[CI:DOCS] Document how to enable CPU limit delegation #8134
Conversation
xordspar0
changed the title
|
Thanks @xordspar0 |
docs/source/markdown/podman-run.1.md
Outdated
| ## TROUBLESHOOTING | ||
|
|
||
| ### Rootless cgroups v2 CPU limits | ||
|
|
||
| On some systems, setting CPU limits such as **--cpu-quota** will fail with an | ||
| error similar to the following: | ||
|
|
||
| Error: opening file `cpu.max` for writing: Permission denied: OCI runtime permission denied error | ||
|
|
||
| This means that CPU limit delegation is not enabled for the current user. You | ||
| can verify by running the following command: | ||
|
|
||
| cat "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers" | ||
|
|
||
| Example output might be: | ||
|
|
||
| memory pids | ||
|
|
||
| In the above example, `cpu` is not listed, which means the curent user does | ||
| not have permission to set CPU limits. | ||
|
|
||
| If you want to enable CPU limit delegation for all users, you can create the | ||
| file `/etc/systemd/system/user@.service.d/delegate.conf` with the contents: | ||
|
|
||
| [Service] | ||
| Delegate=memory pids cpu io | ||
|
|
||
| After logging out and loggin back in, you should have permission to set CPU | ||
| limits. | ||
|
|
There was a problem hiding this comment.
I think it is fine to have it documented only in troubleshooting.md
There was a problem hiding this comment.
Ok. What should be in the man pages? A note saying that if you have issues with setting limits you should check troubleshooting.md?
There was a problem hiding this comment.
yes, I'd just add a pointer to the troubleshooting.md page to avoid maintaining the same information in 3 different places
There was a problem hiding this comment.
Ok, that sounds good. Is troubleshooting.md hosted on the website or should I just link to https://github.com/containers/podman/blob/master/troubleshooting.md?
| ## TROUBLESHOOTING | ||
|
|
||
| ### Rootless cgroups v2 CPU limits | ||
|
|
||
| On some systems, setting CPU limits such as **--cpu-quota** will fail with an | ||
| error similar to the following: | ||
|
|
||
| Error: opening file `cpu.max` for writing: Permission denied: OCI runtime permission denied error | ||
|
|
||
| This means that CPU limit delegation is not enabled for the current user. You | ||
| can verify by running the following command: | ||
|
|
||
| cat "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers" | ||
|
|
||
| Example output might be: | ||
|
|
||
| memory pids | ||
|
|
||
| In the above example, `cpu` is not listed, which means the curent user does | ||
| not have permission to set CPU limits. | ||
|
|
||
| If you want to enable CPU limit delegation for all users, you can create the | ||
| file `/etc/systemd/system/user@.service.d/delegate.conf` with the contents: | ||
|
|
||
| [Service] | ||
| Delegate=memory pids cpu io | ||
|
|
||
| After logging out and loggin back in, you should have permission to set CPU | ||
| limits. | ||
|
|
There was a problem hiding this comment.
same here, I think it is fine to have it documented only in troubleshooting.md
troubleshooting.md
Outdated
|
|
||
| ### 26) Running containers with CPU limits fails with a permissions error | ||
|
|
||
| On some systems, non-root users do not have CPU limit delegation permissions. |
There was a problem hiding this comment.
Could we be more specific here? We could say the issue happens with systemd as by default it doesn't enable all the available controllers for unprivileged users
There was a problem hiding this comment.
It's not all systems that have systemd. Fedora 33 does have CPU delegation enabled by default. It's really only systems that have cgroups v2 enabled but don't configure the delegations, which as far as I know is only Fedora 31 and 32. How specific should we be?
There was a problem hiding this comment.
the proposed solution works only on systems managed by systemd, that is why I was pointing out we could specify the issue is specific to systemd. Either way, it is just a nit, I am fine as it is now.
There was a problem hiding this comment.
I see. That makes sense.
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan, xordspar0 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
This adds documentation around the CPU limit delegation issue as discussed in #7959.