Skip to content

runtime-spec: update pids.limit handling to match new guidance #4949

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 11, 2025
Merged

runtime-spec: update pids.limit handling to match new guidance #4949

merged 3 commits into from
Nov 11, 2025

Conversation

@cyphar
Copy link
Member

@cyphar cyphar commented Oct 22, 2025
edited
Loading

Draft until opencontainers/cgroups#48 is merged.

The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Fixes #4014
Closes #4015
Closes #4023
Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar added this to the 1.4.0 milestone Oct 22, 2025
@cyphar cyphar marked this pull request as draft October 22, 2025 13:01
@cyphar cyphar mentioned this pull request Oct 22, 2025
Merged
@cyphar cyphar force-pushed the pids-limit-0 branch 2 times, most recently from 0cad003 to 53c6f1b Compare October 23, 2025 00:50
@cyphar
Copy link
Member Author

cyphar commented Oct 23, 2025

Given how close we are to 1.4.0, we should punt this for 1.4.1.

@cyphar cyphar modified the milestones: 1.4.0, 1.4.1 Oct 23, 2025
@cyphar cyphar mentioned this pull request Oct 24, 2025
Merged
@cyphar cyphar force-pushed the pids-limit-0 branch 5 times, most recently from ae5145b to 9cbc6a3 Compare October 24, 2025 05:31
@cyphar cyphar modified the milestones: 1.4.1, 1.4.0 Oct 24, 2025
@cyphar cyphar force-pushed the pids-limit-0 branch 3 times, most recently from cefb4e7 to cb93018 Compare October 31, 2025 11:08
@cyphar cyphar marked this pull request as ready for review October 31, 2025 11:08
@cyphar cyphar force-pushed the pids-limit-0 branch 2 times, most recently from ecd4789 to 41690a4 Compare October 31, 2025 11:18
AkihiroSuda
AkihiroSuda reviewed Nov 4, 2025
View reviewed changes
@AkihiroSuda AkihiroSuda added the backport/1.4-todo A PR in main branch which needs to backported to release-1.4 label Nov 4, 2025
@kolyshkin kolyshkin mentioned this pull request Nov 4, 2025
Closed
kolyshkin
kolyshkin reviewed Nov 4, 2025
View reviewed changes
kolyshkin
kolyshkin reviewed Nov 4, 2025
View reviewed changes
@kolyshkin kolyshkin requested a review from AkihiroSuda November 5, 2025 00:57
@kolyshkin
Copy link
Contributor

kolyshkin commented Nov 5, 2025

Lint failure is probably golangci/golangci-lint#5979. Removed the cache and re-ran the job. Opened #4961 as a potential workaround (which may or may not work).

cyphar referenced this pull request in opencontainers/cgroups Nov 5, 2025
@cyphar
config: switch PidsLimit to *int64
ae52e0c 
Previously we would treat a value of "0" as meaning "no-op", which lead
to quite a bit of confusion. The runtime-spec has been updated to make
the "pids.limit" value a pointer, and explicitly state that:

 * Values >= 0 should be treated as normal values; and
 * < 0 (usually -1) indicates "max".

In practice this means we should switch PidsLimit to an *int64. Luckily,
this is actually backwards-compatible with our previous JSON -- an old
value of "0" would be omitted from the output, which will now be parsed
as "nil". The handling by our cgroup code would be identical but the
latter now correctly reflects the guidance by the runtime-spec.

Signed-off-by: Aleksa Sarai <[email protected]>
@AkihiroSuda
Copy link
Member

AkihiroSuda commented Nov 5, 2025

Needs rebase

@cyphar cyphar mentioned this pull request Nov 7, 2025
Open
@cyphar cyphar requested a review from kolyshkin November 8, 2025 12:08
AkihiroSuda
AkihiroSuda reviewed Nov 10, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Nov 10, 2025
View reviewed changes
kolyshkin
kolyshkin approved these changes Nov 10, 2025
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cyphar
runtime-spec: update pids.limit handling to match new guidance
3b75374 
The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
tests: add pids.limit tests
72421e0 
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
update: switch to generics for mkPtr logic
8ab2458 
This is much easier to read and removes the need for explicit per-type
helper functions.

Signed-off-by: Aleksa Sarai <[email protected]>
@AkihiroSuda AkihiroSuda merged commit 996278a into opencontainers:main Nov 11, 2025
36 checks passed
@cyphar cyphar mentioned this pull request Nov 12, 2025
Open
@kolyshkin kolyshkin added backport/1.4-done A PR in main branch which has been backported to release-1.4 and removed backport/1.4-todo A PR in main branch which needs to backported to release-1.4 labels Nov 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kolyshkin kolyshkin kolyshkin approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

backport/1.4-done A PR in main branch which has been backported to release-1.4

Projects

None yet

Milestone

1.4.0

Development

Successfully merging this pull request may close these issues.

Undefined (and potentially incorrect) behavior when pids limit is set to 0

3 participants

@cyphar @kolyshkin @AkihiroSuda