podman pod create --memory

using the new resource backend, implement podman pod create --memory which enables
users to modify memory.max inside of the parent cgroup (the pod), implicitly impacting all
children unless overriden

Signed-off-by: Charlie Doern <cdoern@redhat.com>

cmd/podman/common/create.go

@@ -863,14 +863,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(cpusetMemsFlagName, completion.AutocompleteNone)
 
-		memoryFlagName := "memory"
-		createFlags.StringVarP(
-			&cf.Memory,
-			memoryFlagName, "m", "",
-			"Memory limit "+sizeWithUnitFormat,
-		)
-		_ = cmd.RegisterFlagCompletionFunc(memoryFlagName, completion.AutocompleteNone)
-
 		memoryReservationFlagName := "memory-reservation"
 		createFlags.StringVar(
 			&cf.MemoryReservation,
@@ -912,4 +904,12 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		"CPUs in which to allow execution (0-3, 0,1)",
 	)
 	_ = cmd.RegisterFlagCompletionFunc(cpusetCpusFlagName, completion.AutocompleteNone)
+
+	memoryFlagName := "memory"
+	createFlags.StringVarP(
+		&cf.Memory,
+		memoryFlagName, "m", "",
+		"Memory limit "+sizeWithUnitFormat,
+	)
+	_ = cmd.RegisterFlagCompletionFunc(memoryFlagName, completion.AutocompleteNone)
 }

docs/source/markdown/podman-pod-clone.1.md

@@ -80,6 +80,16 @@ Add metadata to a pod (e.g., --label com.example.key=value).
 
 Read in a line delimited file of labels.
 
+#### **--memory**, **-m**=*limit*
+
+Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes))
+
+Constrains the memory available to a container. If the host
+supports swap memory, then the **-m** memory setting can be larger than physical
+RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
+not limited. The actual limit may be rounded up to a multiple of the operating
+system's page size (the value would be very large, that's millions of trillions).
+
 #### **--name**, **-n**
 
 Set a custom name for the cloned pod. The default if not specified is of the syntax: **<ORIGINAL_NAME>-clone**

docs/source/markdown/podman-pod-create.1.md

@@ -164,6 +164,16 @@ according to RFC4862.
 
 To specify multiple static MAC addresses per pod, set multiple networks using the **--network** option with a static MAC address specified for each using the `mac` mode for that option.
 
+#### **--memory**, **-m**=*limit*
+
+Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes))
+
+Constrains the memory available to a container. If the host
+supports swap memory, then the **-m** memory setting can be larger than physical
+RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
+not limited. The actual limit may be rounded up to a multiple of the operating
+system's page size (the value would be very large, that's millions of trillions).
+
 
 #### **--name**=*name*, **-n**
 

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/containernetworking/cni v1.1.1
 	github.com/containernetworking/plugins v1.1.1
 	github.com/containers/buildah v1.26.1-0.20220609225314-e66309ebde8c
-	github.com/containers/common v0.48.1-0.20220628131511-a8336c1613fe
+	github.com/containers/common v0.48.1-0.20220630172158-178929cf063e
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.21.2-0.20220617075545-929f14a56f5c
 	github.com/containers/ocicrypt v1.1.5

go.sum

@@ -338,8 +338,8 @@ github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19
 github.com/containers/buildah v1.26.1-0.20220609225314-e66309ebde8c h1:/fKyiLFFuceBPZGJ0Lig7ElURhfsslAOw1BOcItD+X8=
 github.com/containers/buildah v1.26.1-0.20220609225314-e66309ebde8c/go.mod h1:b0L+u2Dam7soWGn5sVTK31L++Xrf80AbGvK5z9D2+lw=
 github.com/containers/common v0.48.1-0.20220608111710-dbecabbe82c9/go.mod h1:WBLwq+i7bicCpH54V70HM6s7jqDAESTlYnd05XXp0ac=
-github.com/containers/common v0.48.1-0.20220628131511-a8336c1613fe h1:H5YI9PXhDB974IkSCUaha+AF60TunRdHaGElZroYx7M=
+github.com/containers/common v0.48.1-0.20220630172158-178929cf063e h1:Vf5tsGrLC2B2omVBP3AdDA7YlE/VoMdNyQ5yPF8GRoY=
-github.com/containers/common v0.48.1-0.20220628131511-a8336c1613fe/go.mod h1:UDe7OTpNdtJA2T80Sp7yB0yTaj79f4kMNQbTsNxsqoY=
+github.com/containers/common v0.48.1-0.20220630172158-178929cf063e/go.mod h1:Zt3D/IhgFyG1oaBrqsbn9NdH/4fkjsO2Y0ahP12ieu4=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.21.2-0.20220511203756-fe4fd4ed8be4/go.mod h1:OsX9sFexyGF0FCNAjfcVFv3IwMqDyLyV/WQY/roLPcE=
@@ -1268,7 +1268,6 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=

libpod/define/pod_inspect.go

@@ -69,6 +69,8 @@ type InspectPodData struct {
 	VolumesFrom []string `json:"volumes_from,omitempty"`
 	// SecurityOpt contains the specified security labels and related SELinux information
 	SecurityOpts []string `json:"security_opt,omitempty"`
+	// MemoryLimit contains the specified cgroup memory limit for the pod
+	MemoryLimit uint64 `json:"memory_limit,omitempty"`
 }
 
 // InspectPodInfraConfig contains the configuration of the pod's infra

libpod/pod.go

@@ -169,6 +169,23 @@ func (p *Pod) CPUQuota() int64 {
 	return 0
 }
 
+// MemoryLimit returns the pod Memory Limit
+func (p *Pod) MemoryLimit() uint64 {
+	if p.state.InfraContainerID == "" {
+		return 0
+	}
+	infra, err := p.runtime.GetContainer(p.state.InfraContainerID)
+	if err != nil {
+		return 0
+	}
+	conf := infra.config.Spec
+	if conf != nil && conf.Linux != nil && conf.Linux.Resources != nil && conf.Linux.Resources.Memory != nil && conf.Linux.Resources.Memory.Limit != nil {
+		val := *conf.Linux.Resources.Memory.Limit
+		return uint64(val)
+	}
+	return 0
+}
+
 // NetworkMode returns the Network mode given by the user ex: pod, private...
 func (p *Pod) NetworkMode() string {
 	infra, err := p.runtime.GetContainer(p.state.InfraContainerID)

libpod/pod_api.go

@@ -751,6 +751,7 @@ func (p *Pod) Inspect() (*define.InspectPodData, error) {
 		CPUSetCPUs:         p.ResourceLim().CPU.Cpus,
 		CPUPeriod:          p.CPUPeriod(),
 		CPUQuota:           p.CPUQuota(),
+		MemoryLimit:        p.MemoryLimit(),
 		Mounts:             inspectMounts,
 		Devices:            devices,
 		BlkioDeviceReadBps: deviceLimits,

test/system/200-pod.bats

@@ -479,21 +479,25 @@ spec:
     fi
 
     local name1="resources1"
-    run_podman --cgroup-manager=systemd pod create --name=$name1 --cpus=5
+    run_podman --cgroup-manager=systemd pod create --name=$name1 --cpus=5 --memory=10m
     run_podman --cgroup-manager=systemd pod start $name1
     run_podman pod inspect --format '{{.CgroupPath}}' $name1
     local path1="$output"
     local actual1=$(< /sys/fs/cgroup/$path1/cpu.max)
     is "$actual1" "500000 100000" "resource limits set properly"
+    local actual2=$(< /sys/fs/cgroup/$path1/memory.max)
+    is "$actual2" "10485760" "resource limits set properly"
     run_podman pod --cgroup-manager=systemd rm -f $name1
 
     local name2="resources2"
-    run_podman --cgroup-manager=cgroupfs pod create --cpus=5 --name=$name2
+    run_podman --cgroup-manager=cgroupfs pod create --cpus=5 --memory=10m --name=$name2
     run_podman --cgroup-manager=cgroupfs pod start $name2
     run_podman pod inspect --format '{{.CgroupPath}}' $name2
     local path2="$output"
     local actual2=$(< /sys/fs/cgroup/$path2/cpu.max)
     is "$actual2" "500000 100000" "resource limits set properly"
+    local actual2=$(< /sys/fs/cgroup/$path2/memory.max)
+    is "$actual2" "10485760" "resource limits set properly"
     run_podman --cgroup-manager=cgroupfs pod rm $name2
 }
 

vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go

@@ -152,10 +152,10 @@ func resourcesToProps(res *configs.Resources) (map[string]uint64, map[string]str
 
 	// Mem
 	if res.Memory != 0 {
-		iMap["MemoryMax"] = res.Memory
+		uMap["MemoryMax"] = uint64(res.Memory)
 	}
 	if res.MemorySwap != 0 {
-		iMap["MemorySwapMax"] = res.MemorySwap
+		uMap["MemorySwapMax"] = uint64(res.MemorySwap)
 	}
 
 	// Blkio

vendor/github.com/containers/common/pkg/seccomp/default_linux.go

@@ -221,6 +221,9 @@ func DefaultProfile() *Seccomp {
 				"ipc",
 				"keyctl",
 				"kill",
+				"landlock_add_rule",
+				"landlock_create_ruleset",
+				"landlock_restrict_self",
 				"lchown",
 				"lchown32",
 				"lgetxattr",

vendor/github.com/containers/common/pkg/seccomp/seccomp.json

@@ -228,6 +228,9 @@
 				"ipc",
 				"keyctl",
 				"kill",
+				"landlock_add_rule",
+				"landlock_create_ruleset",
+				"landlock_restrict_self",
 				"lchown",
 				"lchown32",
 				"lgetxattr",

vendor/modules.txt

@@ -111,7 +111,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.48.1-0.20220628131511-a8336c1613fe
+# github.com/containers/common v0.48.1-0.20220630172158-178929cf063e
 ## explicit
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define