podman: cgroup is not displayed as shared namespace in pod inspection

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

podman help pod create lists cgroup as one of the default values of the --share flag, which specifies the namespaces shared in a pod. However, cgroup is not listed in SharedNamespaces of a pod created with default values. Even if cgroup is explicitly specified in the --share flag, cgroup is not listed in the result of podman pod inspect, and containers in the pod do not actually share a cgroup namespace. For other --share options such as ipc and net, the values given to --share are displayed in SharedNamespaces by podman pod inspect.

In the source code, there are two similar parameters for cgroups in a pod. When cgroup is specified in --share, PodConfig.UsePodCgroup is set to true. For SharedNamespaces in pod inspection, PodConfig.UsePodCgroupNS is consulted. Two cgroup-related resources can be shared in a pod, a cgroup parent and a cgroup namespace:

  • When PodConfig.UsePodCgroup is true, a cgroup parent is shared in a pod, so that all containers in the pod have the same cgroup parent.
  • If PodConfig.UsePodCgroupNS is true, a cgroup namespace is shared in a pod, so that all containers in the pod join the same cgroup namespace; however, this flag is currently never set.
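
As an added example (not part of this issue or of Podman's code), a script that checks what two containers in one pod actually share with respect to cgroups, telling the cgroup parent apart from the cgroup namespace. It compares the cgroup namespace inode seen from inside each container with the CgroupParent that podman inspect reports; the pod name and image are assumptions, and the pod must already exist.

```shell
#!/usr/bin/env bash
# Added example, not from the issue: distinguish a shared cgroup parent
# from a shared cgroup namespace for two containers of the same pod.
set -eu

# Namespace identity is the inode in the ns link, e.g. "cgroup:[4026531835]".
ns_inode() {
  local link=$1
  link=${link#cgroup:\[}
  printf '%s\n' "${link%]}"
}

# Classify what two containers share. Arguments: nsA nsB parentA parentB.
# Prints a space-separated list of shared cgroup resources (may be empty).
shared_cgroup_resources() {
  local shared=""
  [ "$(ns_inode "$1")" = "$(ns_inode "$2")" ] && shared="cgroupns"
  [ -n "$3" ] && [ "$3" = "$4" ] && shared="${shared:+$shared }cgroup-parent"
  printf '%s\n' "$shared"
}

# Live check (needs podman). $1 is an existing pod name, $2 an image;
# both values are assumptions of this example.
check_pod() {
  local pod=$1 img=${2:-docker.io/library/alpine}
  local a b ns_a ns_b par_a par_b
  a=$(podman run -d --pod "$pod" "$img" sleep 30)
  b=$(podman run -d --pod "$pod" "$img" sleep 30)
  # The ns link is read from inside each container, the parent from the host.
  ns_a=$(podman exec "$a" readlink /proc/self/ns/cgroup)
  ns_b=$(podman exec "$b" readlink /proc/self/ns/cgroup)
  par_a=$(podman inspect --format '{{.HostConfig.CgroupParent}}' "$a")
  par_b=$(podman inspect --format '{{.HostConfig.CgroupParent}}' "$b")
  podman rm -f "$a" "$b" >/dev/null
  shared_cgroup_resources "$ns_a" "$ns_b" "$par_a" "$par_b"
}

# Run the live check only when podman is installed and a pod name was given.
if [ "$#" -ge 1 ] && command -v podman >/dev/null 2>&1; then
  check_pod "$@"
fi
```

With the behaviour described in this report, the live check prints only cgroup-parent for a default pod, since the namespace inodes differ while the parent matches.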

There are several options for resolving the issue:

  • Just add a note to documentation.
  • Keep sharing a cgroup parent, as in the current behavior, and fix podman pod inspect to display cgroup in SharedNamespaces based on PodConfig.UsePodCgroup. A further change would be required if sharing a cgroup namespace, which is currently not shared, is necessary.
  • Fix pod creation to share a cgroup namespace by setting PodConfig.UsePodCgroupNS. A further fix would be required for sharing a cgroup parent.

Steps to reproduce the issue:

  1. Confirm the default shared namespaces in a pod:

     $ podman pod create --help

     Create a new empty pod

     Description:
       After creating the pod, the pod ID is printed to stdout.
     <snip>
          --share string                  A comma delimited list of kernel namespaces the pod will share (default "cgroup,ipc,net,uts")
     <snip>

  2. Create a pod:

     $ podman pod create --name testpod

  3. Inspect the shared namespaces of the created pod:

     $ podman pod inspect --format '{{.SharedNamespaces}}' testpod

Describe the results you received:

“cgroup” is not included in the result:

$ podman pod inspect --format '{{.SharedNamespaces}}' testpod
[net uts ipc]

Describe the results you expected:

“cgroup” is included in the result:

$ podman pod inspect --format '{{.SharedNamespaces}}' testpod
[cgroup net uts ipc]

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.16.8
Built:        Fri Nov 12 15:25:37 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.30-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: '
  cpus: 8
  distribution:
    distribution: fedora
    variant: workstation
    version: "35"
  eventLogger: journald
  hostname: laptop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.15.7-200.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2182692864
  memTotal: 16295391232
  ociRuntime:
    name: crun
    package: crun-1.3-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.3
      commit: 8e5757a4e68590326dafe8a8b1b4a584b10a1370
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8587571200
  swapTotal: 8589930496
  uptime: 13h 58m 30.75s (Approximately 0.54 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.7.1-2.fc35.x86_64
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /home/user/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 12
  runRoot: /run/user/1000/containers
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.2
  Built: 1636748737
  BuiltTime: Fri Nov 12 15:25:37 2021
  GitCommit: ""
  GoVersion: go1.16.8
  OsArch: linux/amd64
  Version: 3.4.2

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.4.2-1.fc35.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 24 (14 by maintainers)

Most upvoted comments

--share=cgroup needs to force sharing of the actual cgroup namespace; having it not do this is very confusing for all involved, I think. Changing the CLI might be a breaking change, but fortunately we have a few more weeks of that left.

Keeping the same defaults as current (cgroup namespace unshared, pod cgroup shared) seems reasonable, let’s just refine the CLI experience so that --share only affects namespaces.