aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/common/create.go3
-rw-r--r--cmd/podman/common/create_opts.go2
-rw-r--r--cmd/podman/common/specgen.go29
-rw-r--r--cmd/podman/containers/create.go12
-rw-r--r--pkg/specgen/generate/container.go16
-rw-r--r--test/e2e/run_test.go9
6 files changed, 43 insertions, 28 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index f6fbe8e10..a26bbf718 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -330,8 +330,7 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet {
"pid", "",
"PID namespace to use",
)
- createFlags.Int64Var(
- &cf.PIDsLimit,
+ createFlags.Int64(
"pids-limit", containerConfig.PidsLimit(),
"Tune container pids limit (set 0 for unlimited, -1 for server defaults)",
)
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index eafe7f090..a544846aa 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -66,7 +66,7 @@ type ContainerCLIOpts struct {
OverrideArch string
OverrideOS string
PID string
- PIDsLimit int64
+ PIDsLimit *int64
Pod string
PodIDFile string
PreserveFDs uint
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index 2897dbf5a..f17077484 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -7,14 +7,12 @@ import (
"strings"
"time"
- "github.com/containers/common/pkg/config"
"github.com/containers/image/v5/manifest"
"github.com/containers/libpod/v2/cmd/podman/parse"
"github.com/containers/libpod/v2/libpod/define"
ann "github.com/containers/libpod/v2/pkg/annotations"
envLib "github.com/containers/libpod/v2/pkg/env"
ns "github.com/containers/libpod/v2/pkg/namespaces"
- "github.com/containers/libpod/v2/pkg/rootless"
"github.com/containers/libpod/v2/pkg/specgen"
systemdGen "github.com/containers/libpod/v2/pkg/systemd/generate"
"github.com/containers/libpod/v2/pkg/util"
@@ -127,25 +125,6 @@ func getIOLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts) (*specs.LinuxBlo
return io, nil
}
-func getPidsLimits(c *ContainerCLIOpts) *specs.LinuxPids {
- pids := &specs.LinuxPids{}
- if c.CGroupsMode == "disabled" && c.PIDsLimit != 0 {
- return nil
- }
- if c.PIDsLimit < 0 {
- if rootless.IsRootless() && containerConfig.Engine.CgroupManager != config.SystemdCgroupsManager {
- return nil
- }
- pids.Limit = containerConfig.PidsLimit()
- return pids
- }
- if c.PIDsLimit > 0 {
- pids.Limit = c.PIDsLimit
- return pids
- }
- return nil
-}
-
func getMemoryLimits(s *specgen.SpecGenerator, c *ContainerCLIOpts) (*specs.LinuxMemory, error) {
var err error
memory := &specs.LinuxMemory{}
@@ -460,7 +439,13 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
if err != nil {
return err
}
- s.ResourceLimits.Pids = getPidsLimits(c)
+ if c.PIDsLimit != nil {
+ pids := specs.LinuxPids{
+ Limit: *c.PIDsLimit,
+ }
+
+ s.ResourceLimits.Pids = &pids
+ }
s.ResourceLimits.CPU = getCPULimits(c)
if s.ResourceLimits.CPU == nil && s.ResourceLimits.Pids == nil && s.ResourceLimits.BlockIO == nil && s.ResourceLimits.Memory == nil {
s.ResourceLimits = nil
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index a44c0406f..9c9edb14f 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -4,6 +4,7 @@ import (
"context"
"fmt"
"os"
+ "strconv"
"strings"
"github.com/containers/common/pkg/config"
@@ -195,13 +196,18 @@ func createInit(c *cobra.Command) error {
cliVals.UTS = c.Flag("uts").Value.String()
cliVals.PID = c.Flag("pid").Value.String()
cliVals.CGroupsNS = c.Flag("cgroupns").Value.String()
- if !c.Flag("pids-limit").Changed {
- cliVals.PIDsLimit = -1
- }
if c.Flag("entrypoint").Changed {
val := c.Flag("entrypoint").Value.String()
cliVals.Entrypoint = &val
}
+ if c.Flags().Changed("pids-limit") {
+ val := c.Flag("pids-limit").Value.String()
+ pidsLimit, err := strconv.ParseInt(val, 10, 32)
+ if err != nil {
+ return err
+ }
+ cliVals.PIDsLimit = &pidsLimit
+ }
if c.Flags().Changed("env") {
env, err := c.Flags().GetStringArray("env")
if err != nil {
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index dee79cf67..f0d52d0c3 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -10,6 +10,7 @@ import (
envLib "github.com/containers/libpod/v2/pkg/env"
"github.com/containers/libpod/v2/pkg/signal"
"github.com/containers/libpod/v2/pkg/specgen"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
@@ -169,6 +170,21 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
}
}
+ // If caller did not specify Pids Limits load default
+ if s.ResourceLimits == nil || s.ResourceLimits.Pids == nil {
+ if s.CgroupsMode != "disabled" {
+ limit := rtc.PidsLimit()
+ if limit != 0 {
+ if s.ResourceLimits == nil {
+ s.ResourceLimits = &spec.LinuxResources{}
+ }
+ s.ResourceLimits.Pids = &spec.LinuxPids{
+ Limit: limit,
+ }
+ }
+ }
+ }
+
return verifyContainerResources(s)
}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 6cbedb457..9d48f1540 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1072,4 +1072,13 @@ USER mail`
Expect(session.OutputToString()).To(ContainSubstring(h))
})
+
+ It("podman run verify pids-limit", func() {
+ SkipIfCgroupV1()
+ limit := "4321"
+ session := podmanTest.Podman([]string{"run", "--pids-limit", limit, "--rm", ALPINE, "cat", "/sys/fs/cgroup/pids.max"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(limit))
+ })
})