Add support for container pids limit

We add a daemon-level setting and will add a per-container
override once it is supported in CRI.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
This commit is contained in:
Mrunal Patel 2017-07-07 14:43:35 -07:00
parent e949508b17
commit e49dd34657
4 changed files with 29 additions and 0 deletions


@ -98,6 +98,9 @@ apparmor_profile = "{{ .ApparmorProfile }}"
# for the runtime. # for the runtime.
cgroup_manager = "{{ .CgroupManager }}" cgroup_manager = "{{ .CgroupManager }}"
# pids_limit is the number of processes allowed in a container
pids_limit = {{ .PidsLimit }}
# The "crio.image" table contains settings pertaining to the # The "crio.image" table contains settings pertaining to the
# management of OCI images. # management of OCI images.
[crio.image] [crio.image]
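Review bot: The template comment `# pids_limit is the number of processes allowed in a container` is the user-facing documentation for a hardening knob, and it does not say how the limit is enforced or when it is not. Elsewhere in this commit the limit is only written into the container spec when a pids cgroup mountpoint is found, so on a host without that controller the setting silently has no effect. Suggest: `# pids_limit is the maximum number of processes (pids cgroup tasks, which include threads) allowed in a container. It is enforced through the pids cgroup controller and is applied only on hosts where that controller is mounted.` Whether 0 or a negative value means "no limit" depends on how the runtime handles a non-positive pids limit, which this change does not pin down; the comment should state that once it is decided.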


@ -103,6 +103,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
if ctx.GlobalIsSet("cgroup-manager") { if ctx.GlobalIsSet("cgroup-manager") {
config.CgroupManager = ctx.GlobalString("cgroup-manager") config.CgroupManager = ctx.GlobalString("cgroup-manager")
} }
if ctx.GlobalIsSet("pids-limit") {
config.PidsLimit = ctx.GlobalInt64("pids-limit")
}
if ctx.GlobalIsSet("cni-config-dir") { if ctx.GlobalIsSet("cni-config-dir") {
config.NetworkDir = ctx.GlobalString("cni-config-dir") config.NetworkDir = ctx.GlobalString("cni-config-dir")
} }
@ -239,6 +242,11 @@ func main() {
Name: "cgroup-manager", Name: "cgroup-manager",
Usage: "cgroup manager (cgroupfs or systemd)", Usage: "cgroup manager (cgroupfs or systemd)",
}, },
cli.Int64Flag{
Name: "pids-limit",
Value: server.DefaultPidsLimit,
Usage: "maximum number of processes allowed in a container",
},
cli.StringFlag{ cli.StringFlag{
Name: "cni-config-dir", Name: "cni-config-dir",
Usage: "CNI configuration files directory", Usage: "CNI configuration files directory",
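Review bot: `config.PidsLimit = ctx.GlobalInt64("pids-limit")` in mergeConfig accepts any int64, including zero and negative values, and nothing in the commit rejects them; depending on how the runtime translates a non-positive pids limit into pids.max, such a value is likely to mean "no limit", which silently removes the fork-bomb containment this flag exists to provide. Add a range check right after the assignment, e.g. `if config.PidsLimit < 0 { return fmt.Errorf("pids-limit must not be negative, got %d", config.PidsLimit) }` (mergeConfig already returns error; fmt may need importing). Note that the same field is also populated from the TOML `pids_limit` key without passing through this branch, so a check placed at the end of mergeConfig, covering both sources, would be better than one inside the `GlobalIsSet` branch; mergeConfig's body continues outside this hunk. The flag's `Usage` string should also say which values are rejected or treated as unlimited once that is settled.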


@ -43,6 +43,12 @@ const (
ImageVolumesIgnore ImageVolumesType = "ignore" ImageVolumesIgnore ImageVolumesType = "ignore"
) )
const (
// DefaultPidsLimit is the default value for maximum number of processes
// allowed inside a container
DefaultPidsLimit = 1024
)
// This structure is necessary to fake the TOML tables when parsing, // This structure is necessary to fake the TOML tables when parsing,
// while also not requiring a bunch of layered structs for no good // while also not requiring a bunch of layered structs for no good
// reason. // reason.
@ -133,6 +139,10 @@ type RuntimeConfig struct {
// CgroupManager is the manager implementation name which is used to // CgroupManager is the manager implementation name which is used to
// handle cgroups for containers. // handle cgroups for containers.
CgroupManager string `toml:"cgroup_manager"` CgroupManager string `toml:"cgroup_manager"`
// PidsLimit is the number of processes each container is restricted to
// by the cgroup process number controller.
PidsLimit int64 `toml:"pids_limit"`
} }
// ImageConfig represents the "crio.image" TOML config table. // ImageConfig represents the "crio.image" TOML config table.
@ -261,6 +271,7 @@ func DefaultConfig() *Config {
SeccompProfile: seccompProfilePath, SeccompProfile: seccompProfilePath,
ApparmorProfile: apparmorProfileName, ApparmorProfile: apparmorProfileName,
CgroupManager: cgroupManager, CgroupManager: cgroupManager,
PidsLimit: DefaultPidsLimit,
}, },
ImageConfig: ImageConfig{ ImageConfig: ImageConfig{
DefaultTransport: defaultTransport, DefaultTransport: defaultTransport,
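Review bot: The doc comment on `PidsLimit` in RuntimeConfig does not say what the zero value means for a TOML file that omits `pids_limit`, nor that the limit counts pids cgroup tasks (threads as well as processes), which is what operators sizing the number need to know. Suggest: `// PidsLimit is the maximum number of tasks (processes and threads) each container may have, enforced through the pids cgroup controller. It applies daemon-wide to every container; a per-container override is not yet available through CRI.` The `DefaultPidsLimit` comment could likewise note that 1024 is the value used when neither the config file nor the --pids-limit flag sets one, as DefaultConfig and the flag default both reference it.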


@ -19,6 +19,7 @@ import (
"github.com/kubernetes-incubator/cri-o/server/apparmor" "github.com/kubernetes-incubator/cri-o/server/apparmor"
"github.com/kubernetes-incubator/cri-o/server/seccomp" "github.com/kubernetes-incubator/cri-o/server/seccomp"
"github.com/opencontainers/image-spec/specs-go/v1" "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/devices" "github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runc/libcontainer/user" "github.com/opencontainers/runc/libcontainer/user"
rspec "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go"
@ -673,6 +674,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
} }
// Set up pids limit if pids cgroup is mounted
_, err = cgroups.FindCgroupMountpoint("pids")
if err == nil {
specgen.SetLinuxResourcesPidsLimit(s.config.PidsLimit)
}
// by default, the root path is an empty string. set it now. // by default, the root path is an empty string. set it now.
specgen.SetRootPath(mountPoint) specgen.SetRootPath(mountPoint)
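Review bot: `_, err = cgroups.FindCgroupMountpoint("pids")` assigns to the function's existing `err` and leaves it non-nil whenever the pids cgroup is not mounted; createSandboxContainer continues past this hunk, so any later `if err != nil` before `err` is reassigned would fail on this stale value. The same branch also drops the limit silently: a host without the pids controller runs every container with no process ceiling and nothing records that the configured protection was not applied. Scope the error to the `if` and log in the `else` branch with whatever logger the file already uses (hedged: I cannot see its imports from this hunk). The mountpoint lookup is host-wide and could also be done once at server start rather than per container, but that is a smaller point.
```go
// Set up pids limit if pids cgroup is mounted
if _, err := cgroups.FindCgroupMountpoint("pids"); err == nil {
	specgen.SetLinuxResourcesPidsLimit(s.config.PidsLimit)
} else {
	logrus.Warnf("pids cgroup not mounted, pids limit %d not applied to container %s: %v", s.config.PidsLimit, containerID, err)
}
// … unchanged: root path setup …
```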