From e49dd346577a3511727236335e7ff6eb63be6264 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Fri, 7 Jul 2017 14:43:35 -0700
Subject: [PATCH] Add support for container pids limit

We add a daemon level setting and will add a container override once it is supported in CRI.

Signed-off-by: Mrunal Patel
---
 cmd/crio/config.go         |  3 +++
 cmd/crio/main.go           |  8 ++++++++
 server/config.go           | 11 +++++++++++
 server/container_create.go |  7 +++++++
 4 files changed, 29 insertions(+)

diff --git a/cmd/crio/config.go b/cmd/crio/config.go
index 5d61a02e..bcd41042 100644
--- a/cmd/crio/config.go
+++ b/cmd/crio/config.go
@@ -98,6 +98,9 @@ apparmor_profile = "{{ .ApparmorProfile }}"
 # for the runtime.
 cgroup_manager = "{{ .CgroupManager }}"
 
+# pids_limit is the number of processes allowed in a container
+pids_limit = {{ .PidsLimit }}
+
 # The "crio.image" table contains settings pertaining to the
 # management of OCI images.
 [crio.image]
diff --git a/cmd/crio/main.go b/cmd/crio/main.go
index 4f2460c0..09bac519 100644
--- a/cmd/crio/main.go
+++ b/cmd/crio/main.go
@@ -103,6 +103,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	if ctx.GlobalIsSet("cgroup-manager") {
 		config.CgroupManager = ctx.GlobalString("cgroup-manager")
 	}
+	if ctx.GlobalIsSet("pids-limit") {
+		config.PidsLimit = ctx.GlobalInt64("pids-limit")
+	}
 	if ctx.GlobalIsSet("cni-config-dir") {
 		config.NetworkDir = ctx.GlobalString("cni-config-dir")
 	}
@@ -239,6 +242,11 @@ func main() {
 			Name:  "cgroup-manager",
 			Usage: "cgroup manager (cgroupfs or systemd)",
 		},
+		cli.Int64Flag{
+			Name:  "pids-limit",
+			Value: server.DefaultPidsLimit,
+			Usage: "maximum number of processes allowed in a container",
+		},
 		cli.StringFlag{
 			Name:  "cni-config-dir",
 			Usage: "CNI configuration files directory",
diff --git a/server/config.go b/server/config.go
index 081dacdd..86c0a380 100644
--- a/server/config.go
+++ b/server/config.go
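Review bot: The new template comment on `pids_limit` does not tell an operator that the limit is best-effort: in the server/container_create.go hunk of this same patch the limit is applied only when `cgroups.FindCgroupMountpoint("pids")` succeeds, and is skipped without any message otherwise. Suggest widening the comment to `# pids_limit is the maximum number of processes allowed in a container.` followed by `# It is only enforced when the pids cgroup controller is mounted on the host.` The rendered value is the effective setting, so nothing else in the template needs to change.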
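Review bot: The new `pids-limit` branch in mergeConfig stores `ctx.GlobalInt64("pids-limit")` without a range check, so `--pids-limit 0` or a negative value is accepted and whether the daemon-wide fork protection this option is meant to provide still applies then depends on how the runtime interprets a non-positive limit. Since mergeConfig already returns an error, reject it up front: `if v := ctx.GlobalInt64("pids-limit"); v < 1 {` / `return fmt.Errorf("pids-limit must be a positive integer, got %d", v)` / `}` (using whatever error constructor the file already imports). Values read from the TOML `pids_limit` key never pass through this function, so if config loading has a shared validation point the check belongs there instead; that code is outside this patch. The flag's Usage string in the following hunk could state the same constraint.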
@@ -43,6 +43,12 @@ const (
 	ImageVolumesIgnore ImageVolumesType = "ignore"
 )
 
+const (
+	// DefaultPidsLimit is the default value for maximum number of processes
+	// allowed inside a container
+	DefaultPidsLimit = 1024
+)
+
 // This structure is necessary to fake the TOML tables when parsing,
 // while also not requiring a bunch of layered structs for no good
 // reason.
@@ -133,6 +139,10 @@ type RuntimeConfig struct {
 	// CgroupManager is the manager implementation name which is used to
 	// handle cgroups for containers.
 	CgroupManager string `toml:"cgroup_manager"`
+
+	// PidsLimit is the number of processes each container is restricted to
+	// by the cgroup process number controller.
+	PidsLimit int64 `toml:"pids_limit"`
 }
 
 // ImageConfig represents the "crio.image" TOML config table.
@@ -261,6 +271,7 @@ func DefaultConfig() *Config {
 			SeccompProfile:  seccompProfilePath,
 			ApparmorProfile: apparmorProfileName,
 			CgroupManager:   cgroupManager,
+			PidsLimit:       DefaultPidsLimit,
 		},
 		ImageConfig: ImageConfig{
 			DefaultTransport: defaultTransport,
diff --git a/server/container_create.go b/server/container_create.go
index ed7dd126..be0e4987 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -19,6 +19,7 @@ import (
 	"github.com/kubernetes-incubator/cri-o/server/apparmor"
 	"github.com/kubernetes-incubator/cri-o/server/seccomp"
 	"github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/user"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
@@ -673,6 +674,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		}
 	}
 
+	// Set up pids limit if pids cgroup is mounted
+	_, err = cgroups.FindCgroupMountpoint("pids")
+	if err == nil {
+		specgen.SetLinuxResourcesPidsLimit(s.config.PidsLimit)
+	}
+
 	// by default, the root path is an empty string. set it now.
 	specgen.SetRootPath(mountPoint)
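Review bot: The doc comment on the new `PidsLimit` field in RuntimeConfig overstates what the setting guarantees: it says each container "is restricted" by the process number controller, but in the server/container_create.go hunk of this patch `SetLinuxResourcesPidsLimit` is called only when `cgroups.FindCgroupMountpoint("pids")` returns no error, and nothing is set or logged otherwise, so an operator who configured `pids_limit` gets no signal that it is not being enforced. Suggest `// PidsLimit is the maximum number of processes each container is restricted to` / `// by the pids cgroup controller. It is applied only when that controller is` / `// mounted on the host; otherwise containers are created without a pids limit.` The comment should also say whether zero or negative values are meaningful, since neither this struct nor DefaultConfig validates the value.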