containers · openshift-merge-robot · Oct 12, 2020 · Sep 28, 2020
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
@@ -28,13 +28,16 @@ import (
 	"github.com/sirupsen/logrus"
 	v1apps "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 )
 
 const (
 	// https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
 	kubeDirectoryPermission = 0755
 	// https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
 	kubeFilePermission = 0644
+	// Kubernetes sets CPUPeriod to 100000us (100ms): https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
+	defaultCPUPeriod = 100000
 )
 
 func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options entities.PlayKubeOptions) (*entities.PlayKubeReport, error) {
@@ -506,6 +509,27 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 	// but apply to the containers with the prefixed name
 	securityConfig.SeccompProfilePath = seccompPaths.findForContainer(containerYAML.Name)
 
+	var err error
+	milliCPU, err := quantityToInt64(containerYAML.Resources.Limits.Cpu())
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to set CPU quota")
+	}
+	if milliCPU > 0 {
+		containerConfig.Resources.CPUPeriod = defaultCPUPeriod
+		// CPU quota is a fraction of the period: milliCPU / 1000.0 * period
+		// Or, without floating point math:
+		containerConfig.Resources.CPUQuota = milliCPU * defaultCPUPeriod / 1000
+	}
+
+	containerConfig.Resources.Memory, err = quantityToInt64(containerYAML.Resources.Limits.Memory())
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to set memory limit")
+	}
+	containerConfig.Resources.MemoryReservation, err = quantityToInt64(containerYAML.Resources.Requests.Memory())
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to set memory reservation")
+	}
+
 	containerConfig.Command = []string{}
 	if imageData != nil && imageData.Config != nil {
 		containerConfig.Command = imageData.Config.Entrypoint
@@ -748,3 +772,15 @@ func verifySeccompPath(path string, profileRoot string) (string, error) {
 		return "", errors.Errorf("invalid seccomp path: %s", path)
 	}
 }
+
+func quantityToInt64(quantity *resource.Quantity) (int64, error) {
+	if i, ok := quantity.AsInt64(); ok {
+		return i, nil
+	}
+
+	if i, ok := quantity.AsDec().Unscaled(); ok {
+		return i, nil
+	}
+
+	return 0, errors.Errorf("Quantity cannot be represented as int64: %v", quantity)
+}
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
@@ -612,6 +612,15 @@ func SkipIfRootlessCgroupsV1(reason string) {
 	}
 }
 
+func SkipIfUnprevilegedCPULimits() {
+	info := GetHostDistributionInfo()
+	if isRootless() &&
+		info.Distribution == "fedora" &&
+		(info.Version == "31" || info.Version == "32") {
+		ginkgo.Skip("Rootless Fedora doesn't have permission to set CPU limits before version 33")
+	}
+}
+
 func SkipIfRootless(reason string) {
 	checkReason(reason)
 	if os.Geteuid() != 0 {

diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"text/template"
 
@@ -111,7 +112,19 @@ spec:
     image: {{ .Image }}
     name: {{ .Name }}
     imagePullPolicy: {{ .PullPolicy }}
-    resources: {}
+    {{- if or .CpuRequest .CpuLimit .MemoryRequest .MemoryLimit }}
+    resources:
+      {{- if or .CpuRequest .MemoryRequest }}
+      requests:
+        {{if .CpuRequest }}cpu: {{ .CpuRequest }}{{ end }}
+        {{if .MemoryRequest }}memory: {{ .MemoryRequest }}{{ end }}
+      {{- end }}
+      {{- if or .CpuLimit .MemoryLimit }}
+      limits:
+        {{if .CpuLimit }}cpu: {{ .CpuLimit }}{{ end }}
+        {{if .MemoryLimit }}memory: {{ .MemoryLimit }}{{ end }}
+      {{- end }}
+    {{- end }}
     {{ if .SecurityContext }}
     securityContext:
       allowPrivilegeEscalation: true
@@ -223,7 +236,19 @@ spec:
         image: {{ .Image }}
         name: {{ .Name }}
         imagePullPolicy: {{ .PullPolicy }}
-        resources: {}
+        {{- if or .CpuRequest .CpuLimit .MemoryRequest .MemoryLimit }}
+        resources:
+          {{- if or .CpuRequest .MemoryRequest }}
+          requests:
+            {{if .CpuRequest }}cpu: {{ .CpuRequest }}{{ end }}
+            {{if .MemoryRequest }}memory: {{ .MemoryRequest }}{{ end }}
+          {{- end }}
+          {{- if or .CpuLimit .MemoryLimit }}
+          limits:
+            {{if .CpuLimit }}cpu: {{ .CpuLimit }}{{ end }}
+            {{if .MemoryLimit }}memory: {{ .MemoryLimit }}{{ end }}
+          {{- end }}
+        {{- end }}
         {{ if .SecurityContext }}
         securityContext:
           allowPrivilegeEscalation: true
@@ -261,6 +286,8 @@ var (
 	defaultDeploymentName = "testDeployment"
 	defaultConfigMapName  = "testConfigMap"
 	seccompPwdEPERM       = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+	// CPU Period in ms
+	defaultCPUPeriod = 100
 )
 
 func writeYaml(content string, fileName string) error {
@@ -503,6 +530,10 @@ type Ctr struct {
 	Image           string
 	Cmd             []string
 	Arg             []string
+	CpuRequest      string
+	CpuLimit        string
+	MemoryRequest   string
+	MemoryLimit     string
 	SecurityContext bool
 	Caps            bool
 	CapAdd          []string
@@ -521,7 +552,25 @@ type Ctr struct {
 // getCtr takes a list of ctrOptions and returns a Ctr with sane defaults
 // and the configured options
 func getCtr(options ...ctrOption) *Ctr {
-	c := Ctr{defaultCtrName, defaultCtrImage, defaultCtrCmd, defaultCtrArg, true, false, nil, nil, "", "", "", false, "", "", false, []Env{}, []EnvFrom{}}
+	c := Ctr{
+		Name:            defaultCtrName,
+		Image:           defaultCtrImage,
+		Cmd:             defaultCtrCmd,
+		Arg:             defaultCtrArg,
+		SecurityContext: true,
+		Caps:            false,
+		CapAdd:          nil,
+		CapDrop:         nil,
+		PullPolicy:      "",
+		HostIP:          "",
+		Port:            "",
+		VolumeMount:     false,
+		VolumeMountPath: "",
+		VolumeName:      "",
+		VolumeReadOnly:  false,
+		Env:             []Env{},
+		EnvFrom:         []EnvFrom{},
+	}
 	for _, option := range options {
 		option(&c)
 	}
@@ -548,6 +597,30 @@ func withImage(img string) ctrOption {
 	}
 }
 
+func withCpuRequest(request string) ctrOption {
+	return func(c *Ctr) {
+		c.CpuRequest = request
+	}
+}
+
+func withCpuLimit(limit string) ctrOption {
+	return func(c *Ctr) {
+		c.CpuLimit = limit
+	}
+}
+
+func withMemoryRequest(request string) ctrOption {
+	return func(c *Ctr) {
+		c.MemoryRequest = request
+	}
+}
+
+func withMemoryLimit(limit string) ctrOption {
+	return func(c *Ctr) {
+		c.MemoryLimit = limit
+	}
+}
+
 func withSecurityContext(sc bool) ctrOption {
 	return func(c *Ctr) {
 		c.SecurityContext = sc
@@ -648,7 +721,12 @@ type EnvFrom struct {
 	From string
 }
 
-var _ = Describe("Podman generate kube", func() {
+func milliCPUToQuota(milliCPU string) int {
+	milli, _ := strconv.Atoi(strings.Trim(milliCPU, "m"))
+	return milli * defaultCPUPeriod
+}
+
+var _ = Describe("Podman play kube", func() {
 	var (
 		tempdir    string
 		err        error
@@ -1324,4 +1402,49 @@ spec:
 			Expect(inspect.OutputToString()).To(ContainSubstring(correctLabels))
 		}
 	})
+
+	It("podman play kube allows setting resource limits", func() {
+		SkipIfContainerized("Resource limits require a running systemd")
+		SkipIfRootlessCgroupsV1("Limits require root or cgroups v2")
+		SkipIfUnprevilegedCPULimits()
+		podmanTest.CgroupManager = "systemd"
+
+		var (
+			numReplicas           int32  = 3
+			expectedCpuRequest    string = "100m"
+			expectedCpuLimit      string = "200m"
+			expectedMemoryRequest string = "10000000"
+			expectedMemoryLimit   string = "20000000"
+		)
+
+		expectedCpuQuota := milliCPUToQuota(expectedCpuLimit)
+
+		deployment := getDeployment(
+			withReplicas(numReplicas),
+			withPod(getPod(withCtr(getCtr(
+				withCpuRequest(expectedCpuRequest),
+				withCpuLimit(expectedCpuLimit),
+				withMemoryRequest(expectedMemoryRequest),
+				withMemoryLimit(expectedMemoryLimit),
+			)))))
+		err := generateKubeYaml("deployment", deployment, kubeYaml)
+		Expect(err).To(BeNil())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube.ExitCode()).To(Equal(0))
+
+		for _, pod := range getPodNamesInDeployment(deployment) {
+			inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(&pod), "--format", `
+CpuPeriod: {{ .HostConfig.CpuPeriod }}
+CpuQuota: {{ .HostConfig.CpuQuota }}
+Memory: {{ .HostConfig.Memory }}
+MemoryReservation: {{ .HostConfig.MemoryReservation }}`})
+			inspect.WaitWithDefaultTimeout()
+			Expect(inspect.ExitCode()).To(Equal(0))
+			Expect(inspect.OutputToString()).To(ContainSubstring(fmt.Sprintf("%s: %d", "CpuQuota", expectedCpuQuota)))
+			Expect(inspect.OutputToString()).To(ContainSubstring("MemoryReservation: " + expectedMemoryRequest))
+			Expect(inspect.OutputToString()).To(ContainSubstring("Memory: " + expectedMemoryLimit))
+		}
+	})
 })