From 4ed3273f68d3157bf0b3c77ac299ec79c6a8a0f3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 12 Sep 2023 16:27:29 -0400
Subject: [PATCH] Add support for PidsLimit in quadlet

QM needs to be able to specify the maximum number of PIDs within the QM environment to ensure FFI. Picking a total of 10,000 Pids might be a rasonable constraint on the QM.

Signed-off-by: Daniel J Walsh
---
 docs/source/markdown/podman-systemd.unit.5.md | 6 ++++++
 pkg/systemd/quadlet/quadlet.go | 19 +++++++++++++------
 test/e2e/quadlet/pids-limit.container | 6 ++++++
 3 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 test/e2e/quadlet/pids-limit.container

diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index 1400de2fbd..27733827e5 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -157,6 +157,7 @@ Valid options for `[Container]` are listed below:
 | NoNewPrivileges=true | --security-opt no-new-privileges |
 | Rootfs=/var/lib/rootfs | --rootfs /var/lib/rootfs |
 | Notify=true | --sdnotify container |
+| PidsLimit=10000 | --pids-limit 10000 |
 | PodmanArgs=--add-host foobar | --add-host foobar |
 | PublishPort=50-59 | --publish 50-59 |
 | Pull=never | --pull=never |
@@ -410,6 +411,11 @@ starts the child in the container. However, if the container application support
 `Notify` to true passes the notification details to the container allowing it to notify of startup on its own.
 
+### `PidsLimit=`
+
+Tune the container's pids limit.
+This is equivalent to the Podman `--pids-limit` option.
+
 ### `PodmanArgs=`
 
 This key contains a list of arguments passed directly to the end of the `podman run` command
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index d593bf8e24..660e42aa1b 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -91,6 +91,7 @@ const (
 KeyNoNewPrivileges = "NoNewPrivileges"
 KeyNotify = "Notify"
 KeyOptions = "Options"
+ KeyPidsLimit = "PidsLimit"
 KeyPodmanArgs = "PodmanArgs"
 KeyPublishPort = "PublishPort"
 KeyPull = "Pull"
@@ -163,6 +164,7 @@ var (
 KeyNetwork: true,
 KeyNoNewPrivileges: true,
 KeyNotify: true,
+ KeyPidsLimit: true,
 KeyPodmanArgs: true,
 KeyPublishPort: true,
 KeyPull: true,
@@ -449,18 +451,23 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 podman.add("--security-opt", "label:nested")
 }
 
- securityLabelType, _ := container.Lookup(ContainerGroup, KeySecurityLabelType)
- if len(securityLabelType) > 0 {
+ pidsLimit, ok := container.Lookup(ContainerGroup, KeyPidsLimit)
+ if ok && len(pidsLimit) > 0 {
+ podman.add("--pids-limit", pidsLimit)
+ }
+
+ securityLabelType, ok := container.Lookup(ContainerGroup, KeySecurityLabelType)
+ if ok && len(securityLabelType) > 0 {
 podman.add("--security-opt", fmt.Sprintf("label=type:%s", securityLabelType))
 }
 
- securityLabelFileType, _ := container.Lookup(ContainerGroup, KeySecurityLabelFileType)
- if len(securityLabelFileType) > 0 {
+ securityLabelFileType, ok := container.Lookup(ContainerGroup, KeySecurityLabelFileType)
+ if ok && len(securityLabelFileType) > 0 {
 podman.add("--security-opt", fmt.Sprintf("label=filetype:%s", securityLabelFileType))
 }
 
- securityLabelLevel, _ := container.Lookup(ContainerGroup, KeySecurityLabelLevel)
- if len(securityLabelLevel) > 0 {
+ securityLabelLevel, ok := container.Lookup(ContainerGroup, KeySecurityLabelLevel)
+ if ok && len(securityLabelLevel) > 0 {
 podman.add("--security-opt", fmt.Sprintf("label=level:%s", securityLabelLevel))
 }
 
diff --git a/test/e2e/quadlet/pids-limit.container b/test/e2e/quadlet/pids-limit.container
new file mode 100644
index 0000000000..83a848816b
--- /dev/null
+++ b/test/e2e/quadlet/pids-limit.container
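Review bot: In the ConvertContainer hunk the PidsLimit value is handed to `--pids-limit` as an opaque string, so a malformed entry such as `PidsLimit=ten-thousand` is not rejected when the unit is generated but only when systemd tries to start it, which is a much harder failure to trace back to the quadlet file. Parsing it at conversion time, `if _, err := strconv.ParseInt(pidsLimit, 10, 64); err != nil { return nil, fmt.Errorf("invalid PidsLimit %q: %w", pidsLimit, err) }`, would surface the typo up front, assuming ConvertContainer returns an error like other quadlet conversions appear to and that strconv is already imported (the function's signature and return are outside the hunk, so both are inferred). Since the podman CLI treats `--pids-limit -1` as unlimited, a negative value also silently removes the cap this commit exists to impose; whether quadlet should reject non-positive values or the man page's `PidsLimit=` section should at least state that they lift the limit is worth deciding explicitly. The `ok && len(...) > 0` rewrite of the three security-label lookups looks cosmetic, as an absent key presumably already yields an empty string, so a one-line comment on why `ok` is now checked would help the next reader.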
@@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--pids-limit" "8765432"
+
+[Container]
+Image=localhost/imagename
+PidsLimit=8765432