diff options
| author | Lennart Poettering <lennart@poettering.net> | 2018-05-07 17:59:18 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2018-05-17 20:45:54 +0200 |
| commit | bf428efb0776d45f12ac81dc67463663f92b552f (patch) | |
| tree | d3dbc31539bde61175285ec65b2283e33b88dccf /src/nspawn/nspawn-settings.c | |
| parent | 114c55f2d52808c8c3027d3cf4f7e3453f0a28d6 (diff) | |
| download | systemd-bf428efb0776d45f12ac81dc67463663f92b552f.tar.gz | |
nspawn: add new --rlimit= switch, and always set resource limits explicitly for our container payloads
This ensures we set the various resource limits of our container
explicitly on each invocation so that we inherit less from our callers
into the payload.
By default resource limits are now set to the same values Linux
generally passes to the host PID 1, thus minimizing needless differences
between host and container environments.
The limits are now also configurable using a new --rlimit= switch. This
is preparation for teaching nspawn native OCI runtime support as OCI
permits setting resource limits for container payloads, and it hence
probably makes sense if we do too.
Diffstat (limited to 'src/nspawn/nspawn-settings.c')
| -rw-r--r-- | src/nspawn/nspawn-settings.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c index 487514d40a..19bf1d4b94 100644 --- a/src/nspawn/nspawn-settings.c +++ b/src/nspawn/nspawn-settings.c @@ -12,6 +12,7 @@ #include "nspawn-settings.h" #include "parse-util.h" #include "process-util.h" +#include "rlimit-util.h" #include "socket-util.h" #include "string-util.h" #include "strv.h" @@ -80,6 +81,7 @@ Settings* settings_free(Settings *s) { free(s->working_directory); strv_free(s->syscall_whitelist); strv_free(s->syscall_blacklist); + rlimit_free_all(s->rlimit); strv_free(s->network_interfaces); strv_free(s->network_macvlan); |