Merge pull request #1227 from Ace-Tang/full_spec_params

feature: add pidslimit implement

Author: Wei Fu

cli/common_flags.go

@@ -84,6 +84,7 @@ func addCommonFlags(flagSet *pflag.FlagSet) *container {
 
 	flagSet.StringVarP(&c.workdir, "workdir", "w", "", "Set the working directory in a container")
 	flagSet.Var(&c.ulimit, "ulimit", "Set container ulimit")
+	flagSet.Int64Var(&c.pidsLimit, "pids-limit", -1, "Set container pids limit, -1 for unlimited")
 
 	flagSet.BoolVar(&c.rich, "rich", false, "Start container in rich container mode. (default false)")
 	flagSet.StringVar(&c.richMode, "rich-mode", "", "Choose one rich container mode. dumb-init(default), systemd, sbin-init")

cli/container.go

@@ -69,6 +69,7 @@ type container struct {
 	specAnnotation []string
 	cgroupParent   string
 	ulimit         Ulimit
+	pidsLimit      int64
 
 	//add for rich container mode
 	rich       bool
@@ -223,6 +224,7 @@ func (c *container) config() (*types.ContainerCreateConfig, error) {
 				IntelRdtL3Cbm: intelRdtL3Cbm,
 				CgroupParent:  c.cgroupParent,
 				Ulimits:       c.ulimit.value(),
+				PidsLimit:     c.pidsLimit,
 			},
 			EnableLxcfs:   c.enableLxcfs,
 			Privileged:    c.privileged,

daemon/mgr/spec_linux.go

@@ -140,7 +140,10 @@ func setupResource(ctx context.Context, c *Container, s *specs.Spec) error {
 		return err
 	}
 
-	//TODO: nedd support Pids, HugepageLimits, Network cgroup set
+	// start to setup pids limit
+	s.Linux.Resources.Pids = &specs.LinuxPids{
+		Limit: c.HostConfig.PidsLimit,
+	}
 
 	return nil
 }

test/cli_create_test.go

@@ -474,3 +474,18 @@ func (suite *PouchCreateSuite) TestCreateWithUlimit(c *check.C) {
 	c.Assert(int(ul.Hard), check.Equals, 21)
 	c.Assert(int(ul.Soft), check.Equals, 21)
 }
+
+// TestCreateWithPidsLimit tests running container with --pids-limit flag.
+func (suite *PouchRunSuite) TestCreateWithPidsLimit(c *check.C) {
+	cname := "TestCreateWithPidsLimit"
+	res := command.PouchRun("create", "--pids-limit", "10", "--name", cname, busyboxImage)
+	res.Assert(c, icmd.Success)
+
+	output := command.PouchRun("inspect", cname).Stdout()
+	result := []types.ContainerJSON{}
+	if err := json.Unmarshal([]byte(output), &result); err != nil {
+		c.Errorf("failed to decode inspect output: %v", err)
+	}
+	pl := result[0].HostConfig.PidsLimit
+	c.Assert(int(pl), check.Equals, 10)
+}

test/cli_run_test.go

@@ -1085,3 +1085,22 @@ func (suite *PouchRunSuite) TestRunWithUlimit(c *check.C) {
 	c.Assert(int(ul.Soft), check.Equals, 256)
 
 }
+
+// TestRunWithPidsLimit tests running container with --pids-limit flag.
+func (suite *PouchRunSuite) TestRunWithPidsLimit(c *check.C) {
+	cname := "TestRunWithPidsLimit"
+	pidfile := "/sys/fs/cgroup/pids/pids.max"
+	res := command.PouchRun("run", "--pids-limit", "10", "--name", cname, busyboxImage, "cat", pidfile)
+	res.Assert(c, icmd.Success)
+
+	out := res.Stdout()
+	c.Assert(out, check.Equals, "10\n")
+
+	output := command.PouchRun("inspect", cname).Stdout()
+	result := []types.ContainerJSON{}
+	if err := json.Unmarshal([]byte(output), &result); err != nil {
+		c.Errorf("failed to decode inspect output: %v", err)
+	}
+	pl := result[0].HostConfig.PidsLimit
+	c.Assert(int(pl), check.Equals, 10)
+}

test/cli_start_test.go

@@ -285,3 +285,14 @@ func (suite *PouchStartSuite) TestStartWithUlimit(c *check.C) {
 
 	command.PouchRun("start", name).Assert(c, icmd.Success)
 }
+
+// TestStartWithPidsLimit tests running container with --pids-limit flag.
+func (suite *PouchStartSuite) TestStartWithPidsLimit(c *check.C) {
+	name := "TestStartWithPidsLimit"
+	pidfile := "/sys/fs/cgroup/pids/pids.max"
+	res := command.PouchRun("create", "--pids-limit", "10", "--name", name, busyboxImage, "cat", pidfile)
+	res.Assert(c, icmd.Success)
+	defer DelContainerForceMultyTime(c, name)
+
+	command.PouchRun("start", name).Assert(c, icmd.Success)
+}