Antonio Murdaca
GitHub
commit
17584facf0
8 changed files with 81 additions and 1 deletions
|
|
@ -43,6 +43,12 @@ const (
|
|||
ImageVolumesIgnore ImageVolumesType = "ignore"
|
||||
)
|
||||
|
||||
const (
|
||||
// DefaultPidsLimit is the default value for maximum number of processes
|
||||
// allowed inside a container
|
||||
DefaultPidsLimit = 1024
|
||||
)
|
||||
|
||||
// This structure is necessary to fake the TOML tables when parsing,
|
||||
// while also not requiring a bunch of layered structs for no good
|
||||
// reason.
|
||||
|
|
@ -133,6 +139,10 @@ type RuntimeConfig struct {
|
|||
// CgroupManager is the manager implementation name which is used to
|
||||
// handle cgroups for containers.
|
||||
CgroupManager string `toml:"cgroup_manager"`
|
||||
|
||||
// PidsLimit is the number of processes each container is restricted to
|
||||
// by the cgroup process number controller.
|
||||
PidsLimit int64 `toml:"pids_limit"`
|
||||
}
|
||||
|
||||
// ImageConfig represents the "crio.image" TOML config table.
|
||||
|
|
@ -261,6 +271,7 @@ func DefaultConfig() *Config {
|
|||
SeccompProfile: seccompProfilePath,
|
||||
ApparmorProfile: apparmorProfileName,
|
||||
CgroupManager: cgroupManager,
|
||||
PidsLimit: DefaultPidsLimit,
|
||||
},
|
||||
ImageConfig: ImageConfig{
|
||||
DefaultTransport: defaultTransport,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ import (
|
|||
"github.com/kubernetes-incubator/cri-o/server/apparmor"
|
||||
"github.com/kubernetes-incubator/cri-o/server/seccomp"
|
||||
"github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||
"github.com/opencontainers/runc/libcontainer/devices"
|
||||
"github.com/opencontainers/runc/libcontainer/user"
|
||||
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
|
|
@ -323,6 +324,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
return nil, err
|
||||
}
|
||||
|
||||
// Add cgroup mount so container process can introspect its own limits
|
||||
specgen.AddCgroupsMount("ro")
|
||||
|
||||
if err := addDevices(sb, containerConfig, &specgen); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -673,6 +677,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
}
|
||||
|
||||
// Set up pids limit if pids cgroup is mounted
|
||||
_, err = cgroups.FindCgroupMountpoint("pids")
|
||||
if err == nil {
|
||||
specgen.SetLinuxResourcesPidsLimit(s.config.PidsLimit)
|
||||
}
|
||||
|
||||
// by default, the root path is an empty string. set it now.
|
||||
specgen.SetRootPath(mountPoint)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue