Add support for Ulimit in quadlet

QM needs to be able to specify the maximum number of open files within the QM
environment to ensure FFI.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2023-09-14 06:17:43 -04:00
parent 957523e62a
commit 522e0f43f4
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
4 changed files with 32 additions and 1 deletions


@ -4,4 +4,17 @@
####> are applicable to all of those. ####> are applicable to all of those.
#### **--ulimit**=*option* #### **--ulimit**=*option*
Ulimit options. You can use **host** to copy the current configuration from the host. Ulimit options. Sets the ulimits values inside of the container.
--ulimit with a soft and hard limit in the format <type>=<soft limit>[:<hard limit>]. For example:
$ podman run --ulimit nofile=1024:1024 --rm ubi9 ulimit -n
1024
Use **host** to copy the current configuration from the host.
Don't use nproc with the ulimit flag as Linux uses nproc to set the
maximum number of processes available to a user, not to a container.
Use the --pids-limit option to modify the cgroup control to limit the number
of processes within a container.


@ -176,6 +176,7 @@ Valid options for `[Container]` are listed below:
| Sysctl=name=value | --sysctl=name=value | | Sysctl=name=value | --sysctl=name=value |
| Timezone=local | --tz local | | Timezone=local | --tz local |
| Tmpfs=/work | --tmpfs /work | | Tmpfs=/work | --tmpfs /work |
| Ulimit=nofile:1000:10000 | --ulimit nofile:1000:10000 |
| User=bin | --user bin | | User=bin | --user bin |
| UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210 | | UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210 |
| VolatileTmp=true | --tmpfs /tmp | | VolatileTmp=true | --tmpfs /tmp |
@ -539,6 +540,10 @@ This key can be listed multiple times.
The timezone to run the container in. The timezone to run the container in.
### `Ulimit=`
Ulimit options. Sets the ulimits values inside of the container.
### `User=` ### `User=`
The (numeric) UID to run as inside the container. This does not need to match the UID on the host, The (numeric) UID to run as inside the container. This does not need to match the UID on the host,


@ -118,6 +118,7 @@ const (
KeyTimezone = "Timezone" KeyTimezone = "Timezone"
KeyTmpfs = "Tmpfs" KeyTmpfs = "Tmpfs"
KeyType = "Type" KeyType = "Type"
KeyUlimit = "Ulimit"
KeyUnmask = "Unmask" KeyUnmask = "Unmask"
KeyUser = "User" KeyUser = "User"
KeyUserNS = "UserNS" KeyUserNS = "UserNS"
@ -192,6 +193,7 @@ var (
KeySysctl: true, KeySysctl: true,
KeyTimezone: true, KeyTimezone: true,
KeyTmpfs: true, KeyTmpfs: true,
KeyUlimit: true,
KeyUnmask: true, KeyUnmask: true,
KeyUser: true, KeyUser: true,
KeyUserNS: true, KeyUserNS: true,
@ -478,6 +480,11 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
podman.add("--security-opt", fmt.Sprintf("label=level:%s", securityLabelLevel)) podman.add("--security-opt", fmt.Sprintf("label=level:%s", securityLabelLevel))
} }
ulimit, ok := container.Lookup(ContainerGroup, KeyUlimit)
if ok && len(ulimit) > 0 {
podman.add("--ulimit", ulimit)
}
// But allow overrides with AddCapability // But allow overrides with AddCapability
devices := container.LookupAllStrv(ContainerGroup, KeyAddDevice) devices := container.LookupAllStrv(ContainerGroup, KeyAddDevice)
for _, device := range devices { for _, device := range devices {
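Review bot: The new `Ulimit=` handling in ConvertContainer reads the key with `container.Lookup`, which yields a single value, so a unit cannot set more than one limit (e.g. both nofile and nproc) even though `--ulimit` is repeatable; a second `Ulimit=` line silently wins over the first with no diagnostic. The sibling keys in this function are read with the LookupAll* family (see `LookupAllStrv` for `AddDevice` just below), so the consistent form is `for _, ulimit := range container.LookupAll(ContainerGroup, KeyUlimit) {` / `podman.add("--ulimit", ulimit)` / `}`, which also makes the `len(ulimit) > 0` guard unnecessary. If that is adopted, the `### Ulimit=` docs section added in this commit should gain "This key can be listed multiple times." ConvertContainer begins and ends outside the hunk.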


@ -0,0 +1,6 @@
## assert-podman-final-args localhost/imagename
## assert-podman-args "--ulimit nproc:1234:5678"
[Container]
Image=localhost/imagename
Ulimit=nproc:1234:5678
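Review bot: The fixture's value `nproc:1234:5678` does not follow the `<type>=<soft limit>[:<hard limit>]` format that this same commit documents for `--ulimit` (example `nofile=1024:1024`), and it uses nproc, which that documentation explicitly advises against; the `Ulimit=nofile:1000:10000` example added to the key table has the same colon-only form. The quadlet test only asserts argument pass-through, so it passes as written, but it presumably encodes a value podman itself would reject at run time (not verifiable from this page). Suggest `## assert-podman-args "--ulimit nofile=1234:5678"` with `Ulimit=nofile=1234:5678`, and the same `=` form in the key table.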