Add option to limit pids within a container

Because we run container side applications using the swift user, we need a mechanism to limit number of processes launched inside storlet containers so that user workloads do not consume all allowed pids in host. This introduces a new option to set pids limit in each container. Change-Id: Idc07807ab7dba12c795d19d6405fc998e7b09893
2024-01-29 00:51:56 +09:00 · 2024-01-29 00:51:56 +09:00 · 5818bc046d
parent ede1fe4b33
commit 5818bc046d
1 changed files with 2 additions and 0 deletions
--- a/storlets/gateway/gateways/docker/runtime.py
+++ b/storlets/gateway/gateways/docker/runtime.py
@ -257,6 +257,7 @@ class RunTimeSandbox(object):
            pass
        self.container_cpuset_cpus = conf.get('container_cpuset_cpus')
        self.container_cpuset_mems = conf.get('container_cpuset_mems')
+        self.container_pids_limit = int(conf.get('container_pids_limit', 0))

    def ping(self):
        """
@ -364,6 +365,7 @@ class RunTimeSandbox(object):
                mem_limit=self.container_mem_limit,
                cpuset_cpus=self.container_cpuset_cpus,
                cpuset_mems=self.container_cpuset_mems,
+                pids_limit=self.container_pids_limit,
                labels={'managed_by': 'storlets'})
        except docker.errors.ImageNotFound:
            msg = "Image %s is not found" % docker_image_name