.ResourceLimits.Pids.Limit >= 0 && !sysInfo.PidsLimit {
-			warnings = append(warnings, "Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
-			s.ResourceLimits.Pids = nil
-		}
-	}
-
-	// CPU checks
-	if s.ResourceLimits.CPU != nil {
-		cpu := s.ResourceLimits.CPU
-		if cpu.Shares != nil && !sysInfo.CPUShares {
-			warnings = append(warnings, "Your kernel does not support CPU shares or the cgroup is not mounted. Shares discarded.")
-			cpu.Shares = nil
-		}
-		if cpu.Period != nil && !sysInfo.CPUCfsPeriod {
-			warnings = append(warnings, "Your kernel does not support CPU cfs period or the cgroup is not mounted. Period discarded.")
-			cpu.Period = nil
-		}
-		if cpu.Period != nil && (*cpu.Period < 1000 || *cpu.Period > 1000000) {
-			return warnings, errors.New("CPU cfs period cannot be less than 1ms (i.e. 1000) or larger than 1s (i.e. 1000000)")
-		}
-		if cpu.Quota != nil && !sysInfo.CPUCfsQuota {
-			warnings = append(warnings, "Your kernel does not support CPU cfs quota or the cgroup is not mounted. Quota discarded.")
-			cpu.Quota = nil
-		}
-		if cpu.Quota != nil && *cpu.Quota < 1000 {
-			return warnings, errors.New("CPU cfs quota cannot be less than 1ms (i.e. 1000)")
-		}
-		if (cpu.Cpus != "" || cpu.Mems != "") && !sysInfo.Cpuset {
-			warnings = append(warnings, "Your kernel does not support cpuset or the cgroup is not mounted. CPUset discarded.")
-			cpu.Cpus = ""
-			cpu.Mems = ""
-		}
-
-		cpusAvailable, err := sysInfo.IsCpusetCpusAvailable(cpu.Cpus)
-		if err != nil {
-			return warnings, fmt.Errorf("invalid value %s for cpuset cpus", cpu.Cpus)
-		}
-		if !cpusAvailable {
-			return warnings, fmt.Errorf("requested CPUs are not available - requested %s, available: %s", cpu.Cpus, sysInfo.Cpus)
-		}
-
-		memsAvailable, err := sysInfo.IsCpusetMemsAvailable(cpu.Mems)
-		if err != nil {
-			return warnings, fmt.Errorf("invalid value %s for cpuset mems", cpu.Mems)
-		}
-		if !memsAvailable {
-			return warnings, fmt.Errorf("requested memory nodes are not available - requested %s, available: %s", cpu.Mems, sysInfo.Mems)
-		}
-	}
-
-	// Blkio checks
-	if s.ResourceLimits.BlockIO != nil {
-		blkio := s.ResourceLimits.BlockIO
-		if blkio.Weight != nil && !sysInfo.BlkioWeight {
-			warnings = append(warnings, "Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.")
-			blkio.Weight = nil
-		}
-		if blkio.Weight != nil && (*blkio.Weight > 1000 || *blkio.Weight < 10) {
-			return warnings, errors.New("range of blkio weight is from 10 to 1000")
-		}
-		if len(blkio.WeightDevice) > 0 && !sysInfo.BlkioWeightDevice {
-			warnings = append(warnings, "Your kernel does not support Block I/O weight_device or the cgroup is not mounted. Weight-device discarded.")
-			blkio.WeightDevice = nil
-		}
-		if len(blkio.ThrottleReadBpsDevice) > 0 && !sysInfo.BlkioReadBpsDevice {
-			warnings = append(warnings, "Your kernel does not support BPS Block I/O read limit or the cgroup is not mounted. Block I/O BPS read limit discarded")
-			blkio.ThrottleReadBpsDevice = nil
-		}
-		if len(blkio.ThrottleWriteBpsDevice) > 0 && !sysInfo.BlkioWriteBpsDevice {
-			warnings = append(warnings, "Your kernel does not support BPS Block I/O write limit or the cgroup is not mounted. Block I/O BPS write limit discarded.")
-			blkio.ThrottleWriteBpsDevice = nil
-		}
-		if len(blkio.ThrottleReadIOPSDevice) > 0 && !sysInfo.BlkioReadIOpsDevice {
-			warnings = append(warnings, "Your kernel does not support IOPS Block read limit or the cgroup is not mounted. Block I/O IOPS read limit discarded.")
-			blkio.ThrottleReadIOPSDevice = nil
-		}
-		if len(blkio.ThrottleWriteIOPSDevice) > 0 && !sysInfo.BlkioWriteIOpsDevice {
-			warnings = append(warnings, "Your kernel does not support IOPS Block I/O write limit or the cgroup is not mounted. Block I/O IOPS write limit discarded.")
-			blkio.ThrottleWriteIOPSDevice = nil
-		}
-	}
-
-	return warnings, nil
-}
-
 // Verify resource limits are sanely set when running on cgroup v2.
 func verifyContainerResourcesCgroupV2(s *specgen.SpecGenerator) ([]string, error) {
 	warnings := []string{}
@@ -225,12 +68,9 @@ func verifyContainerResourcesCgroupV2(s *specgen.SpecGenerator) ([]string, error
 // Verify resource limits are sanely set, removing any limits that are not
 // possible with the current cgroups config.
 func verifyContainerResources(s *specgen.SpecGenerator) ([]string, error) {
-	cgroup2, err := cgroups.IsCgroup2UnifiedMode()
+	_, err := cgroups.IsCgroup2UnifiedMode()
 	if err != nil {
 		return []string{}, err
 	}
-	if cgroup2 {
-		return verifyContainerResourcesCgroupV2(s)
-	}
-	return verifyContainerResourcesCgroupV1(s)
+	return verifyContainerResourcesCgroupV2(s)
 }