Skip to content

runtime-spec: update pids.limit handling to match new guidance #4949

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

runtime-spec: update pids.limit handling to match new guidance #4949

wants to merge 3 commits into from
+166 −36

Conversation

@cyphar
Copy link
Member

@cyphar cyphar commented Oct 22, 2025
edited
Loading

Draft until opencontainers/cgroups#48 is merged.

The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Fixes #4014
Closes #4015
Closes #4023
Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar added this to the 1.4.0 milestone Oct 22, 2025
@cyphar cyphar marked this pull request as draft October 22, 2025 13:01
@cyphar cyphar mentioned this pull request Oct 22, 2025
Draft
@cyphar cyphar force-pushed the pids-limit-0 branch 2 times, most recently from 0cad003 to 53c6f1b Compare October 23, 2025 00:50
@cyphar
Copy link
Member Author

cyphar commented Oct 23, 2025

Given how close we are to 1.4.0, we should punt this for 1.4.1.

@cyphar cyphar modified the milestones: 1.4.0, 1.4.1 Oct 23, 2025
@cyphar cyphar mentioned this pull request Oct 24, 2025
Open
@cyphar cyphar force-pushed the pids-limit-0 branch 5 times, most recently from ae5145b to 9cbc6a3 Compare October 24, 2025 05:31
@cyphar cyphar modified the milestones: 1.4.1, 1.4.0 Oct 24, 2025
cyphar added 3 commits October 26, 2025 01:53
@cyphar
runtime-spec: update pids.limit handling to match new guidance
b932238 
The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
tests: add pids.limit tests
bd85a0f 
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
man: update 'runc update --pids-limit' text
cefb4e7 
Signed-off-by: Aleksa Sarai <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.4.0

Development

Successfully merging this pull request may close these issues.

Undefined (and potentially incorrect) behavior when pids limit is set to 0

1 participant

@cyphar