From 4af39dd1c522f7852312ecbfd3678892fc656322 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Fri, 24 Apr 2020 18:15:26 -0700
Subject: Propagate PID limit from OCI to sandbox cgroup

Closes #2489

PiperOrigin-RevId: 308362434
---
 runsc/cgroup/cgroup.go | 14 ++++++++++++--
 test/root/cgroup_test.go | 6 ++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/runsc/cgroup/cgroup.go b/runsc/cgroup/cgroup.go
index 653ca5f52..fa40ee509 100644
--- a/runsc/cgroup/cgroup.go
+++ b/runsc/cgroup/cgroup.go
@@ -45,13 +45,13 @@ var controllers = map[string]controller{
 "memory": &memory{},
 "net_cls": &networkClass{},
 "net_prio": &networkPrio{},
+ "pids": &pids{},
 
 // These controllers either don't have anything in the OCI spec or is
- // irrevalant for a sandbox, e.g. pids.
+ // irrelevant for a sandbox.
 "devices": &noop{},
 "freezer": &noop{},
 "perf_event": &noop{},
- "pids": &noop{},
 "systemd": &noop{},
 }
 
@@ -525,3 +525,13 @@ func (*networkPrio) set(spec *specs.LinuxResources, path string) error {
 }
 return nil
 }
+
+type pids struct{}
+
+func (*pids) set(spec *specs.LinuxResources, path string) error {
+ if spec.Pids == nil {
+ return nil
+ }
+ val := strconv.FormatInt(spec.Pids.Limit, 10)
+ return setValue(path, "pids.max", val)
+}
diff --git a/test/root/cgroup_test.go b/test/root/cgroup_test.go
index 8876d0d61..d0634b5c3 100644
--- a/test/root/cgroup_test.go
+++ b/test/root/cgroup_test.go
@@ -199,6 +199,12 @@ func TestCgroup(t *testing.T) {
 want: "750",
 skipIfNotFound: true, // blkio groups may not be available.
 },
+ {
+ arg: "--pids-limit=1000",
+ ctrl: "pids",
+ file: "pids.max",
+ want: "1000",
+ },
 }
 
 args := make([]string, 0, len(attrs))
-- 
cgit v1.2.3
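Review bot: `(*pids).set` in runsc/cgroup/cgroup.go writes `spec.Pids.Limit` to `pids.max` verbatim, so a zero or negative limit is not treated as "no limit". As far as I know the kernel file accepts only `max` or a non-negative count, so -1 would likely make cgroup setup fail and 0 would leave a sandbox cgroup that cannot create new tasks; callers that pass a non-positive value to mean unlimited should get a no-op instead. Widening the guard to `if spec.Pids == nil || spec.Pids.Limit <= 0 {` covers that. The case added to test/root/cgroup_test.go exercises only a positive limit, and the new type would benefit from a short comment such as `// pids applies the OCI pids limit to the sandbox cgroup's pids.max.`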