From 59897367c4685b58b80e02ced0f66d4de8f7e9ea Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Mon, 4 May 2020 19:19:46 -0700
Subject: [PATCH] cgroups/systemd: allow to set -1 as pids.limit

Currently, both systemd cgroup drivers (v1 and v2) only set
"TasksMax" unit property if the value > 0, so there is no
way to update the limit to -1 / unlimited / infinity / max.

Since systemd driver is backed by fs driver, and both fs and fs2
set the limit of -1 properly, it works, but systemd still has
the old value:

 # runc --systemd-cgroup update $CT --pids-limit 42
 # systemctl show runc-$CT.scope | grep TasksMax
 TasksMax=42
 # cat /sys/fs/cgroup/system.slice/runc-$CT.scope/pids.max
 42

 # ./runc --systemd-cgroup update $CT --pids-limit -1
 # systemctl show runc-$CT.scope | grep TasksMax=
 TasksMax=42
 # cat /sys/fs/cgroup/system.slice/runc-xx77.scope/pids.max
 max

Fix by changing the condition to allow -1 as a valid value.

NOTE other negative values are still being ignored by systemd drivers
(as it was done before). I am not sure whether this is correct, or
should we return an error.

A test case is added.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 libcontainer/cgroups/systemd/v1.go | 2 +-
 libcontainer/cgroups/systemd/v2.go | 2 +-
 tests/integration/update.bats      | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/libcontainer/cgroups/systemd/v1.go b/libcontainer/cgroups/systemd/v1.go
index a805f72c..5d324133 100644
--- a/libcontainer/cgroups/systemd/v1.go
+++ b/libcontainer/cgroups/systemd/v1.go
@@ -125,7 +125,7 @@ func genV1ResourcesProperties(c *configs.Cgroup) ([]systemdDbus.Property, error)
 			newProp("BlockIOWeight", uint64(c.Resources.BlkioWeight)))
 	}
 
-	if c.Resources.PidsLimit > 0 {
+	if c.Resources.PidsLimit > 0 || c.Resources.PidsLimit == -1 {
 		properties = append(properties,
 			newProp("TasksAccounting", true),
 			newProp("TasksMax", uint64(c.Resources.PidsLimit)))
diff --git a/libcontainer/cgroups/systemd/v2.go b/libcontainer/cgroups/systemd/v2.go
index b929e880..2fcf312a 100644
--- a/libcontainer/cgroups/systemd/v2.go
+++ b/libcontainer/cgroups/systemd/v2.go
@@ -92,7 +92,7 @@ func genV2ResourcesProperties(c *configs.Cgroup) ([]systemdDbus.Property, error)
 			newProp("CPUQuotaPerSecUSec", cpuQuotaPerSecUSec))
 	}
 
-	if c.Resources.PidsLimit > 0 {
+	if c.Resources.PidsLimit > 0 || c.Resources.PidsLimit == -1 {
 		properties = append(properties,
 			newProp("TasksAccounting", true),
 			newProp("TasksMax", uint64(c.Resources.PidsLimit)))
diff --git a/tests/integration/update.bats b/tests/integration/update.bats
index ca47f850..76d931f5 100644
--- a/tests/integration/update.bats
+++ b/tests/integration/update.bats
@@ -161,6 +161,12 @@ EOF
     check_cgroup_value "pids.max" 10
     check_systemd_value "TasksMax" 10
 
+    # unlimited
+    runc update test_update --pids-limit -1
+    [ "$status" -eq 0 ]
+    check_cgroup_value "pids.max" max
+    check_systemd_value "TasksMax" $SD_UNLIMITED
+
     # Revert to the test initial value via json on stdin
     runc update  -r - test_update <<EOF
 {