summaryrefslogtreecommitdiff
path: root/oslo_concurrency/processutils.py
diff options
context:
space:
mode:
authorDaniel P. Berrange <berrange@redhat.com>2016-04-19 13:17:13 +0000
committerDaniel P. Berrange <berrange@redhat.com>2016-04-19 14:35:24 +0100
commit8af826953d1ad2cab2ecf360e0c794de70a367c3 (patch)
tree04862443ec27c16ba026f6eabbdac1944567703c /oslo_concurrency/processutils.py
parent7bc24c5d146a83dbb0e9560fe121595d15dbea32 (diff)
downloadoslo-concurrency-8af826953d1ad2cab2ecf360e0c794de70a367c3.tar.gz
processutils: add support for missing process limits
The original commit adding support for process limits only wired up address space, max files and resident set size limits. This is not sufficient to enable nova to protect qemu-img commands against malicious images. This commit adds support for the remaining limits supported by python: core file size, cpu time, data size, file size, locked memory size, max processes and stack size. Related-bug: #1449062 Change-Id: I164c4b35e1357a0f80ed7fe00a7ae8f49df92e31
Diffstat (limited to 'oslo_concurrency/processutils.py')
-rw-r--r--oslo_concurrency/processutils.py38
1 files changed, 28 insertions, 10 deletions
diff --git a/oslo_concurrency/processutils.py b/oslo_concurrency/processutils.py
index b74e5f2..1f46221 100644
--- a/oslo_concurrency/processutils.py
+++ b/oslo_concurrency/processutils.py
@@ -134,16 +134,36 @@ class ProcessLimits(object):
Attributes:
* address_space: Address space limit in bytes
- * number_files: Maximum number of open files.
+ * core_file_size: Core file size limit in bytes
+ * cpu_time: CPU time limit in seconds
+ * data_size: Data size limit in bytes
+ * file_size: File size limit in bytes
+ * memory_locked: Locked memory limit in bytes
+ * number_files: Maximum number of open files
+ * number_processes: Maximum number of processes
* resident_set_size: Maximum Resident Set Size (RSS) in bytes
+ * stack_size: Stack size limit in bytes
This object can be used for the *prlimit* parameter of :func:`execute`.
"""
+ _LIMITS = {
+ "address_space": "--as",
+ "core_file_size": "--core",
+ "cpu_time": "--cpu",
+ "data_size": "--data",
+ "file_size": "--fsize",
+ "memory_locked": "--memlock",
+ "number_files": "--nofile",
+ "number_processes": "--nproc",
+ "resident_set_size": "--rss",
+ "stack_size": "--stack",
+ }
+
def __init__(self, **kw):
- self.address_space = kw.pop('address_space', None)
- self.number_files = kw.pop('number_files', None)
- self.resident_set_size = kw.pop('resident_set_size', None)
+ for limit in self._LIMITS.keys():
+ setattr(self, limit, kw.pop(limit, None))
+
if kw:
raise ValueError("invalid limits: %s"
% ', '.join(sorted(kw.keys())))
@@ -151,12 +171,10 @@ class ProcessLimits(object):
def prlimit_args(self):
"""Create a list of arguments for the prlimit command line."""
args = []
- if self.address_space:
- args.append('--as=%s' % self.address_space)
- if self.number_files:
- args.append('--nofile=%s' % self.number_files)
- if self.resident_set_size:
- args.append('--rss=%s' % self.resident_set_size)
+ for limit in self._LIMITS.keys():
+ val = getattr(self, limit)
+ if val is not None:
+ args.append("%s=%s" % (self._LIMITS[limit], val))
return args
View Lorry Controller Status