From fa64c2a1517d20c08447bb2230f2903ec3baade9 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Mon, 2 Jul 2018 12:50:37 -0700
Subject: Make default limits the same as with runc
Closes #2
PiperOrigin-RevId: 202997196
Change-Id: I0c9f6f5a8a1abe1ae427bca5f590bdf9f82a6675
---
 runsc/boot/limits.go | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)
(limited to 'runsc/boot')
diff --git a/runsc/boot/limits.go b/runsc/boot/limits.go
index ea72de8e9..510497eba 100644
--- a/runsc/boot/limits.go
+++ b/runsc/boot/limits.go
@@ -23,29 +23,50 @@ import (
 
 // Mapping from linux resource names to limits.LimitType.
 var fromLinuxResource = map[string]limits.LimitType{
+ "RLIMIT_AS": limits.AS,
+ "RLIMIT_CORE": limits.Core,
 "RLIMIT_CPU": limits.CPU,
- "RLIMIT_FSIZE": limits.FileSize,
 "RLIMIT_DATA": limits.Data,
- "RLIMIT_STACK": limits.Stack,
- "RLIMIT_CORE": limits.Core,
- "RLIMIT_RSS": limits.Rss,
- "RLIMIT_NPROC": limits.ProcessCount,
- "RLIMIT_NOFILE": limits.NumberOfFiles,
- "RLIMIT_MEMLOCK": limits.MemoryPagesLocked,
- "RLIMIT_AS": limits.AS,
+ "RLIMIT_FSIZE": limits.FileSize,
 "RLIMIT_LOCKS": limits.Locks,
- "RLIMIT_SIGPENDING": limits.SignalsPending,
+ "RLIMIT_MEMLOCK": limits.MemoryPagesLocked,
 "RLIMIT_MSGQUEUE": limits.MessageQueueBytes,
 "RLIMIT_NICE": limits.Nice,
+ "RLIMIT_NOFILE": limits.NumberOfFiles,
+ "RLIMIT_NPROC": limits.ProcessCount,
+ "RLIMIT_RSS": limits.Rss,
 "RLIMIT_RTPRIO": limits.RealTimePriority,
 "RLIMIT_RTTIME": limits.Rttime,
+ "RLIMIT_SIGPENDING": limits.SignalsPending,
+ "RLIMIT_STACK": limits.Stack,
 }
 
 func createLimitSet(spec *specs.Spec) (*limits.LimitSet, error) {
- ls, err := limits.NewLinuxDistroLimitSet()
+ ls, err := limits.NewLinuxLimitSet()
 if err != nil {
 return nil, err
 }
+
+ // Set default limits based on what containers get by default, ex:
+ // $ docker run --rm debian prlimit
+ ls.SetUnchecked(limits.AS, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.Core, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.CPU, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.Data, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.FileSize, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.Locks, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.MemoryPagesLocked, limits.Limit{Cur: 65536, Max: 65536})
+ ls.SetUnchecked(limits.MessageQueueBytes, limits.Limit{Cur: 819200, Max: 819200})
+ ls.SetUnchecked(limits.Nice, limits.Limit{Cur: 0, Max: 0})
+ ls.SetUnchecked(limits.NumberOfFiles, limits.Limit{Cur: 1048576, Max: 1048576})
+ ls.SetUnchecked(limits.ProcessCount, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.Rss, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.RealTimePriority, limits.Limit{Cur: 0, Max: 0})
+ ls.SetUnchecked(limits.Rttime, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+ ls.SetUnchecked(limits.SignalsPending, limits.Limit{Cur: 0, Max: 0})
+ ls.SetUnchecked(limits.Stack, limits.Limit{Cur: 8388608, Max: limits.Infinity})
+
+ // Then apply overwrites on top of defaults.
 for _, rl := range spec.Process.Rlimits {
 lt, ok := fromLinuxResource[rl.Type]
 if !ok {
--
cgit v1.2.3
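Review bot: The default table added to createLimitSet needs more documentation than the `prlimit` pointer: the literals carry no units, and nothing records that the permissive entries are deliberate. With `ProcessCount`, `AS`, `Core` and `Data` at `limits.Infinity`, a spec that lists no rlimits gets no process-count or address-space bound from this limit set, so a reader should be told that any containment has to come from the spec overrides or from controls outside this function. I would extend the comment along the lines of `// Compatibility snapshot of Docker/runc defaults, not a containment boundary. Sizes are in bytes: MemoryPagesLocked 64 KiB, Stack 8 MiB soft.` The `SignalsPending` entry at `Cur: 0, Max: 0` deserves a second look, since `prlimit` normally reports a host-derived non-zero value there; whether a zero has any effect depends on enforcement code that is not visible in this hunk. The override loop that starts on the last context lines continues outside the hunk.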