-
Story
-
Resolution: Done
-
Undefined
-
None
-
None
-
3
-
False
-
-
False
-
rhel-container-tools
-
-
[2996521630] Upstream Reporter: Jan Klička
Upstream issue status: Closed
Upstream description:
Issue Description
Hello, when I use podman in rootless mode and want to specify a ulimit for cpu through the REST API, the limit gets ignored. When I use --ulimit cpu=10:10 in rootless mode on the CLI, the limit gets applied correctly. In rootful mode the ulimit gets applied for the REST API as well. This leads me to believe the issue is connected with rootless and the REST API.
Steps to reproduce the issue
I am running Ubuntu 24.04 and podman v4.9.3. To see if it happens on the latest podman, these steps use podman in a container, but the same behaviour is observed on my system with just rootless podman.
This example shows the failing use case:
```shell
podman run --privileged -u podman -it quay.io/podman/stable bash
podman $LOGGING system service -t 0 tcp:0.0.0.0:8081 &
# you might need to hit enter for the cmd prompt to appear
podman --url tcp://127.0.0.1:8081 image pull alpine
curl -X POST "http://localhost:8081/containers/create?name=test" \
  -H "Content-Type: application/json" \
  -d '{
    "Image": "alpine",
    "Name": "test",
    "Cmd": ["sh", "-c", "ulimit -Ht"],
    "HostConfig": {
      "Ulimits": [ { "Name": "cpu", "Soft": 1, "Hard": 2 } ]
    }
  }'
podman --url tcp://127.0.0.1:8081 inspect test
# "Ulimits": [],
```
As seen from the inspect command, Ulimits are empty. If I run this command instead of doing the http request
```shell
podman --url tcp://127.0.0.1:8081 run -it --ulimit cpu=1:2 alpine sh -c "ulimit -Ht"
```
or start podman as root (i.e. without -u podman)
```shell
podman run --privileged -it quay.io/podman/stable bash
```
and then do the http request, the ulimits are applied correctly:
```json
"Ulimits": [ { "Name": "RLIMIT_CPU", "Soft": 1, "Hard": 2 }
```
Describe the results you received
Using rootless mode and the REST API, the ulimits are not applied.
Describe the results you expected
Using rootless mode and the REST API, the cpu limit should be applied the same way as when it is passed on the CLI with --ulimit.
podman info output
Output from my **local** podman with v4.9.3:
```yaml
host:
  arch: amd64
  buildahVersion: 1.33.7
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/libexec/podman/conmon
    version: 'conmon version 2.1.13, commit: 82de887596ed8ee6d9b2ee85e4f167f307bb569b'
  cpuUtilization:
    idlePercent: 99.87
    systemPercent: 0.05
    userPercent: 0.08
  cpus: 4
  databaseBackend: sqlite
  distribution:
    codename: noble
    distribution: ubuntu
    version: "24.04"
  eventLogger: journald
  freeLocks: 2030
  hostname: server
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.11.0-1012-azure
  linkmode: dynamic
  logDriver: journald
  memFree: 11403198464
  memTotal: 16713166848
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.4.0-5_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: netavark_1.4.0-4_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.4.0
  ociRuntime:
    name: crun
    package: crun_1.14.1-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.1
      commit: de537a7965bfbe9992e2cfae0baeb56a08128171
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20240220.1e6f92b-1_amd64
    version: |
      pasta unknown version
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1build2_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 183h 57m 22.00s (Approximately 7.62 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/jan/.config/containers/storage.conf
  containerStore:
    number: 10
    paused: 0
    running: 0
    stopped: 10
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/jan/.local/share/containers/storage
  graphRootAllocated: 30084825088
  graphRootUsed: 7610572800
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/jan/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.3
  Built: 0
  BuiltTime: Thu Jan 1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.22.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.3
```
podman info from **podman in container**:
```yaml
host:
  arch: amd64
  buildahVersion: 1.39.4
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 99.87
    systemPercent: 0.06
    userPercent: 0.08
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "41"
  eventLogger: file
  freeLocks: 2048
  hostname: 001ec30a88b2
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 1
      size: 999
    - container_id: 1000
      host_id: 1001
      size: 64535
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 1
      size: 999
    - container_id: 1000
      host_id: 1001
      size: 64535
  kernel: 6.11.0-1012-azure
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 11347324928
  memTotal: 16713166848
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.1
  ociRuntime:
    name: crun
    package: crun-1.21-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.21
      commit: 10269840aa07fb7e6b7e1acff6198692d8ff5c88
      rundir: /tmp/storage-run-1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250320.g32f6212-2.fc41.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /tmp/storage-run-1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 188h 5m 28.00s (Approximately 7.83 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/podman/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/podman/.local/share/containers/storage
  graphRootAllocated: 30084825088
  graphRootUsed: 7633362944
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /tmp/storage-run-1000/containers
  transientStore: false
  volumePath: /home/podman/.local/share/containers/storage/volumes
version:
  APIVersion: 5.4.2
  BuildOrigin: Fedora Project
  Built: 1743552000
  BuiltTime: Wed Apr 2 00:00:00 2025
  GitCommit: be85287fcf4590961614ee37be65eeb315e5d9ff
  GoVersion: go1.23.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.2
```
Podman in a container
Yes
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
This happens both on my local machine and on an Azure portal VM running Ubuntu 24.04.
On my machines I have podman version 4.9.2. The reproduction uses the stable podman image with podman v5.4.2.
Additional information
No response
Upstream URL: https://github.com/containers/podman/issues/25881
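The practical lesson of this report is that a resource limit requested through the REST API can be silently dropped, so the container ends up running without a control the caller believes is in place. The following is an added example, not code from the Podman project or from the reporter: it builds the same `HostConfig.Ulimits` payload the report posts, and after creation compares what `inspect` returns against what was requested, flagging any limit that went missing. Assumptions: the API is the Docker-compatible `/containers/create` and `/containers/{name}/json` endpoints served by `podman system service` on `tcp://127.0.0.1:8081` as in the report; `inspect` reports limits under `HostConfig.Ulimits` with `RLIMIT_*` names as shown in the rootful output above; the helper names (`build_create_payload`, `missing_ulimits`, `check_container`) and the two sample inspect documents are constructed for illustration.

```python
"""Verify that ulimits requested via the Podman REST API were actually applied.

Added example for the issue above; not Podman project code and not the
reporter's code. Helper names and the sample inspect documents are constructed.
"""
import http.client
import json
import urllib.parse


def rlimit_name(name: str) -> str:
    """The API accepts short names ("cpu"); inspect reports the RLIMIT_* form."""
    name = name.upper()
    return name if name.startswith("RLIMIT_") else "RLIMIT_" + name


def build_create_payload(image, cmd, ulimits):
    """Body for POST /containers/create, with HostConfig.Ulimits as in the report.

    ulimits is a list of (name, soft, hard) tuples, e.g. [("cpu", 1, 2)].
    """
    return {
        "Image": image,
        "Cmd": list(cmd),
        "HostConfig": {
            "Ulimits": [{"Name": n, "Soft": s, "Hard": h} for n, s, h in ulimits]
        },
    }


def missing_ulimits(requested, inspect_doc):
    """Return the requested (name, soft, hard) tuples absent from HostConfig.Ulimits.

    Names are normalised to RLIMIT_* so a request for "cpu" matches "RLIMIT_CPU";
    a limit present with different soft/hard values also counts as missing.
    Assumption: the inspect document places limits under HostConfig.Ulimits.
    """
    applied = {
        (rlimit_name(u["Name"]), int(u["Soft"]), int(u["Hard"]))
        for u in (inspect_doc.get("HostConfig", {}).get("Ulimits") or [])
    }
    return [r for r in requested if (rlimit_name(r[0]), int(r[1]), int(r[2])) not in applied]


def check_container(api_base, name, image, cmd, ulimits):
    """Create a container over the REST API, inspect it, and return dropped limits.

    api_base is host:port of a running `podman system service`, e.g. "127.0.0.1:8081".
    Needs a live service, so it is not exercised by the offline samples below.
    """
    conn = http.client.HTTPConnection(api_base, timeout=30)
    body = json.dumps(build_create_payload(image, cmd, ulimits))
    conn.request(
        "POST",
        "/containers/create?name=" + urllib.parse.quote(name),
        body=body,
        headers={"Content-Type": "application/json"},
    )
    resp = conn.getresponse()
    raw = resp.read()
    if resp.status != 201:
        raise RuntimeError(f"create failed: HTTP {resp.status} {raw!r}")
    conn.request("GET", f"/containers/{urllib.parse.quote(name)}/json")
    resp = conn.getresponse()
    doc = json.loads(resp.read())
    if isinstance(doc, list):  # libpod-style inspect wraps the object in a list
        doc = doc[0]
    return missing_ulimits(ulimits, doc)


# Constructed samples modelled on the two inspect results quoted in the report.
ROOTFUL_INSPECT = {
    "HostConfig": {"Ulimits": [{"Name": "RLIMIT_CPU", "Soft": 1, "Hard": 2}]}
}
ROOTLESS_INSPECT = {"HostConfig": {"Ulimits": []}}
REQUESTED = [("cpu", 1, 2)]

if __name__ == "__main__":
    for label, doc in (("rootful", ROOTFUL_INSPECT), ("rootless", ROOTLESS_INSPECT)):
        dropped = missing_ulimits(REQUESTED, doc)
        status = "all requested limits applied" if not dropped else f"DROPPED {dropped}"
        print(f"{label}: {status}")
```

Run stand-alone, the script only evaluates the two constructed samples; point `check_container("127.0.0.1:8081", "test", "alpine", ["sh", "-c", "ulimit -Ht"], [("cpu", 1, 2)])` at the service from the report to run the check against a live rootless or rootful instance. A non-empty result is the condition this issue describes, and is worth treating as a deployment failure rather than a warning, since the container is already created without the limit.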
- links to