set default CgroupParent in containers.conf #24579

Open
PiotrBzdrega opened this issue Nov 15, 2024 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@PiotrBzdrega

I'm using podman 5.3.0 with cgroup v2 but without systemd.

I have created a rootless cgroup "user" equipped with all the needed controllers inherited from the main cgroup:

[17:10][selkie@buildroot][/sys/fs/cgroup] $ ls
cgroup.controllers      cgroup.procs            cgroup.threads          cpu.stat                user
cgroup.max.depth        cgroup.stat             cpuset.cpus.effective   io.stat
cgroup.max.descendants  cgroup.subtree_control  cpuset.mems.effective   memory.stat

I would like to assign every newly created container (by default) to my CgroupParent, which could be set in containers.conf (not yet an available option).

Currently I'm able to do it only using the CLI with 'run':
podman run -it --cgroup-parent=user ubuntu sh

If an additional parameter in the .conf is not an option for us,
could you explain how I could make use of 'cgroups = "disabled"' without specifying what my parent group is 🤔 ?

# Control container cgroup configuration
# Determines  whether  the  container will create CGroups.
# Options are:
# `enabled`   Enable cgroup support within container
# `disabled`  Disable cgroup support, will inherit cgroups from parent
# `no-conmon` Do not create a cgroup dedicated to conmon.
#
cgroups = "disabled"
[15:21][selkie@buildroot][/sys/fs/cgroup] $ podman info
host:
  arch: arm
  buildahVersion: 1.38.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /mnt/docker/usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 93.95
    systemPercent: 3.85
    userPercent: 2.2
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: buildroot
    version: 2024.02.7
  eventLogger: file
  freeLocks: 2047
  hostname: buildroot
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 10010
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 10010
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.226-mikronika
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 46006272
  memTotal: 512520192
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /mnt/docker/usr/bin/aardvark-dns
      version: aardvark-dns 1.13.0
    package: Unknown
    path: /mnt/docker/usr/bin/netavark
    version: netavark 1.13.0
  ociRuntime:
    name: crun
    package: Unknown
    path: /mnt/docker/usr/bin/crun
    version: |-
      crun version 1.18.2
      commit: 00ab38af875ddd0d1a8226addda52e1de18339b5
      rundir: /run/user/10010/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/10010/podman/podman.sock
  rootlessNetworkCmd: slirp4netns
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /mnt/nvm/selkie/.config/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /mnt/docker/usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 1h 14m 57.00s (Approximately 0.04 days)
  variant: v7
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  mik-git.mikronika.com.pl:
    Blocked: false
    Insecure: false
    Location: mik-git.mikronika.com.pl/piotrbz
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: mik-git.mikronika.com.pl
    PullFromMirror: ""
  search:
  - mik-git.mikronika.com.pl
  - docker.io
store:
  configFile: /mnt/nvm/selkie/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fusermount3 version: 3.16.2
        fuse-overlayfs: version 1.11
        FUSE library version 3.16.2
        using FUSE kernel interface version 7.38
  graphRoot: /mnt/nvm/selkie/.local/share/containers/storage
  graphRootAllocated: 4311089152
  graphRootUsed: 134688768
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /mnt/nvm/selkie/tmp_storage
  imageStore:
    number: 1
  runRoot: /run/user/10010/containers
  transientStore: false
  volumePath: /mnt/nvm/selkie/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.0
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/arm
  Version: 5.3.0
@mheon added the kind/feature label Nov 15, 2024
@giuseppe (Member)

If an additional parameter in the .conf is not an option for us, could you explain how I could make use of 'cgroups = "disabled"' without specifying what my parent group is 🤔 ?

You could move the current process to the target cgroup, and then use --cgroups=disabled to reuse it.

@PiotrBzdrega (Author)

PiotrBzdrega commented Nov 18, 2024

Thank you @giuseppe, I will test it.
Edited:
Looks like for now I will stick with cgroups = "disabled".
In my case I use libcgroup to delegate all processes run by one user to a given cgroup.

Even though my case is solved, I will leave this issue open; maybe somebody will find time to create a PR.
I see it as quite convenient to have all containers/pods in one cgroup by indicating in containers.conf something like cgroup-parent="user" without explicitly pointing to it every time in the CLI command.
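The workaround giuseppe describes (move the calling process into the target cgroup, then start containers with --cgroups=disabled so they inherit it), together with the check that it actually took effect, written out as an added shell example. This is not code from the thread or from the Podman project. It assumes cgroup v2 mounted at /sys/fs/cgroup, no systemd, and that the "user" cgroup has already been delegated to the rootless user (its cgroup.procs is writable, whether via libcgroup as the author does or by chown); the helper names cg_move, cg_current, cg_under, cg_in and the alpine test image are my choices, and the CGROUP_ROOT variable exists only so the helpers can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: inherit a pre-existing cgroup with --cgroups=disabled.
# Assumptions: cgroup v2 at /sys/fs/cgroup, no systemd, cgroup "user"
# already delegated to this user (cgroup.procs writable). CGROUP_ROOT
# is overridable only so the helpers can be tested on a scratch tree.

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Extract the cgroup v2 path from a /proc/<pid>/cgroup file.
# A v2 line looks like "0::/user"; v1 lines (e.g. "3:cpu:/") are ignored.
cg_path_from_file() {
    sed -n 's/^0::\(.*\)$/\1/p' "$1"
}

# Cgroup path of a pid (default: the calling shell).
cg_current() {
    cg_path_from_file "/proc/${1:-self}/cgroup"
}

# Move pid (default: this shell) into $CGROUP_ROOT/<cgroup>.
# Refuses early when cgroup.procs is not writable (cgroup not delegated);
# the write itself can still fail, e.g. under the v2 "no internal
# processes" rule, so the function's status is the status of the write.
cg_move() {
    cg="$1"; pid="${2:-$$}"
    procs="$CGROUP_ROOT/$cg/cgroup.procs"
    if [ ! -w "$procs" ]; then
        echo "cg_move: $procs is not writable; delegate '$cg' to this user first" >&2
        return 1
    fi
    echo "$pid" > "$procs"
}

# True when the actual cgroup path ($2) is $1 itself or a descendant of it.
cg_under() {
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when pid ($2, default self) sits in or under cgroup path $1.
cg_in() {
    cg_under "$1" "$(cg_current "$2")"
}

# Usage: sh inherit-cgroup.sh run
# Moves this shell into "user", starts a container with --cgroups=disabled
# (Podman then creates no cgroup for the container or conmon) and shows
# that the container's init process ended up in the inherited cgroup.
if [ "${1:-}" = "run" ]; then
    cg_move user || exit 1
    echo "shell now in: $(cg_current)"
    cid=$(podman run -d --cgroups=disabled docker.io/library/alpine sleep 60)
    pid=$(podman inspect --format '{{.State.Pid}}' "$cid")
    echo "container pid $pid in: $(cg_current "$pid")"
    if cg_in /user "$pid"; then
        echo "OK: container inherited /user"
    else
        echo "FAIL: container is not under /user" >&2
    fi
    podman rm -f "$cid" >/dev/null
fi
```

Two caveats when relying on this mode: because no per-container cgroup exists, any limit you want has to be applied to the parent itself (for example by writing to user/memory.max) rather than through per-container flags such as --memory, and since every container and conmon share that one cgroup, a runaway container is only contained by the parent's limits, not isolated from its neighbours.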
