Enforce cgroup limits at pod level

rawahars · rawahars · commit 4ab361bf9af2 · 2026-01-09T02:39:30.000+05:30
Signed-off-by: Harsh Rawat &lt;harshrawat@microsoft.com&gt;
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
@@ -322,7 +322,7 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 					}).Info("No memory limit found in sandbox container spec")
 				}
 
-				if err := h.CreateVirtualPod(ctx, virtualPodID, virtualPodID, networkNamespace, memoryLimit); err != nil {
+				if err := h.CreateVirtualPod(ctx, virtualPodID, virtualPodID, networkNamespace, settings.OCISpecification); err != nil {
 					return nil, errors.Wrapf(err, "failed to create virtual pod %s", virtualPodID)
 				}
 			}
@@ -1305,7 +1305,7 @@ func (h *Host) InitializeVirtualPodSupport(virtualPodsCgroup cgroups.Cgroup) {
 }
 
 // CreateVirtualPod creates a new virtual pod with its own cgroup and network namespace
-func (h *Host) CreateVirtualPod(ctx context.Context, virtualSandboxID, masterSandboxID, networkNamespace string, memoryLimit *int64) error {
+func (h *Host) CreateVirtualPod(ctx context.Context, virtualSandboxID, masterSandboxID, networkNamespace string, pSpec *specs.Spec) error {
 	h.virtualPodsMutex.Lock()
 	defer h.virtualPodsMutex.Unlock()
 
@@ -1327,18 +1327,15 @@ func (h *Host) CreateVirtualPod(ctx context.Context, virtualSandboxID, masterSan
 	}
 	cgroupPath := path.Join(parentPath, virtualSandboxID)
 
-	// Create the cgroup for this virtual pod with memory limit if provided
+	// Create the cgroup for this virtual pod with resource limits if provided
 	resources := &specs.LinuxResources{}
-	if memoryLimit != nil {
-		resources.Memory = &specs.LinuxMemory{
-			Limit: memoryLimit,
-		}
+	if pSpec != nil && pSpec.Linux != nil && pSpec.Linux.Resources != nil {
+		resources = pSpec.Linux.Resources
 		logrus.WithFields(logrus.Fields{
 			"virtualSandboxID": virtualSandboxID,
-			"memoryLimit":      *memoryLimit,
-		}).Info("Creating virtual pod with memory limit")
+		}).Info("Creating virtual pod with specified resources")
 	} else {
-		logrus.WithField("virtualSandboxID", virtualSandboxID).Info("Creating virtual pod without memory limit")
+		logrus.WithField("virtualSandboxID", virtualSandboxID).Info("Creating pod cgroup with default resources as none were specified")
 	}
 
 	cgroupControl, err := cgroups.New(cgroups.StaticPath(cgroupPath), resources)
diff --git a/internal/hcsoci/hcsdoc_lcow.go b/internal/hcsoci/hcsdoc_lcow.go
@@ -38,6 +38,19 @@ func createLCOWSpec(ctx context.Context, coi *createOptionsInternal) (*specs.Spe
 	// Hooks are not supported (they should be run in the host)
 	spec.Hooks = nil
 
+	// Set default CPU period and quota if not set for LCOW containers.
+	if spec.Linux != nil &&
+		spec.Linux.Resources != nil &&
+		spec.Linux.Resources.CPU != nil {
+
+		if spec.Linux.Resources.CPU.Period != nil && *spec.Linux.Resources.CPU.Period == 0 {
+			*spec.Linux.Resources.CPU.Period = 100000 // Default CPU period
+		}
+		if spec.Linux.Resources.CPU.Quota != nil && *spec.Linux.Resources.CPU.Quota == 0 {
+			*spec.Linux.Resources.CPU.Quota = -1 // No CPU limit
+		}
+	}
+
 	// Clear unsupported features
 	spec.Linux.CgroupsPath = "" // GCS controls its cgroups hierarchy on its own.
 	if spec.Linux.Resources != nil {
