containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix default handling of pids-limit 

Add test to verify that updates without a pids-limit specified no longer
overwrite the previous value.

Also fixes erroneous warning generated by remote clients:

"Resource limits are not supported and ignored on cgroups V1 rootless
systems"

Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
This commit is contained in:
Jason T. Greene 2023-01-27 21:02:56 -06:00
parent 986a3a61a8
commit 553e53d441
5 changed files with 54 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/podman/common/create.go
View File

@ -893,8 +893,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
_ = cmd.RegisterFlagCompletionFunc(deviceWriteIopsFlagName, completion.AutocompleteDefault) _ = cmd.RegisterFlagCompletionFunc(deviceWriteIopsFlagName, completion.AutocompleteDefault)
pidsLimitFlagName := "pids-limit" pidsLimitFlagName := "pids-limit"
createFlags.Int64Var( createFlags.Int64(
cf.PIDsLimit,
pidsLimitFlagName, pidsLimit(), pidsLimitFlagName, pidsLimit(),
"Tune container pids limit (set -1 for unlimited)", "Tune container pids limit (set -1 for unlimited)",
) )

1
cmd/podman/common/create_opts.go
View File

@ -92,5 +92,4 @@ func DefineCreateDefaults(opts *entities.ContainerCreateOptions) {
opts.Ulimit = ulimits() opts.Ulimit = ulimits()
opts.SeccompPolicy = "default" opts.SeccompPolicy = "default"
opts.Volume = volumes() opts.Volume = volumes()
opts.PIDsLimit = &podmanConfig.ContainersConf.Containers.PidsLimit
} }

32
cmd/podman/containers/create.go
View File

@ -196,6 +196,23 @@ func replaceContainer(name string) error {
return removeContainers([]string{name}, rmOptions, false) return removeContainers([]string{name}, rmOptions, false)
} }
func createOrUpdateFlags(cmd *cobra.Command, vals *entities.ContainerCreateOptions) error {
if cmd.Flags().Changed("pids-limit") {
val := cmd.Flag("pids-limit").Value.String()
// Convert -1 to 0, so that -1 maps to unlimited pids limit
if val == "-1" {
val = "0"
}
pidsLimit, err := strconv.ParseInt(val, 10, 32)
if err != nil {
return err
}
vals.PIDsLimit = &pidsLimit
}
return nil
}
func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra bool) (entities.ContainerCreateOptions, error) { func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra bool) (entities.ContainerCreateOptions, error) {
if len(vals.UIDMap) > 0 || len(vals.GIDMap) > 0 || vals.SubUIDName != "" || vals.SubGIDName != "" { if len(vals.UIDMap) > 0 || len(vals.GIDMap) > 0 || vals.SubUIDName != "" || vals.SubGIDName != "" {
if c.Flag("userns").Changed { if c.Flag("userns").Changed {
@ -255,18 +272,11 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra
} }
vals.OOMScoreAdj = &val vals.OOMScoreAdj = &val
} }
if c.Flags().Changed("pids-limit") {
val := c.Flag("pids-limit").Value.String() if err := createOrUpdateFlags(c, &vals); err != nil {
// Convert -1 to 0, so that -1 maps to unlimited pids limit return vals, err
if val == "-1" {
val = "0"
}
pidsLimit, err := strconv.ParseInt(val, 10, 32)
if err != nil {
return vals, err
}
vals.PIDsLimit = &pidsLimit
} }
if c.Flags().Changed("env") { if c.Flags().Changed("env") {
env, err := c.Flags().GetStringArray("env") env, err := c.Flags().GetStringArray("env")
if err != nil { if err != nil {

5
cmd/podman/containers/update.go
View File

@ -65,6 +65,11 @@ func update(cmd *cobra.Command, args []string) error {
s := &specgen.SpecGenerator{} s := &specgen.SpecGenerator{}
s.ResourceLimits = &specs.LinuxResources{} s.ResourceLimits = &specs.LinuxResources{}
err = createOrUpdateFlags(cmd, &updateOpts)
if err != nil {
return err
}
// we need to pass the whole specgen since throttle devices are parsed later due to cross compat. // we need to pass the whole specgen since throttle devices are parsed later due to cross compat.
s.ResourceLimits, err = specgenutil.GetResources(s, &updateOpts) s.ResourceLimits, err = specgenutil.GetResources(s, &updateOpts)
if err != nil { if err != nil {

27
test/e2e/update_test.go
View File

@ -98,6 +98,33 @@ var _ = Describe("Podman update", func() {
}) })
It("podman update container unspecified pid limit", func() {
SkipIfCgroupV1("testing flags that only work in cgroup v2")
SkipIfRootless("many of these handlers are not enabled while rootless in CI")
session := podmanTest.Podman([]string{"run", "-dt", "--pids-limit", "-1", ALPINE})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
ctrID := session.OutputToString()
commonArgs := []string{
"update",
"--cpus", "5",
ctrID}
session = podmanTest.Podman(commonArgs)
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
ctrID = session.OutputToString()
// checking pids-limit was not changed after update when not specified as an option
session = podmanTest.Podman([]string{"exec", "-it", ctrID, "cat", "/sys/fs/cgroup/pids.max"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).Should(ContainSubstring("max"))
})
It("podman update container all options v2", func() { It("podman update container all options v2", func() {
SkipIfCgroupV1("testing flags that only work in cgroup v2") SkipIfCgroupV1("testing flags that only work in cgroup v2")
SkipIfRootless("many of these handlers are not enabled while rootless in CI") SkipIfRootless("many of these handlers are not enabled while rootless in CI")