From 6c591824285c3de26ec427ae5a7d2951406e437a Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Mon, 11 Jul 2022 16:16:06 +1000
Subject: [PATCH] Dockerfile: move into separate group when running under cgroupsv2

Per the comments in https://github.com/containers/podman/issues/14884 there is basically no way to run podman nested in the container in a cgroups v2 environment (e.g. Ubuntu Jammy) with the processes in the same context the container starts in.

One option is to run systemd in the container, which puts things in separate slices, etc. This is unappealing.

This takes what I think is the simplest approach which is to check if we're under cgroups v2 and move everything into a new group before nodepool-builder starts.

The referenced change tests this by running the containerfile elements on Jammy.

Needed-By: https://review.opendev.org/c/openstack/diskimage-builder/+/849274
Change-Id: Ie663d01d77e17f560a92887cba1e2c86b421b24d
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 73fa3632d..0a756ae62 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -138,6 +138,13 @@ RUN \
 apt-get clean \
 && rm -rf /var/lib/apt/lists/*
 
+# NOTE(ianw) 2022-08-02 : move this into its own cgroup on cgroupsv2
+# hosts for nested podman calls to work; see comments in
+# https://github.com/containers/podman/issues/14884
 CMD _DAEMON_FLAG=${DEBUG:+-d} && \
 _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \
+ if [ -e /sys/fs/cgroup/cgroup.controllers ]; then \
+ sudo mkdir /sys/fs/cgroup/nodepool && \
+ for p in `cat /sys/fs/cgroup/cgroup.procs`; do echo $p | sudo tee /sys/fs/cgroup/nodepool/cgroup.procs || true; done \
+ fi; \
 /usr/local/bin/nodepool-builder ${_DAEMON_FLAG}
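Review bot: the error handling in the `if [ -e /sys/fs/cgroup/cgroup.controllers ]` branch silently degrades to the broken state the change is meant to fix. `sudo mkdir /sys/fs/cgroup/nodepool && for p in ...` skips the whole move when `mkdir` fails (directory already present from an earlier run of the CMD in the same container, or `/sys/fs/cgroup` mounted read-only), and because the branch ends with `fi; \` rather than `&&`, nodepool-builder still starts in the root cgroup with no diagnostic. Likewise `|| true` on every `tee` hides a persistent EACCES/EPERM (for example a missing passwordless sudo rule) behind the one race it is presumably there for (a pid that exits mid-loop). Suggest `sudo mkdir -p /sys/fs/cgroup/nodepool`, and either dropping `|| true` or replacing it with an explicit message to stderr so a failed migration is visible in the container logs; a comment stating that the container needs a writable cgroup2 mount and sudo to write `cgroup.procs` would also help whoever next deploys this with a tighter security profile. Minor: the `cat /sys/fs/cgroup/cgroup.procs` snapshot is taken once, so anything forked during the loop stays in the root group; fine for this CMD, but worth a word in the NOTE (whose date, 2022-08-02, also postdates the commit).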