authorDaniel J Walsh <dwalsh@redhat.com>2019-09-14 06:21:10 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2019-10-04 16:09:13 -0400
commit118cf1fc634ffc63b908d6b082ffc3a53553a6af (patch)
tree8d7f04fd776b39f6b685ce1a37d2f4935e39915c /pkg/spec/spec.go
parentbd08fc0e9b3a9943008585879877b68789e38c31 (diff)
Setup a reasonable default for pids-limit 4096
CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable. Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/spec/spec.go')
-rw-r--r--pkg/spec/spec.go23
1 files changed, 20 insertions, 3 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index c7aa003e8..57c6e8da7 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -7,6 +7,7 @@ import (
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/cgroups"
"github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/libpod/pkg/sysinfo"
"github.com/docker/docker/oci/caps"
"github.com/docker/go-units"
"github.com/opencontainers/runc/libcontainer/user"
@@ -300,9 +301,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
blockAccessToKernelFilesystems(config, &g)
// RESOURCES - PIDS
- if config.Resources.PidsLimit != 0 {
- g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit)
- addedResources = true
+ if config.Resources.PidsLimit > 0 {
+ // if running on rootless on a cgroupv1 machine, pids limit is
+ // not supported. If the value is still the default
+ // then ignore the settings. If the caller asked for a
+ // non-default, then try to use it.
+ setPidLimit := true
+ if rootless.IsRootless() {
+ cgroup2, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ return nil, err
+ }
+ if !cgroup2 && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() {
+ setPidLimit = false
+ }
+ }
+ if setPidLimit {
+ g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit)
+ addedResources = true
+ }
}
for name, val := range config.Env {
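Review bot: The rootless cgroup v1 branch at `setPidLimit = false` drops the pids limit silently, so a container the operator believes is capped at the default starts with no pids ceiling of its own, and that ceiling is what contains a fork bomb. Because the test is `config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit()`, an explicit request for the same number as the default cannot be told apart from "not set" and is skipped as well, which contradicts the comment's "if the caller asked for a non-default, then try to use it". I would record the skip at that branch, for example `logrus.Debugf("pids limit %d not applied: rootless on cgroup v1", config.Resources.PidsLimit)` (assuming logrus is already imported in this file, which the hunk does not show), and decide on whether the caller set the flag rather than on the value. The `> 0` guard also makes 0 and every negative value mean "no limit written to the spec"; a one-line comment such as `// 0 and negative values leave the pids limit unset (inherits the parent cgroup)` would make that explicit. createConfigToOCISpec starts and ends outside the hunk.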