Add support to run with podman in rootless mode using cgroups v2 (#1084)

* Update docs with steps to use podman with cgroups (v2) * Fix parse IP address to work with podman
2 years ago · b15940b5d8
parent 90c19610ba
commit b15940b5d8
2 changed files with 44 additions and 5 deletions
--- a/docs/usage/advanced/podman.md
+++ b/docs/usage/advanced/podman.md
@ -48,6 +48,26 @@ export DOCKER_SOCK=$XDG_RUNTIME_DIR/podman/podman.sock
 k3d cluster create
 ```

+#### Using cgroup (v2)
+
+By default, a non-root user can only get memory controller and pids controller to be delegated.
+
+To run properly we need to enable CPU, CPUSET, and I/O delegation
+
+!!! note "Make sure you're running cgroup v2"
+    If `/sys/fs/cgroup/cgroup.controllers` is present on your system, you are using v2, otherwise you are using v1.
+
+```bash
+mkdir -p /etc/systemd/system/user@.service.d
+cat > /etc/systemd/system/user@.service.d/delegate.conf <<EOF
+[Service]
+Delegate=cpu cpuset io memory pids
+EOF
+systemctl daemon-reload
+```
+
+Reference: [https://rootlesscontaine.rs/getting-started/common/cgroup2/#enabling-cpu-cpuset-and-io-delegation](https://rootlesscontaine.rs/getting-started/common/cgroup2/#enabling-cpu-cpuset-and-io-delegation)
+
 ### Using remote Podman

 [Start Podman on the remote host](https://github.com/containers/podman/blob/main/docs/tutorials/remote_client.md), and then set `DOCKER_HOST` when running k3d:
@ -77,3 +97,4 @@ k3d cluster create --registry-use mycluster-registry mycluster

 !!! note "Missing cpuset cgroup controller"
    If you experince an error regarding missing cpuset cgroup controller, ensure the user unit `xdg-document-portal.service` is disabled by running `systemctl --user stop xdg-document-portal.service`. See [this issue](https://github.com/systemd/systemd/issues/18293#issuecomment-831397578)
+
--- a/pkg/runtimes/docker/network.go
+++ b/pkg/runtimes/docker/network.go
@ -91,11 +91,11 @@ func (d Docker) GetNetwork(ctx context.Context, searchNet *k3d.ClusterNetwork) (

 		for _, container := range targetNetwork.Containers {
 			if container.IPv4Address != "" {
-				prefix, err := netaddr.ParseIPPrefix(container.IPv4Address)
+				ipAddr, err := parseIPAddress(container.IPv4Address)
 				if err != nil {
-					return nil, fmt.Errorf("failed to parse IP of container %s: %w", container.Name, err)
+					return nil, fmt.Errorf("failed to parse IP address of container %s: %w", container.Name, err)
 				}
-				network.IPAM.IPsUsed = append(network.IPAM.IPsUsed, prefix.IP())
+				network.IPAM.IPsUsed = append(network.IPAM.IPsUsed, ipAddr)
 			}
 		}

@ -110,13 +110,13 @@ func (d Docker) GetNetwork(ctx context.Context, searchNet *k3d.ClusterNetwork) (
 	}

 	for _, container := range targetNetwork.Containers {
-		prefix, err := netaddr.ParseIPPrefix(container.IPv4Address)
+		ipAddr, err := parseIPAddress(container.IPv4Address)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse IP Prefix of network \"%s\"'s member %s: %v", network.Name, container.Name, err)
 		}
 		network.Members = append(network.Members, &k3d.NetworkMember{
 			Name: container.Name,
-			IP:   prefix.IP(),
+			IP:   ipAddr,
 		})
 	}

@ -376,3 +376,21 @@ func (d Docker) parseIPAM(config network.IPAMConfig) (ipam k3d.IPAM, err error)

 	return
 }
+
+// parseIPAddress Returns an netaddr.IP by either receiving the IP address or IP CIDR notation. If the value
+// cannot be parsed, an error is returned
+func parseIPAddress(addr string) (netaddr.IP, error) {
+	if strings.Contains(addr, "/") {
+		prefix, err := netaddr.ParseIPPrefix(addr)
+		if err != nil {
+			return netaddr.IP{}, err
+		}
+		return prefix.IP(), nil
+	} else {
+		ipAddr, err := netaddr.ParseIP(addr)
+		if err != nil {
+			return netaddr.IP{}, err
+		}
+		return ipAddr, nil
+	}
+}