From 5818bc046d142c87903adba7414f12d925975b39 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 29 Jan 2024 00:51:56 +0900
Subject: [PATCH] Add option to limit pids within a container

Because we run container side applications using the swift user, we need a mechanism to limit number of processes launched inside storlet containers so that user workloads do not consume all allowed pids in host. This introduces a new option to set pids limit in each container.

Change-Id: Idc07807ab7dba12c795d19d6405fc998e7b09893
---
 storlets/gateway/gateways/docker/runtime.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/storlets/gateway/gateways/docker/runtime.py b/storlets/gateway/gateways/docker/runtime.py
index f3fa892d..bfa6f4cc 100644
--- a/storlets/gateway/gateways/docker/runtime.py
+++ b/storlets/gateway/gateways/docker/runtime.py
@@ -257,6 +257,7 @@ class RunTimeSandbox(object):
 pass
 self.container_cpuset_cpus = conf.get('container_cpuset_cpus')
 self.container_cpuset_mems = conf.get('container_cpuset_mems')
+ self.container_pids_limit = int(conf.get('container_pids_limit', 0))

 def ping(self):
 """
@@ -364,6 +365,7 @@ class RunTimeSandbox(object):
 mem_limit=self.container_mem_limit,
 cpuset_cpus=self.container_cpuset_cpus,
 cpuset_mems=self.container_cpuset_mems,
+ pids_limit=self.container_pids_limit,
 labels={'managed_by': 'storlets'})
 except docker.errors.ImageNotFound:
 msg = "Image %s is not found" % docker_image_name
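Review bot: In the first hunk, `self.container_pids_limit = int(conf.get('container_pids_limit', 0))` defaults to 0, and Docker treats a zero or negative pids limit as unlimited, so the protection the commit message describes is off unless an operator sets it. A comment on the line should say so, e.g. `# 0 (default) applies no pids limit; set a positive value to cap processes per container`. The bare `int()` also raises an uncontextualised ValueError on a non-numeric value and accepts negative numbers silently; a guard such as `if self.container_pids_limit < 0: raise ValueError('container_pids_limit must be >= 0')` would surface a misconfiguration at start-up instead of quietly disabling the limit. The enclosing method (presumably the constructor) starts outside the hunk, so how the neighbouring options are validated is not visible here.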
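Review bot: In the second hunk, `pids_limit=self.container_pids_limit` caps each container separately, so the host-wide exposure is still the limit multiplied by the number of storlet containers running at once. The option's documentation should state this, so operators size the value against the host's pid ceiling rather than reading it as a global cap. The diffstat lists only runtime.py, so the patch carries neither a sample-config entry for `container_pids_limit` nor a test asserting that the value reaches the container-creation call; both are worth adding alongside this line. The call these keyword arguments belong to starts outside the hunk.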