From 7fc11df86759168964d1a3a0a9f808ce9e68b8c5 Mon Sep 17 00:00:00 2001
From: Ace-Tang
Date: Fri, 11 May 2018 16:25:32 +0800
Subject: [PATCH] feature: add pidslimit implement
Signed-off-by: Ace-Tang
---
 cli/common_flags.go | 1 +
 cli/container.go | 2 ++
 daemon/mgr/spec_linux.go | 5 ++++-
 test/cli_create_test.go | 15 +++++++++++++++
 test/cli_run_test.go | 19 +++++++++++++++++++
 test/cli_start_test.go | 11 +++++++++++
 6 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/cli/common_flags.go b/cli/common_flags.go
index 23e0ac749..09a9a5f76 100644
--- a/cli/common_flags.go
+++ b/cli/common_flags.go
@@ -84,6 +84,7 @@ func addCommonFlags(flagSet *pflag.FlagSet) *container {
 flagSet.StringVarP(&c.workdir, "workdir", "w", "", "Set the working directory in a container")
 flagSet.Var(&c.ulimit, "ulimit", "Set container ulimit")
+ flagSet.Int64Var(&c.pidsLimit, "pids-limit", -1, "Set container pids limit, -1 for unlimited")
 flagSet.BoolVar(&c.rich, "rich", false, "Start container in rich container mode. (default false)")
 flagSet.StringVar(&c.richMode, "rich-mode", "", "Choose one rich container mode. dumb-init(default), systemd, sbin-init")
diff --git a/cli/container.go b/cli/container.go
index bbec790c8..ff3743a6d 100644
--- a/cli/container.go
+++ b/cli/container.go
@@ -69,6 +69,7 @@ type container struct {
 specAnnotation []string
 cgroupParent string
 ulimit Ulimit
+ pidsLimit int64
 //add for rich container mode
 rich bool
@@ -223,6 +224,7 @@ func (c *container) config() (*types.ContainerCreateConfig, error) {
 IntelRdtL3Cbm: intelRdtL3Cbm,
 CgroupParent: c.cgroupParent,
 Ulimits: c.ulimit.value(),
+ PidsLimit: c.pidsLimit,
 },
 EnableLxcfs: c.enableLxcfs,
 Privileged: c.privileged,
diff --git a/daemon/mgr/spec_linux.go b/daemon/mgr/spec_linux.go
index 56dd7329d..999c786b0 100644
--- a/daemon/mgr/spec_linux.go
+++ b/daemon/mgr/spec_linux.go
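Review bot: In cli/common_flags.go the new `--pids-limit` flag accepts any int64, and nothing in this commit rejects 0 or values below -1, so whatever the user types is copied by `config()` into HostConfig and from there into the OCI spec. The help text documents only -1, which leaves the meaning of 0 to the runtime. I would validate in `config()` before the HostConfig is built, for example `if c.pidsLimit < -1 { return nil, fmt.Errorf("invalid pids limit %d", c.pidsLimit) }` (assuming fmt is already imported in that file), and state in the help string what 0 does. Because the default is -1, a container started without the flag gets no task cap at all; if the pids cgroup is meant to contain runaway process creation inside a container, a daemon-side default is worth a follow-up.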
@@ -140,7 +140,10 @@ func setupResource(ctx context.Context, c *Container, s *specs.Spec) error {
 return err
 }
- //TODO: nedd support Pids, HugepageLimits, Network cgroup set
+ // start to setup pids limit
+ s.Linux.Resources.Pids = &specs.LinuxPids{
+ Limit: c.HostConfig.PidsLimit,
+ }
 return nil
 }
diff --git a/test/cli_create_test.go b/test/cli_create_test.go
index 82e8408f2..cb5b80b1e 100644
--- a/test/cli_create_test.go
+++ b/test/cli_create_test.go
@@ -474,3 +474,18 @@ func (suite *PouchCreateSuite) TestCreateWithUlimit(c *check.C) {
 c.Assert(int(ul.Hard), check.Equals, 21)
 c.Assert(int(ul.Soft), check.Equals, 21)
 }
+
+// TestCreateWithPidsLimit tests running container with --pids-limit flag.
+func (suite *PouchRunSuite) TestCreateWithPidsLimit(c *check.C) {
+ cname := "TestCreateWithPidsLimit"
+ res := command.PouchRun("create", "--pids-limit", "10", "--name", cname, busyboxImage)
+ res.Assert(c, icmd.Success)
+
+ output := command.PouchRun("inspect", cname).Stdout()
+ result := []types.ContainerJSON{}
+ if err := json.Unmarshal([]byte(output), &result); err != nil {
+ c.Errorf("failed to decode inspect output: %v", err)
+ }
+ pl := result[0].HostConfig.PidsLimit
+ c.Assert(int(pl), check.Equals, 10)
+}
diff --git a/test/cli_run_test.go b/test/cli_run_test.go
index 52bab8d41..9c7cd7e9b 100644
--- a/test/cli_run_test.go
+++ b/test/cli_run_test.go
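Review bot: In daemon/mgr/spec_linux.go, `s.Linux.Resources.Pids` is assigned unconditionally from `c.HostConfig.PidsLimit`, so a container created through the API without that field carries the Go zero value and gets `Limit: 0` in its spec, while the CLI path defaults to -1. How the runtime interprets 0 or an arbitrary negative number is outside this code's control, so I would normalise here: leave Pids unset for 0 and map every negative value to -1, as in the excerpt below. The assignment also dereferences `s.Linux.Resources` and `c.HostConfig` without a nil check; the earlier part of setupResource lies outside the hunk and presumably initialises both, but that should be confirmed. The removed TODO also named HugepageLimits and the Network cgroup, which this commit does not implement, so a TODO for those two should stay.

```go
	// … unchanged: earlier resource setup in setupResource …

	// Leave Pids unset for the zero value; treat any negative value as unlimited.
	if limit := c.HostConfig.PidsLimit; limit != 0 {
		if limit < 0 {
			limit = -1
		}
		s.Linux.Resources.Pids = &specs.LinuxPids{Limit: limit}
	}
	return nil
```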
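Review bot: TestCreateWithPidsLimit in test/cli_create_test.go is declared on `*PouchRunSuite`, while the test directly above it in the same file uses `*PouchCreateSuite`; this looks like a copy-paste slip and the receiver should read `func (suite *PouchCreateSuite) TestCreateWithPidsLimit(c *check.C)`. The unmarshal failure is reported with `c.Errorf`, which marks the test failed but does not stop it, so `result[0]` on the following line panics with an index error when decoding fails or inspect returns an empty list; `c.Assert(err, check.IsNil)` followed by a length assertion avoids that, and TestRunWithPidsLimit in test/cli_run_test.go has the same pattern. Neither of these two tests removes its container, unlike TestStartWithPidsLimit, which defers `DelContainerForceMultyTime(c, name)`; unless suite teardown handles it, the fixed container name may make a rerun fail on a name clash. The doc comment says "running container" where this test only creates one.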
@@ -1085,3 +1085,22 @@ func (suite *PouchRunSuite) TestRunWithUlimit(c *check.C) {
 c.Assert(int(ul.Soft), check.Equals, 256)
 }
+
+// TestRunWithPidsLimit tests running container with --pids-limit flag.
+func (suite *PouchRunSuite) TestRunWithPidsLimit(c *check.C) {
+ cname := "TestRunWithPidsLimit"
+ pidfile := "/sys/fs/cgroup/pids/pids.max"
+ res := command.PouchRun("run", "--pids-limit", "10", "--name", cname, busyboxImage, "cat", pidfile)
+ res.Assert(c, icmd.Success)
+
+ out := res.Stdout()
+ c.Assert(out, check.Equals, "10\n")
+
+ output := command.PouchRun("inspect", cname).Stdout()
+ result := []types.ContainerJSON{}
+ if err := json.Unmarshal([]byte(output), &result); err != nil {
+ c.Errorf("failed to decode inspect output: %v", err)
+ }
+ pl := result[0].HostConfig.PidsLimit
+ c.Assert(int(pl), check.Equals, 10)
+}
diff --git a/test/cli_start_test.go b/test/cli_start_test.go
index ed06c9e6b..17fa51a63 100644
--- a/test/cli_start_test.go
+++ b/test/cli_start_test.go
@@ -285,3 +285,14 @@ func (suite *PouchStartSuite) TestStartWithUlimit(c *check.C) {
 command.PouchRun("start", name).Assert(c, icmd.Success)
 }
+
+// TestStartWithPidsLimit tests running container with --pids-limit flag.
+func (suite *PouchStartSuite) TestStartWithPidsLimit(c *check.C) {
+ name := "TestStartWithPidsLimit"
+ pidfile := "/sys/fs/cgroup/pids/pids.max"
+ res := command.PouchRun("create", "--pids-limit", "10", "--name", name, busyboxImage, "cat", pidfile)
+ res.Assert(c, icmd.Success)
+ defer DelContainerForceMultyTime(c, name)
+
+ command.PouchRun("start", name).Assert(c, icmd.Success)
+}
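Review bot: TestRunWithPidsLimit in test/cli_run_test.go reads the limit from the hard-coded path `/sys/fs/cgroup/pids/pids.max`, which exists only where the pids controller is mounted in the cgroup v1 layout; on a host with a unified hierarchy or without the pids controller, `cat` fails and the test reports a failure that has nothing to do with the feature. TestStartWithPidsLimit in test/cli_start_test.go hard-codes the same path. A skip condition that checks the controller is available on the test host would keep the result meaningful. Only the value 10 is exercised; a case for the default -1 (presumably reading back `max`) and one for 0 would pin the behaviour that protects the host when no explicit limit is given.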
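Review bot: TestStartWithPidsLimit in test/cli_start_test.go never checks that the limit took effect: the container is created with `cat /sys/fs/cgroup/pids/pids.max` as its command, but `start` is run without capturing that output and only its exit status is asserted, so the test passes even if the pids cgroup is never configured. Either compare the container's output with `"10\n"` as TestRunWithPidsLimit does, or inspect the container after start and assert `HostConfig.PidsLimit`. The doc comment says "tests running container" where this test covers create followed by start.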