Add support for container pids limit

We add a daemon level setting and will add a container override once it is supported in CRI. Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-07 14:43:35 -07:00 · 2017-07-07 14:43:35 -07:00 · e49dd34657
commit e49dd34657
parent e949508b17
4 changed files with 29 additions and 0 deletions
--- a/cmd/crio/config.go
+++ b/cmd/crio/config.go
@ -98,6 +98,9 @@ apparmor_profile = "{{ .ApparmorProfile }}"
 # for the runtime.
 cgroup_manager = "{{ .CgroupManager }}"

+# pids_limit is the number of processes allowed in a container
+pids_limit = {{ .PidsLimit }}
+
 # The "crio.image" table contains settings pertaining to the
 # management of OCI images.
 [crio.image]
--- a/cmd/crio/main.go
+++ b/cmd/crio/main.go
@ -103,6 +103,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	if ctx.GlobalIsSet("cgroup-manager") {
 		config.CgroupManager = ctx.GlobalString("cgroup-manager")
 	}
+	if ctx.GlobalIsSet("pids-limit") {
+		config.PidsLimit = ctx.GlobalInt64("pids-limit")
+	}
 	if ctx.GlobalIsSet("cni-config-dir") {
 		config.NetworkDir = ctx.GlobalString("cni-config-dir")
 	}
@ -239,6 +242,11 @@ func main() {
 			Name:  "cgroup-manager",
 			Usage: "cgroup manager (cgroupfs or systemd)",
 		},
+		cli.Int64Flag{
+			Name:  "pids-limit",
+			Value: server.DefaultPidsLimit,
+			Usage: "maximum number of processes allowed in a container",
+		},
 		cli.StringFlag{
 			Name:  "cni-config-dir",
 			Usage: "CNI configuration files directory",
--- a/server/config.go
+++ b/server/config.go
@ -43,6 +43,12 @@ const (
 	ImageVolumesIgnore ImageVolumesType = "ignore"
 )

+const (
+	// DefaultPidsLimit is the default value for maximum number of processes
+	// allowed inside a container
+	DefaultPidsLimit = 1024
+)
+
 // This structure is necessary to fake the TOML tables when parsing,
 // while also not requiring a bunch of layered structs for no good
 // reason.
@ -133,6 +139,10 @@ type RuntimeConfig struct {
 	// CgroupManager is the manager implementation name which is used to
 	// handle cgroups for containers.
 	CgroupManager string `toml:"cgroup_manager"`
+
+	// PidsLimit is the number of processes each container is restricted to
+	// by the cgroup process number controller.
+	PidsLimit int64 `toml:"pids_limit"`
 }

 // ImageConfig represents the "crio.image" TOML config table.
@ -261,6 +271,7 @@ func DefaultConfig() *Config {
 			SeccompProfile:  seccompProfilePath,
 			ApparmorProfile: apparmorProfileName,
 			CgroupManager:   cgroupManager,
+			PidsLimit:       DefaultPidsLimit,
 		},
 		ImageConfig: ImageConfig{
 			DefaultTransport:    defaultTransport,
--- a/server/container_create.go
+++ b/server/container_create.go
@ -19,6 +19,7 @@ import (
 	"github.com/kubernetes-incubator/cri-o/server/apparmor"
 	"github.com/kubernetes-incubator/cri-o/server/seccomp"
 	"github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/user"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
@ -673,6 +674,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		}
 	}

+	// Set up pids limit if pids cgroup is mounted
+	_, err = cgroups.FindCgroupMountpoint("pids")
+	if err == nil {
+		specgen.SetLinuxResourcesPidsLimit(s.config.PidsLimit)
+	}
+
 	// by default, the root path is an empty string. set it now.
 	specgen.SetRootPath(mountPoint)