Merge pull request #271 from Mashimiao/generate-add-rlimits-options

Generate add rlimits options

cmd/oci-runtime-tool/generate.go

@@ -65,6 +65,9 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "rootfs-path", Value: "rootfs", Usage: "path to the root filesystem"},
 	cli.StringFlag{Name: "rootfs-propagation", Usage: "mount propagation for rootfs"},
 	cli.BoolFlag{Name: "rootfs-readonly", Usage: "make the container's rootfs readonly"},
+	cli.StringSliceFlag{Name: "rlimits-add", Usage: "specifies resource limits for processes inside the container. "},
+	cli.StringSliceFlag{Name: "rlimits-remove", Usage: "remove specified resource limits for processes inside the container. "},
+	cli.BoolFlag{Name: "rlimits-remove-all", Usage: "remove all resource limits for processes inside the container. "},
 	cli.StringFlag{Name: "seccomp-allow", Usage: "specifies syscalls to respond with allow"},
 	cli.StringFlag{Name: "seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"},
 	cli.StringFlag{Name: "seccomp-default", Usage: "specifies default action to be used for system calls and removes existing rules with specified action"},
@@ -445,6 +448,31 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
+	if context.IsSet("rlimits-add") {
+		rlimits := context.StringSlice("rlimits-add")
+		for _, rlimit := range rlimits {
+			rType, rHard, rSoft, err := parseRlimit(rlimit)
+			if err != nil {
+				return err
+			}
+			g.AddProcessRlimits(rType, rHard, rSoft)
+		}
+	}
+
+	if context.IsSet("rlimits-remove") {
+		rlimits := context.StringSlice("rlimits-remove")
+		for _, rlimit := range rlimits {
+			err := g.RemoveProcessRlimits(rlimit)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("rlimits-remove-all") {
+		g.ClearProcessRlimits()
+	}
+
 	err := addSeccomp(context, g)
 	return err
 }
@@ -548,6 +576,25 @@ func parseBindMount(s string) (string, string, []string, error) {
 	return source, dest, options, nil
 }
 
+func parseRlimit(rlimit string) (string, uint64, uint64, error) {
+	parts := strings.Split(rlimit, ":")
+	if len(parts) != 3 {
+		return "", 0, 0, fmt.Errorf("invalid rlimits value: %s", rlimit)
+	}
+
+	hard, err := strconv.Atoi(parts[1])
+	if err != nil {
+		return "", 0, 0, err
+	}
+
+	soft, err := strconv.Atoi(parts[2])
+	if err != nil {
+		return "", 0, 0, err
+	}
+
+	return parts[0], uint64(hard), uint64(soft), nil
+}
+
 func addSeccomp(context *cli.Context, g *generate.Generator) error {
 
 	// Set the DefaultAction of seccomp

completions/bash/oci-runtime-tool

@@ -303,6 +303,9 @@ _oci-runtime-tool_generate() {
 	      --readonly-paths
 	      --rootfs-path
 	      --rootfs-propagation
+	      --rlimits-add
+	      --rlimits-remove
+	      --rlimits-remove-all
 	      --seccomp-allow
 	      --seccomp-arch
 	      --seccomp-default

generate/generate.go

@@ -337,6 +337,47 @@ func (g *Generator) AddProcessEnv(env string) {
 	g.spec.Process.Env = append(g.spec.Process.Env, env)
 }
 
+// AddProcessRlimits adds rlimit into g.spec.Process.Rlimits.
+func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64) {
+	g.initSpec()
+	for i, rlimit := range g.spec.Process.Rlimits {
+		if rlimit.Type == rType {
+			g.spec.Process.Rlimits[i].Hard = rHard
+			g.spec.Process.Rlimits[i].Soft = rSoft
+			return
+		}
+	}
+
+	newRlimit := rspec.Rlimit{
+		Type: rType,
+		Hard: rHard,
+		Soft: rSoft,
+	}
+	g.spec.Process.Rlimits = append(g.spec.Process.Rlimits, newRlimit)
+}
+
+// RemoveProcessRlimits removes a rlimit from g.spec.Process.Rlimits.
+func (g *Generator) RemoveProcessRlimits(rType string) error {
+	if g.spec == nil {
+		return nil
+	}
+	for i, rlimit := range g.spec.Process.Rlimits {
+		if rlimit.Type == rType {
+			g.spec.Process.Rlimits = append(g.spec.Process.Rlimits[:i], g.spec.Process.Rlimits[i+1:]...)
+			return nil
+		}
+	}
+	return nil
+}
+
+// ClearProcessRlimits clear g.spec.Process.Rlimits.
+func (g *Generator) ClearProcessRlimits() {
+	if g.spec == nil {
+		return
+	}
+	g.spec.Process.Rlimits = []rspec.Rlimit{}
+}
+
 // ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids.
 func (g *Generator) ClearProcessAdditionalGids() {
 	if g.spec == nil {

man/oci-runtime-tool-generate.1.md

@@ -237,6 +237,17 @@ read the configuration from `config.json`.
 
   By default a container will have its root filesystem writable allowing processes to write files anywhere.  By specifying the `--rootfs-readonly` flag the container will have its root filesystem mounted as read only prohibiting any writes.
 
+**--rlimits-add**=[]
+  Specifies resource limits, format is RLIMIT:HARD:SOFT. e.g. --rlimits-add=RLIMIT_NOFILE:1024:1024
+  This option can be specified multiple times. When same RLIMIT specified over once, the last one make sense.
+
+**--rlimits-remove**=[]
+  Remove the specified resource limits for process inside the container.
+  This option can be specified multiple times.
+
+**--rlimits-remove-all**=true|false
+  Remove all resource limits for process inside the container. The default is *false*.
+
 **--seccomp-allow**=SYSCALL
   Specifies syscalls to be added to the ALLOW list.
   See --seccomp-syscalls for setting limits on arguments.