diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-10-07 15:01:27 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-07 15:01:27 -0700 |
commit | c817ea1b33966c2f1f089b5c086df8cc45437065 (patch) | |
tree | eccc53908a469d5b71234bebf5957a70a8f9fd3a /pkg | |
parent | 589261f275b485d78a6ac1bd7b95578257fc020f (diff) | |
parent | 118cf1fc634ffc63b908d6b082ffc3a53553a6af (diff) | |
download | podman-c817ea1b33966c2f1f089b5c086df8cc45437065.tar.gz podman-c817ea1b33966c2f1f089b5c086df8cc45437065.tar.bz2 podman-c817ea1b33966c2f1f089b5c086df8cc45437065.zip |
Merge pull request #4032 from rhatdan/pids-limit
Setup a reasonable default for pids-limit 4096
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/spec/spec.go | 23 | ||||
-rw-r--r-- | pkg/sysinfo/sysinfo.go | 9 | ||||
-rw-r--r-- | pkg/sysinfo/sysinfo_linux.go | 15 |
3 files changed, 40 insertions, 7 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index c7aa003e8..57c6e8da7 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -7,6 +7,7 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/pkg/cgroups" "github.com/containers/libpod/pkg/rootless" + "github.com/containers/libpod/pkg/sysinfo" "github.com/docker/docker/oci/caps" "github.com/docker/go-units" "github.com/opencontainers/runc/libcontainer/user" @@ -300,9 +301,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM blockAccessToKernelFilesystems(config, &g) // RESOURCES - PIDS - if config.Resources.PidsLimit != 0 { - g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit) - addedResources = true + if config.Resources.PidsLimit > 0 { + // if running on rootless on a cgroupv1 machine, pids limit is + // not supported. If the value is still the default + // then ignore the settings. If the caller asked for a + // non-default, then try to use it. + setPidLimit := true + if rootless.IsRootless() { + cgroup2, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + return nil, err + } + if !cgroup2 && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() { + setPidLimit = false + } + } + if setPidLimit { + g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit) + addedResources = true + } } for name, val := range config.Env { diff --git a/pkg/sysinfo/sysinfo.go b/pkg/sysinfo/sysinfo.go index f046de4b1..686f66ce5 100644 --- a/pkg/sysinfo/sysinfo.go +++ b/pkg/sysinfo/sysinfo.go @@ -142,3 +142,12 @@ func popcnt(x uint64) (n byte) { x *= 0x0101010101010101 return byte(x >> 56) } + +// GetDefaultPidsLimit returns the default pids limit to run containers with +func GetDefaultPidsLimit() int64 { + sysInfo := New(true) + if !sysInfo.PidsLimit { + return 0 + } + return 4096 +} diff --git a/pkg/sysinfo/sysinfo_linux.go b/pkg/sysinfo/sysinfo_linux.go index 9e675c655..76bda23c6 100644 --- a/pkg/sysinfo/sysinfo_linux.go +++ b/pkg/sysinfo/sysinfo_linux.go @@ -7,6 +7,7 @@ import ( "path" "strings" + cg "github.com/containers/libpod/pkg/cgroups" "github.com/opencontainers/runc/libcontainer/cgroups" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" @@ -227,12 +228,18 @@ func checkCgroupCpusetInfo(cgMounts map[string]string, quiet bool) cgroupCpusetI // checkCgroupPids reads the pids information from the pids cgroup mount point. func checkCgroupPids(quiet bool) cgroupPids { - _, err := cgroups.FindCgroupMountpoint("", "pids") + cgroup2, err := cg.IsCgroup2UnifiedMode() if err != nil { - if !quiet { - logrus.Warn(err) + logrus.Errorf("Failed to check cgroups version: %v", err) + } + if !cgroup2 { + _, err := cgroups.FindCgroupMountpoint("", "pids") + if err != nil { + if !quiet { + logrus.Warn(err) + } + return cgroupPids{} } - return cgroupPids{} } return cgroupPids{ |