Skip to content

config: switch PidsLimit to *int64#48

Merged
AkihiroSuda merged 2 commits intoopencontainers:mainfrom
cyphar:pids-limit-0
Oct 28, 2025
Merged

config: switch PidsLimit to *int64#48
AkihiroSuda merged 2 commits intoopencontainers:mainfrom
cyphar:pids-limit-0

Conversation

@cyphar
Copy link
Copy Markdown
Member

@cyphar cyphar commented Oct 22, 2025

Previously we would treat a value of "0" as meaning "no-op", which lead
to quite a bit of confusion. The runtime-spec has been updated to make
the "pids.limit" value a pointer, and explicitly state that:

  • Values >= 0 should be treated as normal values; and
  • -1 indicates "max".

In practice this means we should switch PidsLimit to an *int64. Luckily,
this is actually backwards-compatible with our previous JSON -- an old
value of "0" would be omitted from the output, which will now be parsed
as "nil". The handling by our cgroup code would be identical but the
latter now correctly reflects the guidance by the runtime-spec.

Ref: opencontainers/runc#4014
Ref: opencontainers/runtime-spec#1279
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar cyphar mentioned this pull request Oct 22, 2025
Merged
@cyphar cyphar marked this pull request as draft October 23, 2025 00:55
kolyshkin
kolyshkin requested changes Oct 24, 2025
View reviewed changes
Comment thread fs/pids.go Outdated
Comment thread systemd/v1.go
Comment thread systemd/v2.go
kolyshkin
kolyshkin previously requested changes Oct 24, 2025
View reviewed changes
Comment thread systemd/v1.go
@cyphar cyphar force-pushed the pids-limit-0 branch 4 times, most recently from 6aa36c2 to 6a5011f Compare October 24, 2025 04:53
@cyphar cyphar requested a review from kolyshkin October 24, 2025 05:29
@cyphar cyphar dismissed kolyshkin’s stale review October 24, 2025 05:29

We now remap <0 to -1 and correctly handle some other annoying cases (TasksMax=0).

@cyphar
Copy link
Copy Markdown
Member Author

cyphar commented Oct 24, 2025

@kolyshkin This now passes in runc's CI, but since systemd doesn't support TasksMax=0 we need to remap 0 to 1 -- should we just do the same thing in the fs driver?

@cyphar cyphar marked this pull request as ready for review October 24, 2025 06:17
@cyphar cyphar added this to the 0.0.6 milestone Oct 24, 2025
@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Oct 24, 2025

@kolyshkin This now passes in runc's CI, but since systemd doesn't support TasksMax=0 we need to remap 0 to 1 -- should we just do the same thing in the fs driver?

I guess so, yes. Otherwise setting it to 0 will result in systemd driver writing 1 when fs driver writing 0, and after systemctl daemon-reload (or some such) systemd will write 1 again. Who knows what kernel might do in this case, so it's better not to oscillate between 1 and 0.

@cyphar
Copy link
Copy Markdown
Member Author

cyphar commented Oct 25, 2025

Okay, let's go with that then. I will add an implementors note to the runtime-spec...

cyphar added 2 commits October 26, 2025 01:42
@cyphar
config: switch PidsLimit to *int64
ae52e0c 
Previously we would treat a value of "0" as meaning "no-op", which lead
to quite a bit of confusion. The runtime-spec has been updated to make
the "pids.limit" value a pointer, and explicitly state that:

 * Values >= 0 should be treated as normal values; and
 * < 0 (usually -1) indicates "max".

In practice this means we should switch PidsLimit to an *int64. Luckily,
this is actually backwards-compatible with our previous JSON -- an old
value of "0" would be omitted from the output, which will now be parsed
as "nil". The handling by our cgroup code would be identical but the
latter now correctly reflects the guidance by the runtime-spec.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
systemd: add TasksMax test
7c34f09 
Co-developed-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
Copy link
Copy Markdown
Member Author

cyphar commented Oct 25, 2025

Done!

kolyshkin
kolyshkin approved these changes Oct 26, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@AkihiroSuda AkihiroSuda merged commit 2f41057 into opencontainers:main Oct 28, 2025
14 checks passed
@cyphar cyphar deleted the pids-limit-0 branch October 28, 2025 05:13
@Luap99 Luap99 mentioned this pull request Nov 6, 2025
Merged
@lifubang lifubang mentioned this pull request Nov 26, 2025
Merged
millonbigs-cpu

This comment was marked as spam.

Sign in to view

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kolyshkin kolyshkin kolyshkin approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@thaJeztah thaJeztah Awaiting requested review from thaJeztah

+1 more reviewer

@millonbigs-cpu millonbigs-cpu millonbigs-cpu left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

0.0.6

Development

Successfully merging this pull request may close these issues.

5 participants

@cyphar @kolyshkin @siretart @AkihiroSuda @millonbigs-cpu