daemon: support default pids limit

Signed-off-by: Antonio Murdaca <runcom@linux.com>

Author: runcom

daemon/config_unix.go

@@ -30,6 +30,7 @@ type Config struct {
 	EnableSelinuxSupport  bool                     `json:"selinux-enabled,omitempty"`
 	RemappedRoot          string                   `json:"userns-remap,omitempty"`
 	Ulimits               map[string]*units.Ulimit `json:"default-ulimits,omitempty"`
+	PidsLimit             int64                    `json:"default-pids-limit"`
 	CPURealtimePeriod     int64                    `json:"cpu-rt-period,omitempty"`
 	CPURealtimeRuntime    int64                    `json:"cpu-rt-runtime,omitempty"`
 	OOMScoreAdjust        int                      `json:"oom-score-adjust,omitempty"`
@@ -92,6 +93,7 @@ func (config *Config) InstallFlags(flags *pflag.FlagSet) {
 	flags.StringVar(&config.InitPath, "init-path", "", "Path to the docker-init binary")
 	flags.Int64Var(&config.CPURealtimePeriod, "cpu-rt-period", 0, "Limit the CPU real-time period in microseconds")
 	flags.Int64Var(&config.CPURealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds")
+	flags.Int64Var(&config.PidsLimit, "default-pids-limit", 4096, "Limit the number of processes each container is restricted to")
 	flags.StringVar(&config.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile")
 	flags.BoolVar(&config.SigCheck, "signature-verification", true, "Check image's signatures on pull")
 	flags.BoolVar(&config.EnableSecrets, "enable-secrets", true, "Enable Secrets")

daemon/daemon.go

@@ -31,6 +31,7 @@ import (
 	"github.com/docker/docker/pkg/mount"
 	"github.com/docker/docker/plugin"
 	"github.com/docker/libnetwork/cluster"
+
 	// register graph drivers
 	_ "github.com/docker/docker/daemon/graphdriver/register"
 	dmetadata "github.com/docker/docker/distribution/metadata"
@@ -695,6 +696,10 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot
 	if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled {
 		return nil, fmt.Errorf("Devices cgroup isn't mounted")
 	}
+	if d.configStore.PidsLimit != 0 && !sysInfo.PidsLimit {
+		logrus.Warn("Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
+		d.configStore.PidsLimit = 0
+	}
 
 	d.ID = trustKey.PublicKey().KeyID()
 	d.repository = daemonRepo

daemon/oci_linux.go

@@ -66,9 +66,6 @@ func setResources(s *specs.Spec, r containertypes.Resources) error {
 			ThrottleWriteIOPSDevice: writeIOpsDevice,
 		},
 		DisableOOMKiller: r.OomKillDisable,
-		Pids: &specs.Pids{
-			Limit: &r.PidsLimit,
-		},
 	}
 
 	if s.Linux.Resources != nil && len(s.Linux.Resources.Devices) > 0 {
@@ -645,6 +642,12 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 	if err := setResources(&s, c.HostConfig.Resources); err != nil {
 		return nil, fmt.Errorf("linux runtime spec resources: %v", err)
 	}
+	s.Linux.Resources.Pids = &specs.Pids{
+		Limit: &daemon.configStore.PidsLimit,
+	}
+	if c.HostConfig.Resources.PidsLimit != 0 {
+		s.Linux.Resources.Pids.Limit = &c.HostConfig.Resources.PidsLimit
+	}
 	s.Linux.Resources.OOMScoreAdj = &c.HostConfig.OomScoreAdj
 	s.Linux.Sysctl = c.HostConfig.Sysctls