Merge pull request #16 from storageos/max-pids

Report effective max pid limit and optionally block if required minimum not met.
storageos · Oct 14, 2020 · 19cf38e · 19cf38e
2 parents 18be8b5 + 069fe83
commit 19cf38e
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 5 deletions.
diff --git a/daemonset.yaml b/daemonset.yaml
@@ -73,6 +73,10 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: MINIMUM_MAX_PIDS_LIMIT
+            value: "1024"          
+          - name: RECOMMENDED_MAX_PIDS_LIMIT
+            value: "4096"          
         volumeMounts:
           - name: kernel-modules
             mountPath: /lib/modules

diff --git a/e2e.sh b/e2e.sh
@@ -2,6 +2,8 @@
 
 set -Eeuxo pipefail
 
+cluster="init"
+
 prepare_host() {
     sudo apt -y update
     sudo apt -y install linux-modules-extra-$(uname -r)
@@ -18,12 +20,14 @@ run_kind() {
     curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/"${K8S_VERSION}"/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/
     echo
 
-    echo "Create Kubernetes cluster with kind..."
-    # kind create cluster --image=kindest/node:"$K8S_VERSION"
-    kind create cluster --image storageos/kind-node:"$K8S_VERSION" --name kind-1
+    if [ $(kind get clusters | grep -c ^$cluster$) -eq 0 ]; then
+        echo "Create Kubernetes cluster with kind..."
+        # kind create cluster --image=kindest/node:"$K8S_VERSION"
+        kind create cluster --image storageos/kind-node:"$K8S_VERSION" --name "$cluster"
+    fi
 
     echo "Export kubeconfig..."
-    kind get kubeconfig --name="kind-1" > kubeconfig.yaml
+    kind get kubeconfig --name="$cluster" > kubeconfig.yaml
     export KUBECONFIG="kubeconfig.yaml"
     echo
 
@@ -50,7 +54,7 @@ main() {
     echo
 
     # Copy the init container image into KinD.
-    x=$(docker ps -f name=kind-1-control-plane -q)
+    x=$(docker ps -f name=${cluster}-control-plane -q)
     docker save storageos/init:test > init.tar
     docker cp init.tar $x:/init.tar
 
@@ -82,6 +86,7 @@ main() {
 
     echo "Checking init container exit code"
     exitCode=$(kubectl get pod $stospod --no-headers -o go-template='{{(index .status.initContainerStatuses 0).state.terminated.exitCode}}')
+    kubectl delete -f daemonset.yaml
     if [ "$exitCode" == "0" ]; then
         echo "init successful!"
         exit 0

diff --git a/scripts/02-limits/limits.sh b/scripts/02-limits/limits.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+# For a directory containeing the cgroup slice information, return the value of
+# pids.max, or 0 if set to "max". Return -1 exit code if the file doesn't exist.
+function read_max_pids() {
+    if [ ! -f ${1}/pids.max ]; then
+        return -1
+    fi
+    local max_pids=$(<${1}/pids.max)
+    if [ $max_pids == "max" ]; then
+        echo 0
+        return
+    fi
+    echo $max_pids
+}
+
+default_max_pids_limit=999999999
+max_pids_limit=$default_max_pids_limit
+dirprefix="/sys/fs/cgroup/pids"
+
+for cg in $(grep :pids: /proc/self/cgroup); do
+    # Parse out the slice field from the cgroup output.
+    # <cgroup_id>:<subystem>:<slice>
+    dirsuffix=$(echo "$cg" | awk -F\: '{print $3}')
+
+    # The slice field can have a prefix that is not part of the directory path.
+    # This must be stripped iteratively until we find the valid slice directory.
+    while [ ! -d "${dirprefix}/${dirsuffix}" ]; do
+        dirsuffix=${dirsuffix#*/}
+    done
+    dir="${dirprefix}/${dirsuffix}"
+
+    # Start at the current cgroup and traverse up the directory hierarchy
+    # reading max.pids in each.  The lowest value will be the effective max.pids
+    # value.
+    while [ -f "${dir}/pids.max" ]; do
+        max_pids=$(read_max_pids "${dir}")
+        if [[ $max_pids -gt 0 && $max_pids -lt $max_pids_limit ]]; then
+            max_pids_limit=$max_pids
+        fi
+        dir="${dir}/.."
+    done
+done
+
+# TBC: Don't fail if we can't determine limit.
+if [ $max_pids_limit -eq $default_max_pids_limit ]; then
+    echo "WARNING: Unable to determine effective max.pids limit"
+    exit 0
+fi
+
+# Fail if MINIMUM_MAX_PIDS_LIMIT is set and is greater than current limit.
+if [[ -n "${MINIMUM_MAX_PIDS_LIMIT}" && $MINIMUM_MAX_PIDS_LIMIT -gt $max_pids_limit ]]; then
+    echo "ERROR: Effective max.pids limit ($max_pids_limit) less than MINIMUM_MAX_PIDS_LIMIT ($MINIMUM_MAX_PIDS_LIMIT)"
+    exit 1
+fi
+
+if [ -n "${RECOMMENDED_MAX_PIDS_LIMIT}" ]; then
+    if [ $RECOMMENDED_MAX_PIDS_LIMIT -gt $max_pids_limit ]; then
+        echo "WARNING: Effective max.pids limit ($max_pids_limit) less than RECOMMENDED_MAX_PIDS_LIMIT ($RECOMMENDED_MAX_PIDS_LIMIT)"
+    else
+        echo "OK: Effective max.pids limit ($max_pids_limit) at least RECOMMENDED_MAX_PIDS_LIMIT ($RECOMMENDED_MAX_PIDS_LIMIT)"
+    fi
+    exit 0
+fi
+
+# No requirements set, just output current limit.
+echo "Effective max.pids limit: $max_pids_limit"