Propagate PID limit from OCI to sandbox cgroup

Closes #2489 PiperOrigin-RevId: 308362434
author: Fabricio Voznika <fvoznika@google.com> 2020-04-24 18:15:26 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-04-24 18:17:01 -0700
commit: 4af39dd1c522f7852312ecbfd3678892fc656322 (patch)
tree: af7b8696587367c2f628fd63000f1ae9ead2d603 /runsc
parent: 10725475c3d3b130b5ea516da6fcbb0b6119a6ac (diff)
1 files changed, 12 insertions, 2 deletions
diff --git a/runsc/cgroup/cgroup.go b/runsc/cgroup/cgroup.go
index 653ca5f52..fa40ee509 100644
--- a/runsc/cgroup/cgroup.go
+++ b/runsc/cgroup/cgroup.go
@@ -45,13 +45,13 @@ var controllers = map[string]controller{
 	"memory":   &memory{},
 	"net_cls":  &networkClass{},
 	"net_prio": &networkPrio{},
+	"pids":     &pids{},
 
 	// These controllers either don't have anything in the OCI spec or is
-	// irrevalant for a sandbox, e.g. pids.
+	// irrelevant for a sandbox.
 	"devices":    &noop{},
 	"freezer":    &noop{},
 	"perf_event": &noop{},
-	"pids":       &noop{},
 	"systemd":    &noop{},
 }
 
@@ -525,3 +525,13 @@ func (*networkPrio) set(spec *specs.LinuxResources, path string) error {
 	}
 	return nil
 }
+
+type pids struct{}
+
+func (*pids) set(spec *specs.LinuxResources, path string) error {
+	if spec.Pids == nil {
+		return nil
+	}
+	val := strconv.FormatInt(spec.Pids.Limit, 10)
+	return setValue(path, "pids.max", val)
+}
author	Fabricio Voznika <fvoznika@google.com>	2020-04-24 18:15:26 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-04-24 18:17:01 -0700
commit	4af39dd1c522f7852312ecbfd3678892fc656322 (patch)
tree	af7b8696587367c2f628fd63000f1ae9ead2d603 /runsc
parent	10725475c3d3b130b5ea516da6fcbb0b6119a6ac (diff)