Add --cgroup-conf option to run subcommand

Signed-off-by: Fabio Falzoi <[email protected]>

Author: pippolo84

README.md

@@ -310,6 +310,7 @@ Cgroup flags:
 - :whale: `--cpuset-cpus`: CPUs in which to allow execution (0-3, 0,1)
 - :whale: `--memory`: Memory limit
 - :whale: `--pids-limit`: Tune container pids limit
+- :nerd_face: `--cgroup-conf`: Configure cgroup v2 (key=value)
 - :whale: `--cgroupns=(host|private)`: Cgroup namespace to use
   - Default: "private" on cgroup v2 hosts, "host" on cgroup v1 hosts
 - :whale: `--device`: Add a host device to the container

cmd/nerdctl/run.go

@@ -134,6 +134,7 @@ func newRunCommand() *cobra.Command {
 		return []string{"host"}, cobra.ShellCompDirectiveNoFileComp
 	})
 	runCommand.Flags().Int("pids-limit", -1, "Tune container pids limit (set -1 for unlimited)")
+	runCommand.Flags().StringSlice("cgroup-conf", nil, "Configure cgroup v2 (key=value)")
 	runCommand.Flags().String("cgroupns", defaults.CgroupnsMode(), `Cgroup namespace to use, the default depends on the cgroup version ("host"|"private")`)
 	runCommand.RegisterFlagCompletionFunc("cgroupns", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"host", "private"}, cobra.ShellCompDirectiveNoFileComp

cmd/nerdctl/run_cgroup_linux.go

@@ -17,12 +17,15 @@
 package main
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"path/filepath"
 	"strings"
 
+	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
+	"github.com/containerd/nerdctl/pkg/infoutil"
 	"github.com/containerd/nerdctl/pkg/rootlessutil"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -112,6 +115,24 @@ func generateCgroupOpts(cmd *cobra.Command, id string) ([]oci.SpecOpts, error) {
 		opts = append(opts, oci.WithPidsLimit(int64(pidsLimit)))
 	}
 
+	cgroupConf, err := cmd.Flags().GetStringSlice("cgroup-conf")
+	if err != nil {
+		return nil, err
+	}
+	if len(cgroupConf) > 0 && infoutil.CgroupsVersion() == "1" {
+		return nil, errors.New("cannot use --cgroup-conf without cgroup v2")
+	}
+
+	unifieds := make(map[string]string)
+	for _, unified := range cgroupConf {
+		splitUnified := strings.SplitN(unified, "=", 2)
+		if len(splitUnified) < 2 {
+			return nil, errors.New("--cgroup-conf must be formatted KEY=VALUE")
+		}
+		unifieds[splitUnified[0]] = splitUnified[1]
+	}
+	opts = append(opts, withUnified(unifieds))
+
 	cgroupns, err := cmd.Flags().GetString("cgroupns")
 	if err != nil {
 		return nil, err
@@ -190,3 +211,16 @@ func validateDeviceMode(mode string) error {
 	}
 	return nil
 }
+
+func withUnified(unified map[string]string) oci.SpecOpts {
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) (err error) {
+		if unified == nil {
+			return nil
+		}
+		s.Linux.Resources.Unified = make(map[string]string)
+		for k, v := range unified {
+			s.Linux.Resources.Unified[k] = v
+		}
+		return nil
+	}
+}

cmd/nerdctl/run_test.go

@@ -27,6 +27,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/containerd/cgroups"
 	"github.com/containerd/nerdctl/pkg/testutil"
 
 	"gotest.tools/v3/assert"
@@ -198,6 +199,16 @@ func TestRunPidHost(t *testing.T) {
 	base.Cmd("run", "--rm", "--pid=host", testutil.AlpineImage, "ps", "auxw").AssertOutContains(strconv.Itoa(pid))
 }
 
+func TestRunCgroupConf(t *testing.T) {
+	if cgroups.Mode() != cgroups.Unified {
+		t.Skip("test requires cgroup v2")
+	}
+	base := testutil.NewBase(t)
+
+	base.Cmd("run", "--rm", "--cgroup-conf", "memory.high=33554432", testutil.AlpineImage,
+		"sh", "-ec", "cd /sys/fs/cgroup && cat memory.high").AssertOutContains("33554432")
+}
+
 func TestRunAddHost(t *testing.T) {
 	base := testutil.NewBase(t)
 	base.Cmd("run", "--rm", "--add-host", "testing.example.com:10.0.0.1", testutil.AlpineImage, "sh", "-c", "cat /etc/hosts").AssertOutWithFunc(func(stdout string) error {