Merge pull request #4341 from hashicorp/f-docker-pids
Support Docker Pids Limit
dadgar authored May 31, 2018
2 parents 269ad04 + ceb075b commit 4fb3b9f
Showing 3 changed files with 66 additions and 0 deletions.
6 changes: 6 additions & 0 deletions client/driver/docker.go
Expand Up @@ -234,6 +234,7 @@ type DockerDriverConfig struct {
ReadonlyRootfs bool `mapstructure:"readonly_rootfs"` // Mount the container’s root filesystem as read only
AdvertiseIPv6Address bool `mapstructure:"advertise_ipv6_address"` // Flag to use the GlobalIPv6Address from the container as the detected IP
CPUHardLimit bool `mapstructure:"cpu_hard_limit"` // Enforce CPU hard limit.
PidsLimit int64 `mapstructure:"pids_limit"` // Enforce Docker Pids limit
}

func sliceMergeUlimit(ulimitsRaw map[string]string) ([]docker.ULimit, error) {
Expand Down Expand Up @@ -736,6 +737,9 @@ func (d *DockerDriver) Validate(config map[string]interface{}) error {
"cpu_hard_limit": {
Type: fields.TypeBool,
},
"pids_limit": {
Type: fields.TypeInt,
},
},
}

Expand Down Expand Up @@ -1216,6 +1220,8 @@ func (d *DockerDriver) createContainerConfig(ctx *ExecContext, task *structs.Tas
Binds: binds,

VolumeDriver: driverConfig.VolumeDriver,

PidsLimit: driverConfig.PidsLimit,
}

// Calculate CPU Quota
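Review bot: `PidsLimit: driverConfig.PidsLimit` in the createContainerConfig hunk forwards the job-supplied value to the host config unchecked, and the Validate hunk only constrains `pids_limit` to `fields.TypeInt`, so a negative number is accepted at submission and its meaning is left to the Docker daemon. Since the limit exists to bound process creation inside a container, consider rejecting negative values before the container options are built, with a guard such as `if driverConfig.PidsLimit < 0 {` that returns a descriptive error. The struct comment could also state the zero-value behaviour, e.g. `// Maximum number of processes in the container; 0 (default) leaves it unlimited`, which matches the docs change in this commit. Because the option is per-task and defaults to unlimited, operators running untrusted jobs get no fork-exhaustion protection unless every job sets it; a client-level default or ceiling may be worth a follow-up. The struct and both functions extend beyond the visible hunks.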
57 changes: 57 additions & 0 deletions client/driver/docker_linux_test.go
Expand Up @@ -5,8 +5,11 @@ import (
"io/ioutil"
"os"
"path/filepath"
"strings"
"testing"
"time"

tu "github.com/hashicorp/nomad/testutil"
"github.com/stretchr/testify/require"
)

Expand Down Expand Up @@ -39,3 +42,57 @@ func TestDockerDriver_authFromHelper(t *testing.T) {
require.NoError(t, err)
require.Equal(t, []byte("https://registry.local:5000"), content)
}

func TestDockerDriver_PidsLimit(t *testing.T) {
if !tu.IsTravis() {
t.Parallel()
}
if !testutil.DockerIsConnected(t) {
t.Skip("Docker not connected")
}

task, _, _ := dockerTask(t)
task.Config["pids_limit"] = "1"
task.Config["command"] = "/bin/sh"
task.Config["args"] = []string{"-c", "sleep 2 & sleep 2"}

ctx := testDockerDriverContexts(t, task)
defer ctx.AllocDir.Destroy()
d := NewDockerDriver(ctx.DriverCtx)

// Copy the image into the task's directory
copyImage(t, ctx.ExecCtx.TaskDir, "busybox.tar")

_, err := d.Prestart(ctx.ExecCtx, task)
if err != nil {
t.Fatalf("error in prestart: %v", err)
}
resp, err := d.Start(ctx.ExecCtx, task)
if err != nil {
t.Fatalf("err: %v", err)
}
defer resp.Handle.Kill()

select {
case res := <-resp.Handle.WaitCh():
if res.Successful() {
t.Fatalf("expected error, but container exited successful")
}
case <-time.After(time.Duration(tu.TestMultiplier()*5) * time.Second):
t.Fatalf("timeout")
}

// XXX Logging doesn't work on OSX so just test on Linux
// Check that data was written to the directory.
outputFile := filepath.Join(ctx.ExecCtx.TaskDir.LogDir, "redis-demo.stderr.0")
act, err := ioutil.ReadFile(outputFile)
if err != nil {
t.Fatalf("Couldn't read expected output: %v", err)
}

exp := "can't fork"
if !strings.Contains(string(act), exp) {
t.Fatalf("Expected failed fork: %q", act)
}

}
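Review bot: The final assertion in TestDockerDriver_PidsLimit depends on two things outside the driver's control, the literal log name `redis-demo.stderr.0` and busybox's `can't fork` message, so a renamed default task or a different image build would fail the test without any regression in pid limiting. Deriving the file name from `task.Name` and, if the handle exposes the container, also asserting the limit on the created container's host config would pin the enforcement more directly. The stderr file is read immediately after `WaitCh` fires, which may race with log flushing if the log collector is asynchronous; a short retry around the read would be safer. The value is also set as the string `"1"` although the option is validated as `fields.TypeInt`, so the test presumably relies on weak decoding; `task.Config["pids_limit"] = 1` would exercise the documented type.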
3 changes: 3 additions & 0 deletions website/source/docs/drivers/docker.html.md
Expand Up @@ -368,6 +368,9 @@ The `docker` driver supports the following configuration in the job spec. Only
* `readonly_rootfs` - (Optional) `true` or `false` (default). Mount
the container's filesystem as read only.

* `pids_limit` - (Optional) An integer value that specifies the pid limit for
the container. Defaults to unlimited.

### Container Name

Nomad creates a container after pulling an image. Containers are named
