From 58c889bf0c0393948a3f74fe2f690d061753f6a6 Mon Sep 17 00:00:00 2001 From: Ian McEwen Date: Tue, 23 Oct 2018 10:44:31 -0700 Subject: [PATCH] Add initial higher limits and default behavior for private tool resource restrictions --- src/apps/tools/private.clj | 19 ++++++++++++++----- src/apps/util/config.clj | 15 +++++++++++++++ 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/src/apps/tools/private.clj b/src/apps/tools/private.clj index 7fab8448..dddabc0f 100644 --- a/src/apps/tools/private.clj +++ b/src/apps/tools/private.clj @@ -27,12 +27,21 @@ (defn- restrict-private-tool-container "Restrict the networking, CPU shares, and memory limits for the tool's container." - [{:keys [pids_limit memory_limit] :or {pids_limit (cfg/private-tool-pids-limit) - memory_limit (cfg/private-tool-memory-limit)} + [{:keys [pids_limit memory_limit max_cpu_cores] :or {pids_limit (cfg/private-tool-pids-limit) + memory_limit (cfg/private-tool-memory-limit) + max_cpu_cores (cfg/private-tool-max-cpu-cores)} :as container}] (assoc container :network_mode "none" - :pids_limit (restrict-private-tool-setting pids_limit (cfg/private-tool-pids-limit)) - :memory_limit (restrict-private-tool-setting memory_limit (cfg/private-tool-memory-limit)))) + :max_cpu_cores (restrict-private-tool-setting max_cpu_cores (cfg/tool-max-cpu-cores)) + :pids_limit (restrict-private-tool-setting pids_limit (cfg/private-tool-pids-limit)) + :memory_limit (restrict-private-tool-setting memory_limit (cfg/tool-memory-limit)))) + +(defn- set-private-tool-defaults + "Set the default pid/memory/cpu restrictions for a private tool, if they're unset" + [{:keys [pids_limit memory_limit max_cpu_cores] :as container}] + (assoc container :pids_limit (or pids_limit (cfg/private-tool-pids-limit)) + :memory_limit (or memory_limit (cfg/private-tool-memory-limit)) + :max_cpu_cores (or max_cpu_cores (cfg/private-tool-max-cpu-cores)))) (defn- restrict-private-tool-time-limit "Restrict the tool's time limit setting." 
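Review bot: In `set-private-tool-defaults`, `(or memory_limit (cfg/private-tool-memory-limit))` replaces only nil or false, so a request that supplies `0` or a negative number keeps that value (0 is truthy in Clojure). Whether it is then rejected depends on `restrict-private-tool-setting`, which is defined outside this hunk; if that helper only caps values above the ceiling, a private tool could be stored with a limit that a container runtime may read as "unlimited". A per-key guard such as `(if (and memory_limit (pos? memory_limit)) memory_limit (cfg/private-tool-memory-limit))` would close that for all three settings. With this function in front, the `:or` defaults in `restrict-private-tool-container` no longer have any effect on the add path and could be dropped. Its docstring should also mention the pid and CPU-core limits it now sets.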
@@ -69,7 +78,7 @@ restrict-private-tool (assoc :implementation (ensure-default-implementation user implementation)) persistence/add-tool)] - (containers/add-tool-container tool-id (restrict-private-tool-container container)) + (containers/add-tool-container tool-id (restrict-private-tool-container (set-private-tool-defaults container))) (perms-client/register-private-tool shortUsername tool-id) (tools/get-tool shortUsername tool-id)))) diff --git a/src/apps/util/config.clj b/src/apps/util/config.clj index 29c3d3b3..3855712d 100644 --- a/src/apps/util/config.clj +++ b/src/apps/util/config.clj @@ -112,6 +112,21 @@ [props config-valid configs] "apps.tools.private.memory-limit" (* 16 1024 1024 1024)) ;; 16GB +(cc/defprop-optlong private-tool-max-cpu-cores + "The number of cpu cores to use when adding new private tools" + [props config-valid configs] + "apps.tools.private.max-cpu-cores" 4.0) + +(cc/defprop-optint tool-memory-limit + "The maximum memory limit, in bytes, that a (private) tool may be created with" + [props config-valid configs] + "apps.tools.memory-limit" (* 32 1024 1024 1024)) ;; 32GB + +(cc/defprop-optlong tool-max-cpu-cores + "The maximum number of max cpu cores that a (private) tool may be created with" + [props config-valid configs] + "apps.tools.max-cpu-cores" 16.0) + (cc/defprop-optstr workspace-root-app-category "The name of the root app category in a user's workspace." [props config-valid configs]
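Review bot: As far as this hunk shows, the default-then-clamp pair is applied only where the tool is first added; if private tools can later be edited through another function, that path needs the same `(restrict-private-tool-container (set-private-tool-defaults container))` treatment, or a user could raise the limits after creation. The enclosing function starts and ends outside the hunk, so this could not be confirmed from here. The nested call also depends on the defaults running before the clamp; a short comment such as `;; fill defaults first, then clamp to the configured ceilings` would keep a later edit from reordering it.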
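Review bot: `tool-memory-limit` is declared with `cc/defprop-optint`, but its default `(* 32 1024 1024 1024)` is larger than a 32-bit int can hold. If the macro parses configured values as ints, an operator could not set `apps.tools.memory-limit` to the default or anything above roughly 2 GiB from the properties file, so `cc/defprop-optlong` looks like the right declaration for this ceiling. The two CPU-core properties have the opposite mismatch: they are `defprop-optlong` with the defaults `4.0` and `16.0`, so the built-in default is a double while a configured value would presumably be a long. Use `4` and `16` if cores are whole numbers, or a floating-point property type if fractional cores are intended. The docstring "The maximum number of max cpu cores" can read "The maximum number of CPU cores".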