Setup a reasonable default for pids-limit 4096

CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable. Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-20 00:51:16 +08:00 · 2019-09-14 06:21:10 -04:00
parent bd08fc0e9b
commit 118cf1fc63
7 changed files with 51 additions and 12 deletions
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@ -11,6 +11,7 @@ import (
 	"github.com/containers/libpod/cmd/podman/shared"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/rootless"
+	"github.com/containers/libpod/pkg/sysinfo"
 	"github.com/fatih/camelcase"
 	jsoniter "github.com/json-iterator/go"
 	"github.com/pkg/errors"
@ -374,8 +375,8 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 		"PID namespace to use",
 	)
 	createFlags.Int64(
-		"pids-limit", 0,
-		"Tune container pids limit (set -1 for unlimited)",
+		"pids-limit", sysinfo.GetDefaultPidsLimit(),
+		"Tune container pids limit (set 0 for unlimited)",
 	)
 	createFlags.String(
 		"pod", "",
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@ -686,6 +686,11 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		logDriver = c.String("log-driver")
 	}

+	pidsLimit := c.Int64("pids-limit")
+	if c.String("cgroups") == "disabled" && !c.Changed("pids-limit") {
+		pidsLimit = 0
+	}
+
 	config := &cc.CreateConfig{
 		Annotations:       annotations,
 		BuiltinImgVolumes: ImageVolumes,
@ -764,7 +769,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 			MemorySwappiness:  int(memorySwappiness),
 			KernelMemory:      memoryKernel,
 			OomScoreAdj:       c.Int("oom-score-adj"),
-			PidsLimit:         c.Int64("pids-limit"),
+			PidsLimit:         pidsLimit,
 			Ulimit:            c.StringSlice("ulimit"),
 		},
 		RestartPolicy: c.String("restart"),
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@ -552,7 +552,7 @@ Default is to create a private PID namespace for the container

 **--pids-limit**=*limit*

-Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
+Tune the container's pids limit. Set `0` to have unlimited pids for the container. (default "4096" on systems that support PIDS cgroups).

 **--pod**=*name*

--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@ -565,7 +565,7 @@ Default is to create a private PID namespace for the container

 **--pids-limit**=*limit*

-Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
+Tune the container's pids limit. Set `0` to have unlimited pids for the container. (default "4096" on systems that support PIDS cgroups).

 **--pod**=*name*

--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@ -7,6 +7,7 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/pkg/cgroups"
 	"github.com/containers/libpod/pkg/rootless"
+	"github.com/containers/libpod/pkg/sysinfo"
 	"github.com/docker/docker/oci/caps"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runc/libcontainer/user"
@ -300,10 +301,26 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	blockAccessToKernelFilesystems(config, &g)

 	// RESOURCES - PIDS
-	if config.Resources.PidsLimit != 0 {
+	if config.Resources.PidsLimit > 0 {
+		// if running on rootless on a cgroupv1 machine, pids limit is
+		// not supported.  If the value is still the default
+		// then ignore the settings.  If the caller asked for a
+		// non-default, then try to use it.
+		setPidLimit := true
+		if rootless.IsRootless() {
+			cgroup2, err := cgroups.IsCgroup2UnifiedMode()
+			if err != nil {
+				return nil, err
+			}
+			if !cgroup2 && config.Resources.PidsLimit == sysinfo.GetDefaultPidsLimit() {
+				setPidLimit = false
+			}
+		}
+		if setPidLimit {
 			g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit)
 			addedResources = true
 		}
+	}

 	for name, val := range config.Env {
 		g.AddProcessEnv(name, val)
--- a/pkg/sysinfo/sysinfo.go
+++ b/pkg/sysinfo/sysinfo.go
@ -142,3 +142,12 @@ func popcnt(x uint64) (n byte) {
 	x *= 0x0101010101010101
 	return byte(x >> 56)
 }
+
+// GetDefaultPidsLimit returns the default pids limit to run containers with
+func GetDefaultPidsLimit() int64 {
+	sysInfo := New(true)
+	if !sysInfo.PidsLimit {
+		return 0
+	}
+	return 4096
+}
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@ -7,6 +7,7 @@ import (
 	"path"
 	"strings"

+	cg "github.com/containers/libpod/pkg/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@ -227,6 +228,11 @@ func checkCgroupCpusetInfo(cgMounts map[string]string, quiet bool) cgroupCpusetI

 // checkCgroupPids reads the pids information from the pids cgroup mount point.
 func checkCgroupPids(quiet bool) cgroupPids {
+	cgroup2, err := cg.IsCgroup2UnifiedMode()
+	if err != nil {
+		logrus.Errorf("Failed to check cgroups version: %v", err)
+	}
+	if !cgroup2 {
 		_, err := cgroups.FindCgroupMountpoint("", "pids")
 		if err != nil {
 			if !quiet {
@ -234,6 +240,7 @@ func checkCgroupPids(quiet bool) cgroupPids {
 			}
 			return cgroupPids{}
 		}
+	}

 	return cgroupPids{
 		PidsLimit: true,