author | Lennart Poettering <lennart@poettering.net> | 2018-05-07 17:59:18 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2018-05-17 20:45:54 +0200 |
commit | bf428efb0776d45f12ac81dc67463663f92b552f (patch) | |
tree | d3dbc31539bde61175285ec65b2283e33b88dccf /man | |
parent | 114c55f2d52808c8c3027d3cf4f7e3453f0a28d6 (diff) | |
nspawn: add new --rlimit= switch, and always set resource limits explicitly for our container payloads

This ensures we set the various resource limits of our container
explicitly on each invocation so that we inherit less from our callers
into the payload.

By default resource limits are now set to the same values Linux
generally passes to the host PID 1, thus minimizing needless differences
between host and container environments.

The limits are now also configurable using a new --rlimit= switch. This
is preparation for teaching nspawn native OCI runtime support as OCI
permits setting resource limits for container payloads, and it hence
probably makes sense if we do too.
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd-nspawn.xml | 25 | ||||
-rw-r--r-- | man/systemd.nspawn.xml | 24 |
2 files changed, 49 insertions, 0 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 713782b859..c6b027c58f 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml 
@@ -735,6 +735,31 @@ </varlistentry> <varlistentry> + <term><option>--rlimit=</option></term> + + <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the + form + <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal> + or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where + <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as + <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and + <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the + second form is used, <replaceable>VALUE</replaceable> may specifiy a value that is used both as soft and hard + limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off + resource limiting for the specific type of resource. This command line option may be used multiple times to + control limits on multiple limit types. If used multiple times for the same limit type, the last last use + wins. For details about resource limits see <citerefentry + project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default + resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally + passed to the host init system. Note that some resource limits are enforced on resources counted per user, in + particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed + (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource + usage of the same user on all local containers as well as the host. This means particular care needs to be + taken with these limits as they might be triggered by possibly less trusted code. 
Example: + <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem> + </varlistentry> + + <varlistentry> <term><option>--kill-signal=</option></term> <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml index b5c60a33e0..6bd7b33b34 100644 --- a/man/systemd.nspawn.xml +++ b/man/systemd.nspawn.xml @@ -278,6 +278,30 @@ details.</para></listitem> </varlistentry> + <varlistentry> + <term><varname>LimitCPU=</varname></term> + <term><varname>LimitFSIZE=</varname></term> + <term><varname>LimitDATA=</varname></term> + <term><varname>LimitSTACK=</varname></term> + <term><varname>LimitCORE=</varname></term> + <term><varname>LimitRSS=</varname></term> + <term><varname>LimitNOFILE=</varname></term> + <term><varname>LimitAS=</varname></term> + <term><varname>LimitNPROC=</varname></term> + <term><varname>LimitMEMLOCK=</varname></term> + <term><varname>LimitLOCKS=</varname></term> + <term><varname>LimitSIGPENDING=</varname></term> + <term><varname>LimitMSGQUEUE=</varname></term> + <term><varname>LimitNICE=</varname></term> + <term><varname>LimitRTPRIO=</varname></term> + <term><varname>LimitRTTIME=</varname></term> + + <listitem><para>Configures various types of resource limits applied to containers. This is equivalent to the + <option>--rlimit=</option> command line switch, and takes the same arguments. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para></listitem> + </varlistentry> + </variablelist> </refsect1> |
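Review bot: The new --rlimit= paragraph in man/systemd-nspawn.xml has two typos: "may specifiy a value" should read "may specify a value" (or simply "VALUE specifies a value"), and "the last last use wins" has a doubled word. Separately, the RLIMIT_NPROC caveat sits near the end of one long paragraph, after the setrlimit(2) reference and the sentence about defaults. Since it says that without --private-users= the limit is counted against the same user on the host and on all other local containers, consider giving it its own <para> so that readers who only look up the syntax do not skim past it.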
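Review bot: The Limit*= entry in man/systemd.nspawn.xml says the settings take "the same arguments" as --rlimit=, but --rlimit= is documented as LIMIT=SOFT:HARD or LIMIT=VALUE, with the limit name inside the argument, while here the limit type is already part of the setting name (LimitNOFILE=, LimitNPROC=, ...). Suggest stating that the value is SOFT:HARD or a single VALUE (or infinity), and adding a short example as the --rlimit= entry does. The per-user accounting caveat for RLIMIT_NPROC is only reachable through the cross-reference; a one-sentence pointer next to LimitNPROC= would help, since that is the setting where a limit reached inside a container without user namespacing also applies to the same user on the host.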