author | 2021-01-10 14:43:09 -0800 | |
---|---|---|
committer | 2021-01-10 17:04:59 -0800 | |
commit | c6319db3c5f2931055979c3cbfe2fc271aa47a17 (patch) | |
tree | 57092a85781d67bf15a7cb1134c70c947a4ac462 | |
parent | Add error handling to reading of the nsjail config (diff) |
Add comments to justify why cgroup limits are set manually
-rw-r--r-- | snekbox/nsjail.py | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/snekbox/nsjail.py b/snekbox/nsjail.py
index d5659e5..3d88336 100644
--- a/snekbox/nsjail.py
+++ b/snekbox/nsjail.py
@@ -83,11 +83,17 @@ class NsJail:
 mem.mkdir(parents=True, exist_ok=True)
 # Swap limit cannot be set to a value lower than memory.limit_in_bytes.
- # Therefore, this must be set first.
+ # Therefore, this must be set before the swap limit.
+ #
+ # Since child cgroups are dynamically created, the swap limit has to be set on the parent
+ # instead so that children inherit it. Given the swap's dependency on the memory limit,
+ # the memory limit must also be set on the parent. NsJail only sets the memory limit for
+ # child cgroups, not the parent.
 (mem / "memory.limit_in_bytes").write_text(mem_max, encoding="utf-8")
 try:
 # Swap limit is specified as the sum of the memory and swap limits.
+ # Therefore, setting it equal to the memory limit effectively disables swapping.
 (mem / "memory.memsw.limit_in_bytes").write_text(mem_max, encoding="utf-8")
 except PermissionError:
 log.warning( |
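Review bot: The comments added around the `memory.memsw.limit_in_bytes` write explain why the swap limit is set equal to the memory limit, but nothing documents what is lost when the `except PermissionError` branch is taken. That branch appears only to log and continue, so the jail presumably runs with `memory.limit_in_bytes` applied and no combined memory+swap cap; on a host with swap enabled, sandboxed code could then use memory beyond `mem_max`. I would add a comment above the `try:` such as `# If this write fails the swap cap is not applied; jailed code may then exceed mem_max through swap.` The warning text and the rest of the method lie outside the hunk, so confirm whether the log message already states this.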