diff options
author | Daniel P. Berrange <berrange@redhat.com> | 2016-04-19 13:17:13 +0000 |
---|---|---|
committer | Daniel P. Berrange <berrange@redhat.com> | 2016-04-19 14:35:24 +0100 |
commit | 8af826953d1ad2cab2ecf360e0c794de70a367c3 (patch) | |
tree | 04862443ec27c16ba026f6eabbdac1944567703c /oslo_concurrency/processutils.py | |
parent | 7bc24c5d146a83dbb0e9560fe121595d15dbea32 (diff) | |
download | oslo-concurrency-8af826953d1ad2cab2ecf360e0c794de70a367c3.tar.gz |
processutils: add support for missing process limits
The original commit adding support for process limits only wired
up address space, max files and resident set size limits. This
is not sufficient to enable nova to protect qemu-img commands
against malicious images.
This commit adds support for the remaining limits supported
by python: core file size, cpu time, data size, file size,
locked memory size, max processes and stack size.
Related-bug: #1449062
Change-Id: I164c4b35e1357a0f80ed7fe00a7ae8f49df92e31
Diffstat (limited to 'oslo_concurrency/processutils.py')
-rw-r--r-- | oslo_concurrency/processutils.py | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/oslo_concurrency/processutils.py b/oslo_concurrency/processutils.py index b74e5f2..1f46221 100644 --- a/oslo_concurrency/processutils.py +++ b/oslo_concurrency/processutils.py @@ -134,16 +134,36 @@ class ProcessLimits(object): Attributes: * address_space: Address space limit in bytes - * number_files: Maximum number of open files. + * core_file_size: Core file size limit in bytes + * cpu_time: CPU time limit in seconds + * data_size: Data size limit in bytes + * file_size: File size limit in bytes + * memory_locked: Locked memory limit in bytes + * number_files: Maximum number of open files + * number_processes: Maximum number of processes * resident_set_size: Maximum Resident Set Size (RSS) in bytes + * stack_size: Stack size limit in bytes This object can be used for the *prlimit* parameter of :func:`execute`. """ + _LIMITS = { + "address_space": "--as", + "core_file_size": "--core", + "cpu_time": "--cpu", + "data_size": "--data", + "file_size": "--fsize", + "memory_locked": "--memlock", + "number_files": "--nofile", + "number_processes": "--nproc", + "resident_set_size": "--rss", + "stack_size": "--stack", + } + def __init__(self, **kw): - self.address_space = kw.pop('address_space', None) - self.number_files = kw.pop('number_files', None) - self.resident_set_size = kw.pop('resident_set_size', None) + for limit in self._LIMITS.keys(): + setattr(self, limit, kw.pop(limit, None)) + if kw: raise ValueError("invalid limits: %s" % ', '.join(sorted(kw.keys()))) @@ -151,12 +171,10 @@ class ProcessLimits(object): def prlimit_args(self): """Create a list of arguments for the prlimit command line.""" args = [] - if self.address_space: - args.append('--as=%s' % self.address_space) - if self.number_files: - args.append('--nofile=%s' % self.number_files) - if self.resident_set_size: - args.append('--rss=%s' % self.resident_set_size) + for limit in self._LIMITS.keys(): + val = getattr(self, limit) + if val is not None: + args.append("%s=%s" % (self._LIMITS[limit], val)) return args |