From: Michal Koutný Date: Mon, 14 Aug 2023 17:59:57 +0000 (+0200) Subject: cgroup: Restrict effective limits with global resource provision X-Git-Tag: v256-rc1~1320^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F28797%2Fhead;p=thirdparty%2Fsystemd.git cgroup: Restrict effective limits with global resource provision Global resource (whole system or root cg's (e.g. in a container)) is also a well-defined limit for memory and tasks, take it into account when calculating effective limits. --- diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index bd8b6a5719d..c2aa5b57e82 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -438,7 +438,7 @@ CPUWeight=20 DisableControllers=cpu / \ memory.max control group attribute. For details about this control group attribute, see Memory Interface Files. The effective configuration is reported as EffectiveMemoryMax= (the value is - the most stringent limit of the unit and parent slices). + the most stringent limit of the unit and parent slices and it is capped by physical memory). While StartupMemoryMax= applies to the startup and shutdown phases of the system, MemoryMax= applies to normal runtime of the system, and if the former is not set also to diff --git a/src/core/cgroup.c b/src/core/cgroup.c index f7b776337ae..60a8a550871 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -4253,6 +4253,17 @@ static uint64_t unit_get_effective_limit_one(Unit *u, CGroupLimitType type) { assert(u); assert(UNIT_HAS_CGROUP_CONTEXT(u)); + if (unit_has_name(u, SPECIAL_ROOT_SLICE)) + switch (type) { + case CGROUP_LIMIT_MEMORY_MAX: + case CGROUP_LIMIT_MEMORY_HIGH: + return physical_memory(); + case CGROUP_LIMIT_TASKS_MAX: + return system_tasks_max(); + default: + assert_not_reached(); + } + cc = unit_get_cgroup_context(u); switch (type) { /* Note: on legacy/hybrid hierarchies memory_max stays CGROUP_LIMIT_MAX unless configured