The original commit adding support for process limits only wired
up address space, max files and resident set size limits. This
is not sufficient to enable nova to protect qemu-img commands
against malicious images.
This commit adds support for the remaining limits supported
by python: core file size, cpu time, data size, file size,
locked memory size, max processes and stack size.
Related-bug: #1449062
Change-Id: I164c4b35e1357a0f80ed7fe00a7ae8f49df92e31
Add a new oslo_concurrency.prlimit module which is written to be used
on the command line:
python -m oslo_concurrency.prlimit --rss=RSS -- program arg1 ...
This module calls setrlimit() to restrict the resources and then
executes the program. Its command line is written to be the same than
the Linux prlimit system program.
Add a new ProcessLimits class processutils: resource limits on a
process.
Add an optional prlimit parameter to process_utils.execute(). If the
parameter is used, wrap the command through the new oslo_concurrency
prlimit wrapper.
Linux provides a prlimit command line tool which implements the same
feature (and even more), but it requires util-linux v2.21, and
OpenStack targets other operating systems like Solaris and FreeBSD.
Change-Id: Ib40aa62958ab9c157a2bd51d7ff3edb445556285
Related-Bug: 1449062