From 118cf1fc634ffc63b908d6b082ffc3a53553a6af Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 14 Sep 2019 06:21:10 -0400
Subject: Setup a reasonable default for pids-limit 4096
CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable. Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit.
Signed-off-by: Daniel J Walsh
---
 cmd/podman/common.go | 5 +++--
 cmd/podman/shared/create.go | 7 ++++++-
 docs/podman-create.1.md | 2 +-
 docs/podman-run.1.md | 2 +-
 pkg/spec/spec.go | 23 ++++++++++++++++++++---
 pkg/sysinfo/sysinfo.go | 9 +++++++++
 pkg/sysinfo/sysinfo_linux.go | 15 +++++++++++----
 7 files changed, 51 insertions(+), 12 deletions(-)
diff --git a/cmd/podman/common.go b/cmd/podman/common.go
index 0115e6ef1..2a3f8f3ad 100644
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@@ -11,6 +11,7 @@ import (
 "github.com/containers/libpod/cmd/podman/shared"
 "github.com/containers/libpod/libpod/define"
 "github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/libpod/pkg/sysinfo"
 "github.com/fatih/camelcase"
 jsoniter "github.com/json-iterator/go"
 "github.com/pkg/errors"
@@ -374,8 +375,8 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 "PID namespace to use",
 )
 createFlags.Int64(
- "pids-limit", 0,
- "Tune container pids limit (set -1 for unlimited)",
+ "pids-limit", sysinfo.GetDefaultPidsLimit(),
+ "Tune container pids limit (set 0 for unlimited)",
 )
 createFlags.String(
 "pod", "",
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index fc8197721..f36295054 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
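Review bot: The new help string `"Tune container pids limit (set 0 for unlimited)"` no longer mentions `-1`, although the commit message says `-1` is now accepted and pkg/spec/spec.go treats every non-positive value as unlimited; users reading `--help` will not learn that. I'd write `"Tune container pids limit (set 0 or -1 for unlimited)"`. The default is now computed by `sysinfo.GetDefaultPidsLimit()` at flag registration, which appears to probe the host cgroup layout on every command that registers the create flags; a short comment noting that the default is host-dependent (0 on hosts without a usable pids cgroup) would spare the next reader a trip into pkg/sysinfo. getCreateFlags starts and ends outside the hunk.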
@@ -686,6 +686,11 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 logDriver = c.String("log-driver")
 }

+ pidsLimit := c.Int64("pids-limit")
+ if c.String("cgroups") == "disabled" && !c.Changed("pids-limit") {
+ pidsLimit = 0
+ }
+
 config := &cc.CreateConfig{
 Annotations: annotations,
 BuiltinImgVolumes: ImageVolumes,
@@ -764,7 +769,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 MemorySwappiness: int(memorySwappiness),
 KernelMemory: memoryKernel,
 OomScoreAdj: c.Int("oom-score-adj"),
- PidsLimit: c.Int64("pids-limit"),
+ PidsLimit: pidsLimit,
 Ulimit: c.StringSlice("ulimit"),
 },
 RestartPolicy: c.String("restart"),
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index c088f3e94..46fa4fcd4 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -552,7 +552,7 @@ Default is to create a private PID namespace for the container
 **--pids-limit**=*limit*

-Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
+Tune the container's pids limit. Set `0` to have unlimited pids for the container. (default "4096" on systems that support PIDS cgroups).

 **--pod**=*name*
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index d677f8262..dfc634288 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -565,7 +565,7 @@ Default is to create a private PID namespace for the container
 **--pids-limit**=*limit*

-Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
+Tune the container's pids limit. Set `0` to have unlimited pids for the container. (default "4096" on systems that support PIDS cgroups).

 **--pod**=*name*
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index c7aa003e8..57c6e8da7 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
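Review bot: The new `cgroups == "disabled"` block only suppresses the implicit default; an explicit `--pids-limit` combined with `--cgroups=disabled` is forwarded unchanged, which is presumably intentional so the runtime failure surfaces, but nothing says so. I'd add a comment above the block, e.g. `// Without cgroups there is no pids controller: drop the host default, but keep an explicit request so the failure is visible.` It is also worth noting here that negative values are forwarded as-is and only become "unlimited" through the `> 0` check in pkg/spec/spec.go, since the flag help text now documents only 0. ParseCreateOpts starts and ends outside the hunk.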
@@ -7,6 +7,7 @@ import (
 "github.com/containers/libpod/libpod"
 "github.com/containers/libpod/pkg/cgroups"
 "github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/libpod/pkg/sysinfo"
 "github.com/docker/docker/oci/caps"
 "github.com/docker/go-units"
 "github.com/opencontainers/runc/libcontainer/user"
@@ -300,9 +301,25 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 blockAccessToKernelFilesystems(config, &g)

 // RESOURCES - PIDS
- if config.Resources.PidsLimit != 0 {
- g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit)
- addedResources = true
+ if config.Resources.PidsLimit > 0 {
+ // if running on rootless on a cgroupv1 machine, pids limit is
+ // not supported. If the value is still the default
+ // then ignore the settings. If the caller asked for a
+ // non-default, then try to use it.
+ setPidLimit := true
+ if rootless.IsRootless() {
+ cgroup2, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ return nil, err
+ }
+ if !cgroup2 && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() {
+ setPidLimit = false
+ }
+ }
+ if setPidLimit {
+ g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit)
+ addedResources = true
+ }
 }

 for name, val := range config.Env {
diff --git a/pkg/sysinfo/sysinfo.go b/pkg/sysinfo/sysinfo.go
index f046de4b1..686f66ce5 100644
--- a/pkg/sysinfo/sysinfo.go
+++ b/pkg/sysinfo/sysinfo.go
@@ -142,3 +142,12 @@ func popcnt(x uint64) (n byte) {
 x *= 0x0101010101010101
 return byte(x >> 56)
 }
+
+// GetDefaultPidsLimit returns the default pids limit to run containers with
+func GetDefaultPidsLimit() int64 {
+ sysInfo := New(true)
+ if !sysInfo.PidsLimit {
+ return 0
+ }
+ return 4096
+}
diff --git a/pkg/sysinfo/sysinfo_linux.go b/pkg/sysinfo/sysinfo_linux.go
index 9e675c655..76bda23c6 100644
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
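Review bot: In the rootless branch the limit is dropped whenever it equals `sysinfo.GetDefaultPidsLimit()`, so a user who explicitly passes `--pids-limit 4096` on a cgroup v1 host is silently left with no pids limit at all, indistinguishable from the implicit default, and nothing is logged. Either carry a "flag was explicitly set" indication into CreateConfig, or at minimum log at debug level in the `setPidLimit = false` branch that the limit was ignored, so the absent pids containment is visible to operators. The comparison also calls `GetDefaultPidsLimit()`, which appears to build a fresh sysinfo via `New(true)` for every container spec; comparing against a named constant would avoid re-probing cgroups here. createConfigToOCISpec starts and ends outside the hunk.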
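Review bot: `4096` is a bare literal in the new GetDefaultPidsLimit while pkg/spec/spec.go detects "the default" by comparing against this function's result; a named exported constant, `const DefaultPidsLimit int64 = 4096`, returned here would give callers something stable to compare with and avoid re-running `New(true)`, which seems to probe every cgroup controller just to read one bool. The doc comment should also say that 0 is returned when no usable pids cgroup is found and that the result reflects the host probed at call time rather than a fixed policy.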
@@ -7,6 +7,7 @@ import (
 "path"
 "strings"

+ cg "github.com/containers/libpod/pkg/cgroups"
 "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
@@ -227,12 +228,18 @@ func checkCgroupCpusetInfo(cgMounts map[string]string, quiet bool) cgroupCpusetI

 // checkCgroupPids reads the pids information from the pids cgroup mount point.
 func checkCgroupPids(quiet bool) cgroupPids {
- _, err := cgroups.FindCgroupMountpoint("", "pids")
+ cgroup2, err := cg.IsCgroup2UnifiedMode()
 if err != nil {
- if !quiet {
- logrus.Warn(err)
+ logrus.Errorf("Failed to check cgroups version: %v", err)
+ }
+ if !cgroup2 {
+ _, err := cgroups.FindCgroupMountpoint("", "pids")
+ if err != nil {
+ if !quiet {
+ logrus.Warn(err)
+ }
+ return cgroupPids{}
 }
- return cgroupPids{}
 }

 return cgroupPids{
-- cgit v1.2.3-54-g00ecf
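Review bot: The `cg.IsCgroup2UnifiedMode()` failure is logged with `logrus.Errorf` regardless of `quiet`, while the v1 mount-point failure a few lines below still honours `quiet`; the two paths should agree, e.g. `if !quiet { logrus.Warnf("Failed to check cgroups version: %v", err) }`. After such an error `cgroup2` is false, so the function falls through to the v1 probe, which is a reasonable fallback but deserves a one-line comment. On cgroup v2 the new code performs no check at all and proceeds to the `return cgroupPids{` tail (outside the hunk), so it presumably reports pids support even when the `pids` controller is not enabled in the caller's cgroup, which is the usual state for an undelegated rootless user; either check the available controllers or document the assumption in checkCgroupPids's doc comment.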