github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-20 09:39:08 +00:00
Code Issues Projects Releases Wiki Activity

Add Cgroup resource limits into Yaml spec

Browse Source 
This adds all the cgroup restrictions into the spec.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit is contained in:
Justin Cormack 2017-08-09 16:39:10 +01:00
parent c2b081ed8a
commit 13a1ffdd44
4 changed files with 156 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/yaml.md
View File

@ -172,9 +172,9 @@ bind mounted into a container.
- `noNewPrivileges` is `true` means no additional capabilities can be acquired and `suid` binaries do not work. - `noNewPrivileges` is `true` means no additional capabilities can be acquired and `suid` binaries do not work.
- `hostname` sets the hostname inside the image. - `hostname` sets the hostname inside the image.
- `oomScoreAdj` changes the OOM score. - `oomScoreAdj` changes the OOM score.
- `disableOOMKiller` disables the OOM killer for the service.
- `rootfsPropagation` sets the rootfs propagation, eg `shared`, `slave` or (default) `private`. - `rootfsPropagation` sets the rootfs propagation, eg `shared`, `slave` or (default) `private`.
- `cgroupsPath` sets the path for cgroups. - `cgroupsPath` sets the path for cgroups.
- `resources` sets cgroup resource limits as per the OCI spec.
- `sysctl` sets a list of `sysctl` key value pairs that are set inside the container namespace. - `sysctl` sets a list of `sysctl` key value pairs that are set inside the container namespace.
- `rmlimits` sets a list of `rlimit` values in the form `name,soft,hard`, eg `nofile,100,200`. You can use `unlimited` as a value too. - `rmlimits` sets a list of `rlimit` values in the form `name,soft,hard`, eg `nofile,100,200`. You can use `unlimited` as a value too.

33
src/moby/config.go
View File

@ -81,9 +81,9 @@ type Image struct {
AdditionalGids *[]interface{} `yaml:"additionalGids" json:"additionalGids,omitempty"` AdditionalGids *[]interface{} `yaml:"additionalGids" json:"additionalGids,omitempty"`
NoNewPrivileges *bool `yaml:"noNewPrivileges" json:"noNewPrivileges,omitempty"` NoNewPrivileges *bool `yaml:"noNewPrivileges" json:"noNewPrivileges,omitempty"`
OOMScoreAdj *int `yaml:"oomScoreAdj" json:"oomScoreAdj,omitempty"` OOMScoreAdj *int `yaml:"oomScoreAdj" json:"oomScoreAdj,omitempty"`
DisableOOMKiller *bool `yaml:"disableOOMKiller" json:"disableOOMKiller,omitempty"`
RootfsPropagation *string `yaml:"rootfsPropagation" json:"rootfsPropagation,omitempty"` RootfsPropagation *string `yaml:"rootfsPropagation" json:"rootfsPropagation,omitempty"`
CgroupsPath *string `yaml:"cgroupsPath" json:"cgroupsPath,omitempty"` CgroupsPath *string `yaml:"cgroupsPath" json:"cgroupsPath,omitempty"`
Resources *specs.LinuxResources `yaml:"resources" json:"resources,omitempty"`
Sysctl *map[string]string `yaml:"sysctl" json:"sysctl,omitempty"` Sysctl *map[string]string `yaml:"sysctl" json:"sysctl,omitempty"`
Rlimits *[]string `yaml:"rlimits" json:"rlimits,omitempty"` Rlimits *[]string `yaml:"rlimits" json:"rlimits,omitempty"`
UIDMappings *[]specs.LinuxIDMapping `yaml:"uidMappings" json:"uidMappings,omitempty"` UIDMappings *[]specs.LinuxIDMapping `yaml:"uidMappings" json:"uidMappings,omitempty"`
@ -460,6 +460,17 @@ func assignMappings(v1, v2 *[]specs.LinuxIDMapping) []specs.LinuxIDMapping {
return []specs.LinuxIDMapping{} return []specs.LinuxIDMapping{}
} }
// assignResources does ordered overrides from Resources
func assignResources(v1, v2 *specs.LinuxResources) specs.LinuxResources {
if v2 != nil {
return *v2
}
if v1 != nil {
return *v1
}
return specs.LinuxResources{}
}
// assignStringEmpty does ordered overrides if strings are empty, for // assignStringEmpty does ordered overrides if strings are empty, for
// values where there is always an explicit override eg "none" // values where there is always an explicit override eg "none"
func assignStringEmpty(v1, v2 string) string { func assignStringEmpty(v1, v2 string) string {
@ -883,27 +894,13 @@ func ConfigInspectToOCI(yaml Image, inspect types.ImageInspect, idMap map[string
oci.Hostname = assignStringEmpty(label.Hostname, yaml.Hostname) oci.Hostname = assignStringEmpty(label.Hostname, yaml.Hostname)
oci.Mounts = mountList oci.Mounts = mountList
resources := assignResources(label.Resources, yaml.Resources)
oci.Linux = &specs.Linux{ oci.Linux = &specs.Linux{
UIDMappings: assignMappings(label.UIDMappings, yaml.UIDMappings), UIDMappings: assignMappings(label.UIDMappings, yaml.UIDMappings),
GIDMappings: assignMappings(label.GIDMappings, yaml.GIDMappings), GIDMappings: assignMappings(label.GIDMappings, yaml.GIDMappings),
Sysctl: assignMaps(label.Sysctl, yaml.Sysctl), Sysctl: assignMaps(label.Sysctl, yaml.Sysctl),
Resources: &specs.LinuxResources{ Resources: &resources,
// Devices
Memory: &specs.LinuxMemory{
// Limit
// Reservation
// Swap
// Kernel
// KernelTCP
// Swappiness
DisableOOMKiller: assignBoolPtr(label.DisableOOMKiller, yaml.DisableOOMKiller),
},
// CPU
// Pids
// BlockIO
// HugepageLimits
// Network
},
CgroupsPath: assignString(label.CgroupsPath, yaml.CgroupsPath), CgroupsPath: assignString(label.CgroupsPath, yaml.CgroupsPath),
Namespaces: namespaces, Namespaces: namespaces,
// Devices // Devices

135
src/moby/schema.go
View File

@ -75,6 +75,139 @@ var schema = string(`
"type": "array", "type": "array",
"items": { "$ref": "#/definitions/idmapping" } "items": { "$ref": "#/definitions/idmapping" }
}, },
"devicecgroups": {
"type": "array",
"items": { "$ref": "#/definitions/devicecgroup" }
},
"devicecgroup": {
"type": "object",
"additionalProperties": false,
"properties": {
"allow": {"type": "boolean"},
"type": {"type": "string"},
"major": {"type": "integer"},
"minor": {"type": "integer"},
"access": {"type": "string"}
}
},
"memory": {
"type": "object",
"additionalProperties": false,
"properties": {
"limit": {"type": "integer"},
"reservation": {"type": "integer"},
"swap": {"type": "integer"},
"kernel": {"type": "integer"},
"kernelTCP": {"type": "integer"},
"swappiness": {"type": "integer"},
"disableOOMKiller": {"type": "boolean"}
}
},
"cpu": {
"type": "object",
"additionalProperties": false,
"properties": {
"shares": {"type": "integer"},
"quota": {"type": "integer"},
"period": {"type": "integer"},
"realtimeRuntime": {"type": "integer"},
"realtimePeriod": {"type": "integer"},
"cpus": {"type": "string"},
"mems": {"type": "string"}
}
},
"pids": {
"type": "object",
"additionalProperties": false,
"properties": {
"limit": {"type": "integer"}
}
},
"weightdevices": {
"type": "array",
"items": {"$ref": "#/definitions/weightdevice"}
},
"weightdevice": {
"type": "object",
"additionalProperties": false,
"properties": {
"major": {"type": "integer"},
"minor": {"type": "integer"},
"weight": {"type": "integer"},
"leafWeight": {"type": "integer"}
}
},
"throttledevices": {
"type": "array",
"items": {"$ref": "#/definitions/throttledevice"}
},
"throttledevice": {
"type": "object",
"additionalProperties": false,
"properties": {
"major": {"type": "integer"},
"minor": {"type": "integer"},
"rate": {"type": "integer"}
}
},
"blockio": {
"type": "object",
"additionalProperties": false,
"properties": {
"weight": {"type": "integer"},
"leafWeight": {"type": "integer"},
"weightDevice": {"$ref": "#/definitions/weightdevices"},
"throttleReadBpsDevice": {"$ref": "#/definitions/throttledevices"},
"throttleWriteBpsDevice": {"$ref": "#/definitions/throttledevices"},
"throttleReadIOPSDevice": {"$ref": "#/definitions/throttledevices"},
"throttleWriteIOPSDevice": {"$ref": "#/definitions/throttledevices"}
}
},
"hugepagelimits": {
"type": "array",
"items": {"$ref": "#/definitions/hugepagelimit"}
},
"hugepagelimit": {
"type": "object",
"additionalProperties": false,
"properties": {
"pageSize": {"type": "integer"},
"limit": {"type": "integer"}
}
},
"interfacepriorities": {
"type": "array",
"items": {"$ref": "#/definitions/interfacepriority"}
},
"interfacepriority": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {"type": "string"},
"priority": {"type": "integer"}
}
},
"network": {
"type": "object",
"additionalProperties": false,
"properties": {
"classID": {"type": "integer"},
"priorities": {"$ref": "#/definitions/interfacepriorities"}
}
},
"resources": {
"type": "object",
"additionalProperties": false,
"properties": {
"devices": {"$ref": "#/definitions/devicecgroups"},
"memory": {"$ref": "#/definitions/memory"},
"cpu": {"$ref": "#/definitions/cpu"},
"pids": {"$ref": "#/definitions/pids"},
"blockio": {"$ref": "#/definitions/blockio"},
"hugepageLimits": {"$ref": "#/definitions/hugepagelimits"},
"network": {"$ref": "#/definitions/network"}
}
},
"image": { "image": {
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
@ -107,9 +240,9 @@ var schema = string(`
"noNewPrivileges": {"type": "boolean"}, "noNewPrivileges": {"type": "boolean"},
"hostname": {"type": "string"}, "hostname": {"type": "string"},
"oomScoreAdj": {"type": "integer"}, "oomScoreAdj": {"type": "integer"},
"disableOOMKiller": {"type": "boolean"},
"rootfsPropagation": {"type": "string"}, "rootfsPropagation": {"type": "string"},
"cgroupsPath": {"type": "string"}, "cgroupsPath": {"type": "string"},
"resources": {"$ref": "#/definitions/resources"},
"sysctl": { "sysctl": {
"type": "array", "type": "array",
"items": { "$ref": "#/definitions/strings" } "items": { "$ref": "#/definitions/strings" }

6
test/test.yml
View File

@ -30,6 +30,12 @@ services:
- CAP_SETGID - CAP_SETGID
- CAP_DAC_OVERRIDE - CAP_DAC_OVERRIDE
net: host net: host
resources:
devices:
- allow: true
access: rwm
pids:
limit: 10
files: files:
- path: etc/docker/daemon.json - path: etc/docker/daemon.json
contents: '{"debug": true}' contents: '{"debug": true}'