Merge branch 'gitlab-runner-docker-ulimit-docker-ulimit'

Author: saracen

common/config.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strconv"
 	"strings"
 	"time"
 
@@ -222,6 +223,7 @@ type DockerConfig struct {
 	HelperImageFlavor          string             `toml:"helper_image_flavor,omitempty" json:"helper_image_flavor" long:"helper-image-flavor" env:"DOCKER_HELPER_IMAGE_FLAVOR" description:"Set helper image flavor (alpine, ubuntu), defaults to alpine"`
 	ContainerLabels            map[string]string  `toml:"container_labels,omitempty" json:"container_labels,omitempty" long:"container-labels" description:"A toml table/json object of key-value. Value is expected to be a string. When set, this will create containers with the given container labels. Environment variables will be substituted for values here."`
 	EnableIPv6                 bool               `toml:"enable_ipv6,omitempty" json:"enable_ipv6" long:"enable-ipv6" description:"Enable IPv6 for automatically created networks. This is only takes affect when the feature flag FF_NETWORK_PER_BUILD is enabled."`
+	Ulimit                     map[string]string  `toml:"ulimit,omitempty" json:"ulimit" long:"ulimit" env:"DOCKER_ULIMIT" description:"Ulimit options for container"`
 }
 
 type InstanceConfig struct {
@@ -432,6 +434,35 @@ func (c KubernetesConfig) ConvertFromDockerPullPolicy(dockerPullPolicies []Docke
 	return policies, nil
 }
 
+func (c *DockerConfig) GetUlimits() ([]*units.Ulimit, error) {
+	ulimits := make([]*units.Ulimit, 0, len(c.Ulimit))
+
+	for tp, limits := range c.Ulimit {
+		ulimit := units.Ulimit{
+			Name: tp,
+		}
+
+		before, after, ok := strings.Cut(limits, ":")
+
+		var err error
+		ulimit.Soft, err = strconv.ParseInt(before, 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("invalid soft limit value: %w", err)
+		}
+
+		ulimit.Hard = ulimit.Soft
+		if ok {
+			ulimit.Hard, err = strconv.ParseInt(after, 10, 64)
+			if err != nil {
+				return nil, fmt.Errorf("invalid soft limit value: %w", err)
+			}
+		}
+
+		ulimits = append(ulimits, &ulimit)
+	}
+	return ulimits, nil
+}
+
 type KubernetesDNSPolicy string
 
 // Get returns one of the predefined values in kubernetes notation or an error if the value is not matched.

docs/configuration/advanced-configuration.md

@@ -324,6 +324,7 @@ The following settings define the Docker container parameters.
 | `tls_verify`                   | Enable or disable TLS verification of connections to Docker daemon. Disabled by default. |
 | `user`                         | Run all commands in the container as the specified user. |
 | `userns_mode`                  | The user namespace mode for the container and Docker services when user namespace remapping option is enabled. Available in Docker 1.10 or later. |
+| `ulimit`                       | Ulimit values that are passed to the container. Uses the same syntax as the Docker `--ulimit` flag. |
 | `volumes`                      | Additional volumes that should be mounted. Same syntax as the Docker `-v` flag. |
 | `volumes_from`                 | A list of volumes to inherit from another container in the form ``<container name>[:<ro|rw>]``. Access level defaults to read-write, but can be manually set to `ro` (read-only) or `rw` (read-write). |
 | `volume_driver`                | The volume driver to use for the container. |
@@ -375,6 +376,8 @@ Example:
   links = ["mysql_container:mysql"]
   allowed_images = ["ruby:*", "python:*", "php:*"]
   allowed_services = ["postgres:9", "redis:*", "mysql:*"]
+  [runners.docker.ulimit]
+    "rtprio" = "99"
   [[runners.docker.services]]
     name = "registry.example.com/svc1"
     alias = "svc1"

executors/docker/docker.go

@@ -624,6 +624,11 @@ func (e *executor) createHostConfig() (*container.HostConfig, error) {
 			"the valid values are: 'process', 'hyperv', 'default' and an empty string", isolation)
 	}
 
+	ulimits, err := e.Config.Docker.GetUlimits()
+	if err != nil {
+		return nil, err
+	}
+
 	return &container.HostConfig{
 		Resources: container.Resources{
 			Memory:            e.Config.Docker.GetMemory(),
@@ -636,6 +641,7 @@ func (e *executor) createHostConfig() (*container.HostConfig, error) {
 			DeviceRequests:    e.deviceRequests,
 			OomKillDisable:    e.Config.Docker.GetOomKillDisable(),
 			DeviceCgroupRules: e.Config.Docker.DeviceCgroupRules,
+			Ulimits:           ulimits,
 		},
 		DNS:           e.Config.Docker.DNS,
 		DNSSearch:     e.Config.Docker.DNSSearch,

executors/docker/docker_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/go-units"
 	logrustest "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -1120,6 +1121,63 @@ func TestDockerSysctlsSetting(t *testing.T) {
 	testDockerConfigurationWithJobContainer(t, dockerConfig, cce)
 }
 
+func TestDockerUlimitSetting(t *testing.T) {
+	dockerConfig := &common.DockerConfig{}
+
+	tests := map[string]struct {
+		ulimit         map[string]string
+		expectedUlimit []*units.Ulimit
+		expectedError  bool
+	}{
+		"soft and hard values": {
+			ulimit: map[string]string{
+				"nofile": "1024:2048",
+			},
+			expectedUlimit: []*units.Ulimit{
+				{
+					Name: "nofile",
+					Soft: 1024,
+					Hard: 2048,
+				},
+			},
+			expectedError: false,
+		},
+		"single limit value": {
+			ulimit: map[string]string{
+				"nofile": "1024",
+			},
+			expectedUlimit: []*units.Ulimit{
+				{
+					Name: "nofile",
+					Soft: 1024,
+					Hard: 1024,
+				},
+			},
+			expectedError: false,
+		},
+		"invalid limit value": {
+			ulimit: map[string]string{
+				"nofile": "a",
+			},
+			expectedError: true,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			dockerConfig.Ulimit = test.ulimit
+
+			ulimits, err := dockerConfig.GetUlimits()
+			if test.expectedError {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.Equal(t, ulimits, test.expectedUlimit)
+		})
+	}
+}
+
 type testAllowedPrivilegedJobDescription struct {
 	expectedPrivileged bool
 	privileged         bool