Merge pull request #19956 from rhatdan/ulimit

Add support for Ulimit in quadlet
2023-09-14 15:24:42 +02:00 · 2023-09-14 15:24:42 +02:00 · 61b9a38bd0
parent 1e43fae5ad 522e0f43f4
commit 61b9a38bd0
4 changed files with 32 additions and 1 deletions
--- a/docs/source/markdown/options/ulimit.md
+++ b/docs/source/markdown/options/ulimit.md
@ -4,4 +4,17 @@
 ####> are applicable to all of those.
 #### **--ulimit**=*option*

-Ulimit options. You can use **host** to copy the current configuration from the host.
+Ulimit options. Sets the ulimits values inside of the container.
+
+--ulimit with a soft and hard limit in the format <type>=<soft limit>[:<hard limit>]. For example:
+
+$ podman run --ulimit nofile=1024:1024 --rm ubi9 ulimit -n
+1024
+
+Use **host** to copy the current configuration from the host.
+
+Don't use nproc with the ulimit flag as Linux uses nproc to set the
+maximum number of processes available to a user, not to a container.
+
+Use the --pids-limit option to modify the cgroup control to limit the number
+of processes within a container.
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -176,6 +176,7 @@ Valid options for `[Container]` are listed below:
 | Sysctl=name=value              | --sysctl=name=value                                  |
 | Timezone=local                 | --tz local                                           |
 | Tmpfs=/work                    | --tmpfs /work                                        |
+| Ulimit=nofile:1000:10000       | --ulimit nofile:1000:10000                           |
 | User=bin                       | --user bin                                           |
 | UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210                     |
 | VolatileTmp=true               | --tmpfs /tmp                                         |
@ -539,6 +540,10 @@ This key can be listed multiple times.

 The timezone to run the container in.

+### `Ulimit=`
+
+Ulimit options. Sets the ulimits values inside of the container.
+
 ### `User=`

 The (numeric) UID to run as inside the container. This does not need to match the UID on the host,
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -118,6 +118,7 @@ const (
 	KeyTimezone              = "Timezone"
 	KeyTmpfs                 = "Tmpfs"
 	KeyType                  = "Type"
+	KeyUlimit                = "Ulimit"
 	KeyUnmask                = "Unmask"
 	KeyUser                  = "User"
 	KeyUserNS                = "UserNS"
@ -192,6 +193,7 @@ var (
 		KeySysctl:                true,
 		KeyTimezone:              true,
 		KeyTmpfs:                 true,
+		KeyUlimit:                true,
 		KeyUnmask:                true,
 		KeyUser:                  true,
 		KeyUserNS:                true,
@ -478,6 +480,11 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 		podman.add("--security-opt", fmt.Sprintf("label=level:%s", securityLabelLevel))
 	}

+	ulimit, ok := container.Lookup(ContainerGroup, KeyUlimit)
+	if ok && len(ulimit) > 0 {
+		podman.add("--ulimit", ulimit)
+	}
+
 	// But allow overrides with AddCapability
 	devices := container.LookupAllStrv(ContainerGroup, KeyAddDevice)
 	for _, device := range devices {
--- a/test/e2e/quadlet/ulimit.container
+++ b/test/e2e/quadlet/ulimit.container
@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--ulimit nproc:1234:5678"
+
+[Container]
+Image=localhost/imagename
+Ulimit=nproc:1234:5678