containerd: resource-limit settings for oci default

README.md

@@ -756,12 +756,189 @@ Each of the `resource-limits` settings below contain two numeric fields: `hard-l
 Please see the [`getrlimit` linux manpage](https://man7.org/linux/man-pages/man7/capabilities.7.html) for meanings of `hard-limit` and `soft-limit`.
 
 The full list of resource limits that can be configured in Bottlerocket are:
-
-resource limit | setting | default value
------ | ----- | -----
-`RLIMIT_NOFILE` | `settings.oci-defaults.resource-limits.max-open-files.hard-limit` | 1048576
-`RLIMIT_NOFILE` | `settings.oci-defaults.resource-limits.max-open-files.soft-limit` | 65536
-
+<table>
+<tr>
+  <th>Resource limit</th>
+  <th>Setting</th>
+  <th>Default value</th>
+  <th>Unit</th>
+</tr>
+<tr>
+  <td rowspan="2"> <code>RLIMIT_AS</code> </td>
+  <td><code>settings.oci-defaults.resource-limits.max-address-space.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-address-space.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_CORE</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-core-file-size.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-core-file-size.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_CPU</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-cpu-time.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">seconds</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-cpu-time.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_DATA</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-data-size.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-data-size.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_LOCKS</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-file-locks.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">locks</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-file-locks.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_FSIZE</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-file-size.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-file-size.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_MEMLOCK</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-locked-memory.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-locked-memory.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_MSGQUEUE</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-msgqueue-size.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-msgqueue-size.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_NICE</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-nice-priority.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">-</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-nice-priority.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_NOFILE</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-open-files.soft-limit</code></td>
+  <td>65536</td>
+  <td rowspan="2">files</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-open-files.hard-limit</code></td>
+  <td>1048576</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_SIGPENDING</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-pending-signals.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">signals</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-pending-signals.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_NPROC</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-processes.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">processes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-processes.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_RTPRIO</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-realtime-priority.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">-</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-realtime-priority.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_RTTIME</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-realtime-timeout.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">microseconds</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-realtime-timeout.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_RSS</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-resident-set.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-resident-set.hard-limit</code></td>
+  <td>-</td>
+</tr>
+<tr>
+  <td rowspan="2"><code>RLIMIT_STACK</code></td>
+  <td><code>settings.oci-defaults.resource-limits.max-stack-size.soft-limit</code></td>
+  <td>-</td>
+  <td rowspan="2">bytes</td>
+</tr>
+<tr>
+  <td><code>settings.oci-defaults.resource-limits.max-stack-size.hard-limit</code></td>
+  <td>-</td>
+</tr>
+</table>
+
+Limits can be any integer between 0 to `int64::MAX`. Either `-1` or `"unlimited"` can be used to remove the limit.
+* Specifying the maximum value (`i64::MAX`) for a limit:
+  ```toml
+  [settings.oci-defaults.resource-limits.<rlimit>>]
+  soft-limit = 65536
+  hard-limit = 9223372036854775807
+  ```
+* Removing a limit:
+  ```toml
+  [settings.oci-defaults.resource-limits.<rlimit>>]
+  soft-limit = 65536
+  hard-limit = "unlimited"
+  ```
+
 #### Container image registry settings
 
 The following setting is optional and allows you to configure image registry mirrors and pull-through caches for your containers.

Release.toml

@@ -221,4 +221,7 @@ version = "1.15.0"
     "migrate_v1.14.3_aws-control-container-v0-7-3.lz4",
     "migrate_v1.14.3_public-control-container-v0-7-3.lz4",
 ]
-"(1.14.3, 1.15.0)" = []
+"(1.14.3, 1.15.0)" = [
+    "migrate_v1.15.0_oci-defaults-resource-setting.lz4",
+    "migrate_v1.15.0_oci-defaults-max-open-files.lz4",
+]

sources/Cargo.toml

@@ -57,6 +57,8 @@ members = [
     "api/migration/migrations/v1.14.3/public-admin-container-v0-10-2",
     "api/migration/migrations/v1.14.3/aws-control-container-v0-7-3",
     "api/migration/migrations/v1.14.3/public-control-container-v0-7-3",
+    "api/migration/migrations/v1.15.0/oci-defaults-resource-setting",
+    "api/migration/migrations/v1.15.0/oci-defaults-max-open-files",
 
     "bloodhound",
 

sources/api/migration/migrations/v1.15.0/oci-defaults-max-open-files/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "oci-defaults-max-open-files"
+version = "0.1.0"
+edition = "2021"
+authors = ["Shikha Vyaghra <[email protected]>"]
+license = "Apache-2.0 OR MIT"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
+serde_json = "1"
+
+[build-dependencies]
+bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

sources/api/migration/migrations/v1.15.0/oci-defaults-max-open-files/build.rs

@@ -0,0 +1,6 @@
+use bottlerocket_variant::Variant;
+
+fn main() {
+    let variant = Variant::from_env().unwrap();
+    variant.emit_cfgs();
+}

sources/api/migration/migrations/v1.15.0/oci-defaults-max-open-files/src/main.rs

@@ -0,0 +1,68 @@
+use migration_helpers::common_migrations::NoOpMigration;
+use migration_helpers::{migrate, Migration, MigrationData, Result};
+use serde_json::Value;
+use std::process;
+
+const HARD_RESOURCE_LIMIT_SETTING_NAME: &str =
+    "settings.oci-defaults.resource-limits.max-open-files.hard-limit";
+const SOFT_RESOURCE_LIMIT_SETTING_NAME: &str =
+    "settings.oci-defaults.resource-limits.max-open-files.soft-limit";
+
+/// This migration changes the hard and soft limit for rlimit_nofile to u32 from i64 on downgrade.
+/// There is no need of migration on upgrade as u32 will automatically change to i64
+pub struct ChangeMaxOpenFileResourceLimitType;
+
+fn convert_to_u32(value: &mut Value) {
+    if !value.is_i64() {
+        return;
+    }
+    let v: i64 = serde_json::from_value(value.clone()).unwrap();
+    let s = match v {
+        -1 => u32::MAX,
+        v if v > u32::MAX as i64 => u32::MAX,
+        _ => v as u32,
+    };
+
+    *value = Value::Number(s.into());
+}
+
+impl Migration for ChangeMaxOpenFileResourceLimitType {
+    /// On upgrade there is nothing to do (see above).
+    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
+        Ok(input)
+    }
+
+    /// On downgrade, if the value is an i64 integer, we need to convert it to a u32.
+    ///
+    /// Note that this potentially causes data loss, if current value of the setting
+    /// is -1 or higher than u_32::MAX we will set it to max possible value i.e. u32::MAX.
+    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
+        if let Some(v) = input.data.get_mut(HARD_RESOURCE_LIMIT_SETTING_NAME) {
+            convert_to_u32(v);
+        }
+        if let Some(v) = input.data.get_mut(SOFT_RESOURCE_LIMIT_SETTING_NAME) {
+            convert_to_u32(v);
+        }
+        Ok(input)
+    }
+}
+
+fn run() -> Result<()> {
+    if cfg!(variant_runtime = "k8s") {
+        migrate(ChangeMaxOpenFileResourceLimitType)?
+    } else {
+        migrate(NoOpMigration)?;
+    }
+
+    Ok(())
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}

sources/api/migration/migrations/v1.15.0/oci-defaults-resource-setting/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "oci-defaults-resource-setting"
+version = "0.1.0"
+edition = "2021"
+authors = ["Shikha Vyaghra <[email protected]>"]
+license = "Apache-2.0 OR MIT"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
+
+[build-dependencies]
+bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

sources/api/migration/migrations/v1.15.0/oci-defaults-resource-setting/build.rs

@@ -0,0 +1,6 @@
+use bottlerocket_variant::Variant;
+
+fn main() {
+    let variant = Variant::from_env().unwrap();
+    variant.emit_cfgs();
+}

sources/api/migration/migrations/v1.15.0/oci-defaults-resource-setting/src/main.rs

@@ -0,0 +1,40 @@
+use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added new resource limit settings for configuring the default OCI runtime spec.
+fn run() -> Result<()> {
+    if cfg!(variant_runtime = "k8s") {
+        migrate(AddPrefixesMigration(vec![
+            "settings.oci-defaults.resource-limits.max-address-space",
+            "settings.oci-defaults.resource-limits.max-core-file-size",
+            "settings.oci-defaults.resource-limits.max-cpu-time",
+            "settings.oci-defaults.resource-limits.max-data-size",
+            "settings.oci-defaults.resource-limits.max-file-locks",
+            "settings.oci-defaults.resource-limits.max-file-size",
+            "settings.oci-defaults.resource-limits.max-locked-memory",
+            "settings.oci-defaults.resource-limits.max-msgqueue-size",
+            "settings.oci-defaults.resource-limits.max-nice-priority",
+            "settings.oci-defaults.resource-limits.max-pending-signals",
+            "settings.oci-defaults.resource-limits.max-processes",
+            "settings.oci-defaults.resource-limits.max-realtime-priority",
+            "settings.oci-defaults.resource-limits.max-realtime-timeout",
+            "settings.oci-defaults.resource-limits.max-resident-set",
+            "settings.oci-defaults.resource-limits.max-stack-size",
+        ]))?
+    } else {
+        migrate(NoOpMigration)?;
+    }
+
+    Ok(())
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}