[security] enforce process limits at a per-container level to avoid abusive clients impacting other instances

This commit is contained in:
Dane Everitt
2021-06-20 16:54:00 -07:00
parent c0063d2c61
commit e0078eee0a
3 changed files with 32 additions and 15 deletions


@@ -486,6 +486,7 @@ func (e *Environment) convertMounts() []mount.Mount {
func (e *Environment) resources() container.Resources {
l := e.Configuration.Limits()
pids := l.ProcessLimit()
return container.Resources{
Memory: l.BoundedMemoryLimit(),
@@ -497,5 +498,6 @@ func (e *Environment) resources() container.Resources {
BlkioWeight: l.IoWeight,
OomKillDisable: &l.OOMDisabled,
CpusetCpus: l.Threads,
PidsLimit: &pids,
}
}
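Review bot: `PidsLimit: &pids` always hands Docker a non-nil pointer, and for Docker's `container.Resources` a limit of 0 (and, on newer Engine versions, -1) means "unlimited" rather than "leave the default", so if `ProcessLimit()` can return 0 for an unconfigured value (its body is not in this diff) such a server gets no pids cgroup at all — the very situation the commit title says it wants to prevent. Either `ProcessLimit()` should guarantee a positive fallback, or the assignment should be guarded so the field is only set when `pids > 0`, and the chosen behaviour should be written down next to the field, e.g. `// PidsLimit: Docker treats 0/-1 as unlimited, so a zero ProcessLimit() disables the cap entirely.` It is also worth noting in that comment that the kernel's pids controller counts tasks, i.e. threads as well as processes, so a thread-heavy but legitimate server can trip a limit that looks generous when read as "processes". `resources()` is cut by the rendered view: its declaration is in the first hunk, its closing brace here, and the middle of the returned struct literal lies between them.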