From 9c52175641690348d078255381c3aefcc0c7efb3 Mon Sep 17 00:00:00 2001
From: Chelsea Holland Komlo <me@chelseakomlo.com>
Date: Fri, 25 May 2018 19:54:14 -0400
Subject: [PATCH 1/3] Support Docker Pids Limit

---
 client/driver/docker.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/client/driver/docker.go b/client/driver/docker.go
index c3f92036157..a0c5ed9d481 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -234,6 +234,7 @@ type DockerDriverConfig struct {
 	ReadonlyRootfs       bool                `mapstructure:"readonly_rootfs"`        // Mount the container’s root filesystem as read only
 	AdvertiseIPv6Address bool                `mapstructure:"advertise_ipv6_address"` // Flag to use the GlobalIPv6Address from the container as the detected IP
 	CPUHardLimit         bool                `mapstructure:"cpu_hard_limit"`         // Enforce CPU hard limit.
+	PidsLimit            int64               `mapstructure:"pids_limit"`             // Enforce Docker Pids limit
 }
 
 func sliceMergeUlimit(ulimitsRaw map[string]string) ([]docker.ULimit, error) {
@@ -736,6 +737,9 @@ func (d *DockerDriver) Validate(config map[string]interface{}) error {
 			"cpu_hard_limit": {
 				Type: fields.TypeBool,
 			},
+			"pids_limit": {
+				Type: fields.TypeInt,
+			},
 		},
 	}
 
@@ -1216,6 +1220,8 @@ func (d *DockerDriver) createContainerConfig(ctx *ExecContext, task *structs.Tas
 		Binds: binds,
 
 		VolumeDriver: driverConfig.VolumeDriver,
+
+		PidsLimit: driverConfig.PidsLimit,
 	}
 
 	// Calculate CPU Quota

From 5902ea433cca9b7b5d7289f3eac22bf846b9c41f Mon Sep 17 00:00:00 2001
From: Alex Dadgar <alex.dadgar@gmail.com>
Date: Wed, 30 May 2018 12:55:24 -0700
Subject: [PATCH 2/3] test pid limit

---
 client/driver/docker_linux_test.go | 57 ++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/client/driver/docker_linux_test.go b/client/driver/docker_linux_test.go
index 4c68799ec45..2ec5a0d07e8 100644
--- a/client/driver/docker_linux_test.go
+++ b/client/driver/docker_linux_test.go
@@ -5,8 +5,11 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
+	"time"
 
+	tu "github.com/hashicorp/nomad/testutil"
 	"github.com/stretchr/testify/require"
 )
 
@@ -39,3 +42,57 @@ func TestDockerDriver_authFromHelper(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, []byte("https://registry.local:5000"), content)
 }
+
+func TestDockerDriver_PidsLimit(t *testing.T) {
+	if !tu.IsTravis() {
+		t.Parallel()
+	}
+	if !testutil.DockerIsConnected(t) {
+		t.Skip("Docker not connected")
+	}
+
+	task, _, _ := dockerTask(t)
+	task.Config["pids_limit"] = "1"
+	task.Config["command"] = "/bin/sh"
+	task.Config["args"] = []string{"-c", "sleep 2 & sleep 2"}
+
+	ctx := testDockerDriverContexts(t, task)
+	defer ctx.AllocDir.Destroy()
+	d := NewDockerDriver(ctx.DriverCtx)
+
+	// Copy the image into the task's directory
+	copyImage(t, ctx.ExecCtx.TaskDir, "busybox.tar")
+
+	_, err := d.Prestart(ctx.ExecCtx, task)
+	if err != nil {
+		t.Fatalf("error in prestart: %v", err)
+	}
+	resp, err := d.Start(ctx.ExecCtx, task)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	defer resp.Handle.Kill()
+
+	select {
+	case res := <-resp.Handle.WaitCh():
+		if res.Successful() {
+			t.Fatalf("expected error, but container exited successful")
+		}
+	case <-time.After(time.Duration(tu.TestMultiplier()*5) * time.Second):
+		t.Fatalf("timeout")
+	}
+
+	// XXX Logging doesn't work on OSX so just test on Linux
+	// Check that data was written to the directory.
+	outputFile := filepath.Join(ctx.ExecCtx.TaskDir.LogDir, "redis-demo.stderr.0")
+	act, err := ioutil.ReadFile(outputFile)
+	if err != nil {
+		t.Fatalf("Couldn't read expected output: %v", err)
+	}
+
+	exp := "can't fork"
+	if !strings.Contains(string(act), exp) {
+		t.Fatalf("Expected failed fork: %q", act)
+	}
+
+}

From ceb075bf63bc08b2c0a45511bee4af90723a9401 Mon Sep 17 00:00:00 2001
From: Alex Dadgar <alex.dadgar@gmail.com>
Date: Wed, 30 May 2018 12:58:03 -0700
Subject: [PATCH 3/3] docs

---
 website/source/docs/drivers/docker.html.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
index f24b9b8aa2e..9528cbc7e3a 100644
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
@@ -368,6 +368,9 @@ The `docker` driver supports the following configuration in the job spec.  Only
 * `readonly_rootfs` - (Optional) `true` or `false` (default). Mount
   the container's filesystem as read only.
 
+* `pids_limit` - (Optional) An integer value that specifies the pid limit for
+  the container. Defaults to unlimited.
+
 ### Container Name
 
 Nomad creates a container after pulling an image. Containers are named