I have finally opened some PRs for conmon and libpod that enable resources management for Podman rootless containers on Fedora 30 when using crun. This builds on the cgroups v2 delegation support added to crun earlier: Fedora 30 ships a kernel and systemd new enough to support the unified cgroup hierarchy, so with a single kernel command-line option and a small systemd drop-in, unprivileged users can now set memory and CPU limits on their containers without root access.

The PRs are here:

The only change for the default Fedora 30 configuration is to enable the cgroup v2 unified hierarchy. It can be done with:

1

# grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"

and a reboot.

systemd by default enables only the pids and memory controllers for unprivileged users. If you want to enable more controllers, you need a drop-in configuration file under /etc/systemd/system/user@.service.d, that looks like:

1
2

[Service]
Delegate=cpu cpuacct io blkio memory devices pids

I’ve not found a way to enable the cpuset controller using only the systemd configuration. It must be done manually, or by providing a service file that writes directly to /sys/fs/cgroup/cgroup.subtree_control and /sys/fs/cgroup/user.slice/cgroup.subtree_control, and then make sure this setting is propagated to user@.service.d.

With the updated versions of crun, Podman and conmon:

1
2
3
4
5

$ podman --runtime /usr/local/bin/crun run  --memory=100M --rm -ti fedora bash
# cat /proc/self/cgroup 
0::/user.slice/user-1000.slice/user@1000.service/80adb7152d9f299cb7bfd383aa7ae2543534d7925c96d486f046e185d09d0946-39898.scope
# cat /sys/fs/cgroup//user.slice/user-1000.slice/user@1000.service/80adb7152d9f299cb7bfd383aa7ae2543534d7925c96d486f046e185d09d0946-39898.scope/memory.max
104857600