Merge pull request #1327 from kernelkit/container-limits

Container limits

Author: mattiaswal

board/common/rootfs/etc/finit.d/available/[email protected]

@@ -5,4 +5,5 @@
 # 'podman load', must not have a timeout.
 sysv    log:prio:local1,tag:%i kill:30 pid:!/run/container:%i.pid \
 	pre:0,/usr/sbin/container cleanup:0,/usr/sbin/container   \
+	cgroup.system,delegate					  \
 	[2345] <!> :%i container -n %i -- container %i

board/common/rootfs/usr/sbin/container

@@ -411,10 +411,20 @@ create()
 	logging="--log-driver syslog"
     fi
 
+    # Build resource limit arguments
+    resource=""
+    if [ -n "$memory" ]; then
+	resource="$resource --memory=$memory"
+    fi
+    if [ -n "$cpu_limit" ]; then
+	resource="$resource --cpu-quota=$cpu_limit"
+    fi
+
     # When we get here we've already fetched, or pulled, the image
-    args="$args --read-only --replace --quiet --cgroup-parent=containers $caps"
+    args="$args --read-only --replace --quiet $caps"
+    args="$args --cgroups=enabled --cgroupns=host --cgroup-parent=system/container@$name"
     args="$args --restart=$restart --systemd=false --tz=local $privileged"
-    args="$args $vol $mount $hostname $entrypoint $env $port $logging"
+    args="$args $vol $mount $hostname $entrypoint $env $port $logging $resource"
     pidfile=/run/container:${name}.pid
 
     [ -n "$quiet" ] || log "---------------------------------------"
@@ -716,6 +726,8 @@ options:
       --log-path PATH      Path for k8s-file log pipe
   -m, --mount HOST:DEST    Bind mount a read-only file inside a container
       --manual             Do not start container automatically after creation
+      --memory BYTES       Memory limit in bytes (supports K/M/G suffix)
+      --cpu-limit LIMIT    CPU limit in millicores (1000m = 100% of 1 core)
   -n, --name NAME          Alternative way of supplying name to start/stop/restart
       --privileged         Give container extended privileges
   -p, --publish PORT       Publish ports when creating container
@@ -836,6 +848,14 @@ while [ "$1" != "" ]; do
 	--manual)
 	    manual=true
 	    ;;
+	--memory)
+	    shift
+	    memory="$1"
+	    ;;
+	--cpu-limit)
+	    shift
+	    cpu_limit="$1"
+	    ;;
 	-n | --name)
 	    shift
 	    name="$1"

package/finit/0001-Increase-MAX_ID_LEN-to-support-longer-service-identi.patch

@@ -1,5 +1,5 @@
 # From https://github.com/troglobit/finit/releases/
-sha256  7c128119129324050ff7e5b56d0f33fa152fe254d035c0d0c6f72dc75d6786f3  finit-4.14.tar.gz
+sha256  7ccbcead4e3e6734c81a8c5445f4a27738f19a4ab367d702513a201db9b618c7  finit-4.15-rc1.tar.gz
 
 # Locally calculated
 sha256  868cb6c5414933a48db11186042cfe65c87480d326734bc6cf0e4b19b4a2e52a  LICENSE

package/finit/finit.hash

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-FINIT_VERSION = 4.14
+FINIT_VERSION = 4.15-rc1
 FINIT_SITE = https://github.com/troglobit/finit/releases/download/$(FINIT_VERSION)
 FINIT_LICENSE = MIT
 FINIT_LICENSE_FILES = LICENSE

package/finit/finit.mk

@@ -294,6 +294,25 @@ static int add(const char *name, struct lyd_node *cif)
 			fprintf(fp, " --checksum sha512:%s", string);
 	}
 
+	/* Add resource limits for Podman to enforce via cgroups */
+	node = lydx_get_descendant(lyd_child(cif), "resource-limit", NULL);
+	if (node) {
+		struct lyd_node *mem_node, *cpu_node;
+
+		/* Memory limit in KiB, Podman accepts with 'k' suffix */
+		mem_node = lydx_get_descendant(lyd_child(node), "memory", NULL);
+		if (mem_node)
+			fprintf(fp, " --memory %sk", lyd_get_value(mem_node));
+
+		/* CPU limit in millicores, convert to quota (microseconds per 100ms) */
+		cpu_node = lydx_get_descendant(lyd_child(node), "cpu", NULL);
+		if (cpu_node) {
+			uint32_t millicores = strtoul(lyd_get_value(cpu_node), NULL, 10);
+			uint32_t quota = millicores * 100;  /* 1000m → 100000µs, 2000m → 200000µs */
+			fprintf(fp, " --cpu-limit %u", quota);
+		}
+	}
+
 	fprintf(fp, " create %s %s", name, image);
 
  	if ((string = lydx_get_cattr(cif, "command")))

src/confd/src/containers.c

@@ -22,6 +22,13 @@ module infix-containers {
     prefix infix-sys;
   }
 
+  revision 2025-12-09 {
+    description "Add resource management:
+                  - Add resource-limit container with memory and cpu configuration.
+                  - Add resource-usage operational data for live resource usage statistics.";
+    reference "internal";
+  }
+
   revision 2025-10-12 {
     description "Two major changes:
                   - Add dedicated 'ident' type for container and volume names.
@@ -341,6 +348,86 @@ module infix-containers {
 	}
       }
 
+      container resource-limit {
+	description "Resource limits for the container.";
+
+	leaf memory {
+	  description "Maximum memory limit in kibibytes, default: unlimited.";
+	  type uint64;
+	  units "KiB";
+	}
+
+	leaf cpu {
+	  description "CPU limit in millicores, default: unlimited.
+
+                       Millicores represent thousandths of a CPU core:
+                         500  = 0.5 cores (50% of one core)
+                         1000 = 1.0 cores (one full core)
+                         2000 = 2.0 cores (two full cores)
+                         3500 = 3.5 cores
+
+                       This is converted to cgroup cpu.quota internally.";
+	  type uint32;
+	  units "millicores";
+	}
+      }
+
+      container resource-usage {
+	description "Runtime container resource usage statistics.";
+	config false;
+
+	leaf memory {
+	  description "Used memory in kibibytes.";
+	  type uint64;
+	  units "KiB";
+	}
+
+	leaf cpu {
+	  description "CPU usage percentage.";
+	  type decimal64 {
+	    fraction-digits 2;
+	  }
+	  units "percent";
+	}
+
+	container block-io {
+	  description "Block I/O statistics";
+
+	  leaf read {
+	    description "Block I/O read in kibibytes.";
+	    type uint64;
+	    units "KiB";
+	  }
+
+	  leaf write {
+	    description "Block I/O write in kibibytes.";
+	    type uint64;
+	    units "KiB";
+	  }
+	}
+
+	container net-io {
+	  description "Network I/O statistics";
+
+	  leaf received {
+	    description "Network I/O received in kibibytes.";
+	    type uint64;
+	    units "KiB";
+	  }
+
+	  leaf sent {
+	    description "Network I/O sent in kibibytes.";
+	    type uint64;
+	    units "KiB";
+	  }
+	}
+
+	leaf pids {
+	  description "Number of processes/threads.";
+	  type uint32;
+	}
+      }
+
       list mount {
         description "Files, content, and directories to mount inside container.";
         key name;

src/confd/yang/confd/infix-containers.yang

@@ -1,5 +1,5 @@
 # -*- sh -*-
 MODULES=(
     "infix-interfaces -e containers"
-    "infix-containers@2025-10-12.yang"
+    "infix-containers@2025-12-09.yang"
 )