Summary
Currently, rlimits are only applied per-exec command via setrlimit() in the child process after fork() (crates/agentd/lib/session.rs). Users want the ability to set default rlimits at the VM/sandbox level so that every process inherits them automatically.
Current behavior
Rlimits must be specified on each exec invocation via the exec_with closure:
```rust
sb.exec_with("my-cmd", |e| {
    e.args(["arg"])
        .rlimit(RlimitResource::Nofile, 1024)
        .rlimit_range(RlimitResource::Nproc, 512, 4096)
}).await?;
```
Desired behavior
Rlimits can be set at the sandbox level and apply to all processes:
```rust
SandboxBuilder::new("my-sandbox")
    .image("alpine:latest")
    .rlimit(RlimitResource::Nofile, 1024)
    .rlimit_range(RlimitResource::Nproc, 512, 4096)
    .build()
    .await?;
```
Per-exec rlimits should still work and override the defaults.
Context
Many services expect system-wide resource limits to be set at init level rather than per-process.
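
Added example, not part of the original issue and not the project's code: a small model of the requested precedence, where sandbox-level defaults are inherited and per-exec rlimits override them, including the `setrlimit()` rules that decide whether an override can succeed. The names `Resource`, `Limits`, `limits` and `resolve` are hypothetical, and it assumes `rlimit(res, n)` sets soft and hard to the same value.

```rust
// Added example; `Resource`, `Limits`, `limits` and `resolve` are
// hypothetical stand-ins, not the project's types or API.
use std::collections::BTreeMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Resource { Nofile, Nproc }

/// (soft, hard) pair as passed to setrlimit().
pub type Limit = (u64, u64);
pub type Limits = BTreeMap<Resource, Limit>;

pub fn limits(items: &[(Resource, Limit)]) -> Limits {
    items.iter().cloned().collect()
}

/// Limits a child would run with: per-exec entries replace the sandbox
/// default for the same resource, everything else is inherited.
/// `privileged` models CAP_SYS_RESOURCE in the process calling setrlimit().
pub fn resolve(defaults: &Limits, per_exec: &Limits, privileged: bool) -> Result<Limits, String> {
    let mut out = defaults.clone();
    for (&res, &(soft, hard)) in per_exec {
        if soft > hard {
            // setrlimit() rejects soft > hard with EINVAL.
            return Err(format!("{:?}: soft {} exceeds hard {}", res, soft, hard));
        }
        // Resources without a sandbox default are not checked here: their
        // inherited hard limit is unknown to this model.
        if let Some(&(_, inherited)) = defaults.get(&res) {
            // Raising an inherited hard limit needs privilege (else EPERM).
            if hard > inherited && !privileged {
                return Err(format!("{:?}: hard {} above inherited {}", res, hard, inherited));
            }
        }
        out.insert(res, (soft, hard));
    }
    Ok(out)
}

fn main() {
    // Constructed values mirroring the issue's snippets; assumes
    // rlimit(res, n) means soft = hard = n.
    let defaults = limits(&[(Resource::Nofile, (1024, 1024)), (Resource::Nproc, (512, 4096))]);
    let per_exec = limits(&[(Resource::Nofile, (256, 256))]);
    println!("{:?}", resolve(&defaults, &per_exec, false));
}
```

If the defaults are applied at init and inherited, a per-exec override that raises a hard limit only works when the process calling `setrlimit()` holds `CAP_SYS_RESOURCE`; lowering always works.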