feat(host): set cgroup pids.max of container (#21051)

pkg/apis/container.go

@@ -67,6 +67,7 @@ type ContainerSpec struct {
 	Privileged         bool                      `json:"privileged"`
 	Lifecyle           *ContainerLifecyle        `json:"lifecyle"`
 	CgroupDevicesAllow []string                  `json:"cgroup_devices_allow"`
+	CgroupPidsMax      int                       `json:"cgroup_pids_max"`
 	SimulateCpu        bool                      `json:"simulate_cpu"`
 	ShmSizeMB          int                       `json:"shm_size_mb"`
 	SecurityContext    *ContainerSecurityContext `json:"security_context,omitempty"`

pkg/hostman/guestman/pod.go

@@ -782,6 +782,11 @@ func (s *sPodGuestInstance) StartContainer(ctx context.Context, userCred mcclien
 	if err := s.setContainerCgroupDevicesAllow(criId, input.Spec.CgroupDevicesAllow); err != nil {
 		return nil, errors.Wrap(err, "set cgroup devices allow")
 	}
+	if input.Spec.CgroupPidsMax > 0 {
+		if err := s.getCGUtil().SetPidsMax(criId, input.Spec.CgroupPidsMax); err != nil {
+			return nil, errors.Wrap(err, "set cgroup pids.max")
+		}
+	}
 	if err := s.doContainerStartPostLifecycle(ctx, criId, input); err != nil {
 		return nil, errors.Wrap(err, "do container lifecycle")
 	}

pkg/util/pod/cgroup.go

@@ -31,6 +31,7 @@ type CgroupUtil interface {
 	SetMemoryLimitBytes(ctrId string, bytes int64) error
 	SetCPUCfs(ctrId string, quota int64, period int64) error
 	SetDevicesAllow(ctrId string, allows []string) error
+	SetPidsMax(ctrId string, max int) error
 }
 
 type podCgroupV1Util struct {
@@ -86,3 +87,8 @@ func (p podCgroupV1Util) SetDevicesAllow(ctrId string, allows []string) error {
 	}
 	return nil
 }
+
+func (p podCgroupV1Util) SetPidsMax(ctrId string, max int) error {
+	pidFp := p.getContainerCGFilePath("pids", ctrId, "pids.max")
+	return p.write(pidFp, fmt.Sprintf("%d", max))
+}