Docs: rootless Podman resource limits (cgroups v2) and socket safety

What does this MR do and why?

The Use Podman to run Docker commands section walks through a rootless Podman setup but does not mention resource limits, which behave differently under rootless Podman than under Docker.

This MR adds three things to that section:

  1. Resource limits require cgroups v2. Container resource limits set in [runners.docker] (memory, memory_swap, cpus) are enforced by rootless Podman only under the cgroups v2 hierarchy with the systemd cgroup manager, which is the default on current releases. On the legacy cgroups v1 hierarchy, rootless Podman silently ignores them and the job runs unconstrained, so a single job can exhaust host memory or CPU.
  2. Do not mount the Podman socket into jobs. Mounting the socket into a job container returns the host-engine privilege that rootless Podman exists to remove.
  3. Ephemeral-vs-static cross-link to the runner security guidance.

Validated on a RHEL-family host (AlmaLinux 9): under cgroups v2 a --memory limit is enforced, while on the v1 hierarchy Podman logs Resource limits are not supported and ignored on cgroups V1 rootless systems and the limit is not applied.

Related issues: #27119 (closed) (Podman GA; docs assume a static host), #28815 (closed) (rootless hang on RHEL/CentOS 8), #29480 (closed) (rootless services + FF_NETWORK_PER_BUILD).

Merge request reports

Loading