Podman in Podman (PINP) Nested cgroupv2 Delegation

[RaubCamaioni]

Looking for context if nested hierarchical cgroupv2 resource allocation in podman in podman is possible?
I am using podman to sandbox user submitted code and would like to containerize the entire application.

---

Current state of rootless PINP cgroupv2.

Rootless PINP is working.
The below guides work as of April 21, 2025.
Rootless podman in podman: https://www.redhat.com/en/blog/podman-inside-container
Rootless podman: https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
Allow cpuset flag on rootless containers: https://rootlesscontaine.rs/getting-started/common/cgroup2/

Attempting to get nested cgroupv2 cpuset restrictions working in PINP.
I lack full stack understanding of podman cgroupv2 interactions.

Rebuilding the container located at https://github.com/containers/image_build/tree/main/podman
used to build the quay.io/podman/stable container for the PINP tutorial.

I changed the containers.conf to allow cgroups="private" and cgroups="enabled", previously set to cgroups="host".

# containers.conf
[containers]
netns="host"
userns="host"
ipcns="host"
utsns="host"
cgroupns="private"
cgroups="enabled"
log_driver = "k8s-file"
[engine]
cgroup_manager = "cgroupfs"
events_logger="file"
runtime="crun"

podman build -t pinp .

Hyper-V: Virtual Machine
Host System: Fedora release 42 (Adams)
podman version 5.4.2

Running the following command: The cgroup flags are probably redundant.

# external container --cpuset-cpus 0,1,2
# internal container --cpuset-cpus 0
podman run --rm -it \
	--security-opt label=disable \
	--user podman \
	--cpuset-cpus 0,1,2 \
	--cgroups=enabled \
	--cgroupns="private" \
	pinp \
		podman run --rm -it \
		--cpuset-cpus 0 \
		--cgroups=enabled \
		--cgroupns="private" \
		ubuntu

# shows external cgroupv2 settings
# "stress -c 3" confirms restriction for internal container is not functioning
$ cat /sys/fs/cgroup/cpuset.cpus.effective
0-2

I am currently diving into cgroupv2 interaction with systemd, cgroup delegation, and podman.
I believe it should be possible to have nested cgroup delegation in rootless containers.
Allowing hierarchical resource allocation between nested containers.

Has anyone preformed nested cgroupv2 restrictions?
Perhaps this is a bad idea?
I am also trying to get isolate to work inside podman, relying on nested cgroupv2 restrictions.

[RaubCamaioni]

I have a "rootfull" implementation partially working.
Note sure yet if this is preforming cgroupv2 delegation or adding a new container through systemd cgroupv2 at the same level as the parent container.
I believe podman requires cgroupv2 restrictions through systemd, so systemd must be present for any cgroupv2 related flag to work.

# running rootfull podman container with systemd enabled
sudo podman run --rm -it \
	--name pinp \
	--privileged \
	--security-opt label=disable \
	--device /dev/fuse \
	--cpuset-cpus 0,1,2 \
	pinp \
	/sbin/init
cat /sys/fs/cgroup/cpuset.cpus.effective
0-2

# running rootless podman inside of rootful podman with different cgroupv2 cpuset
podman run --rm -it \
	--cpuset-cpus 0 \
	--security-opt label=disable \
	ubuntu \
	cat /sys/fs/cgroup/cpuset.cpus.effective
/sys/fs/cgroup# cat cpuset.cpus.effective
0

---

edit

# list all cpuset.cpus.effective rootfull cgroupv2 delegation
find /sys/fs/cgroup/machine.slice -type f -name cpuset.cpus.effective -exec sh -c 'printf "%s: ", "{}"; cat "{}"' \;

Looks like it is a delegation / nested cgroup instance.

./libpod-2903e8735ce975d4201e3938217616e30b6c2d0056a0f18fa9a8cfe0a2cc0064.scope/cpuset.cpus.effective ---
0-2

cat ./libpod-2903e8735ce975d4201e3938217616e30b6c2d0056a0f18fa9a8cfe0a2cc0064.scope/container/libpod_parent/libpod-af700f3f9e4407ce301357385bd3288bd05217ea6d35527dbd2cdbf8560aa0ef/cpuset.cpus.effective ---
0

Just need to figure out if systemd can be utalized in rootless mode.