CLI: Add support for rlimits (apple#1129)

Closes apple#1097.

Author: dcantah

Sources/Services/ContainerAPIService/Client/Flags.swift

@@ -61,6 +61,15 @@ public struct Flags {
             )
         )
         public var cwd: String?
+
+        @Option(
+            name: .customLong("ulimit"),
+            help: .init(
+                "Set resource limits (format: <type>=<soft>[:<hard>])",
+                valueName: "limit"
+            )
+        )
+        public var ulimits: [String] = []
     }
 
     public struct Resource: ParsableArguments {

Sources/Services/ContainerAPIService/Client/Parser.swift

@@ -281,14 +281,17 @@ public struct Parser {
             user: processFlags.user, uid: processFlags.uid,
             gid: processFlags.gid, defaultUser: defaultUser)
 
+        let rlimits = try Parser.rlimits(processFlags.ulimits)
+
         return .init(
             executable: commandToRun.first!,
             arguments: [String](commandToRun.dropFirst()),
             environment: envvars,
             workingDirectory: workingDir,
             terminal: processFlags.tty,
             user: user,
-            supplementalGroups: additionalGroups
+            supplementalGroups: additionalGroups,
+            rlimits: rlimits
         )
     }
 
@@ -867,6 +870,114 @@ public struct Parser {
         return !label.ranges(of: pattern).isEmpty
     }
 
+    // TODO: When containerization supports all 16 (minus AS as it's not great) add
+    // them here.
+    private static let ulimitNameToRlimit: [String: String] = [
+        "core": "RLIMIT_CORE",
+        "cpu": "RLIMIT_CPU",
+        "data": "RLIMIT_DATA",
+        "fsize": "RLIMIT_FSIZE",
+        "memlock": "RLIMIT_MEMLOCK",
+        "nofile": "RLIMIT_NOFILE",
+        "nproc": "RLIMIT_NPROC",
+        "rss": "RLIMIT_RSS",
+        "stack": "RLIMIT_STACK",
+    ]
+
+    /// Parse ulimit specifications into Rlimit objects
+    /// Format: <type>=<soft>[:<hard>]
+    /// Examples:
+    ///   - nofile=1024:2048  (soft=1024, hard=2048)
+    ///   - nofile=1024       (soft=hard=1024)
+    ///   - nofile=unlimited  (soft=hard=UINT64_MAX)
+    ///   - nofile=1024:unlimited (soft=1024, hard=UINT64_MAX)
+    public static func rlimits(_ rawUlimits: [String]) throws -> [ProcessConfiguration.Rlimit] {
+        var rlimits: [ProcessConfiguration.Rlimit] = []
+        var seenTypes: Set<String> = []
+
+        for ulimit in rawUlimits {
+            let rlimit = try Parser.rlimit(ulimit)
+            if seenTypes.contains(rlimit.limit) {
+                throw ContainerizationError(
+                    .invalidArgument,
+                    message: "duplicate ulimit type: \(ulimit.split(separator: "=").first ?? "")"
+                )
+            }
+            seenTypes.insert(rlimit.limit)
+            rlimits.append(rlimit)
+        }
+
+        return rlimits
+    }
+
+    /// Parse a single ulimit specification
+    public static func rlimit(_ ulimit: String) throws -> ProcessConfiguration.Rlimit {
+        let parts = ulimit.split(separator: "=", maxSplits: 1)
+        guard parts.count == 2 else {
+            throw ContainerizationError(
+                .invalidArgument,
+                message: "invalid ulimit format '\(ulimit)': expected <type>=<soft>[:<hard>]"
+            )
+        }
+
+        let typeName = String(parts[0]).lowercased()
+        let valuesPart = String(parts[1])
+
+        guard let rlimitType = ulimitNameToRlimit[typeName] else {
+            let validTypes = ulimitNameToRlimit.keys.sorted().joined(separator: ", ")
+            throw ContainerizationError(
+                .invalidArgument,
+                message: "unsupported ulimit type '\(typeName)': valid types are \(validTypes)"
+            )
+        }
+
+        let valueParts = valuesPart.split(separator: ":", maxSplits: 1)
+        let soft: UInt64
+        let hard: UInt64
+
+        switch valueParts.count {
+        case 1:
+            // Single value: use for both soft and hard
+            soft = try parseRlimitValue(String(valueParts[0]), typeName: typeName)
+            hard = soft
+        case 2:
+            // Two values: soft:hard
+            soft = try parseRlimitValue(String(valueParts[0]), typeName: typeName)
+            hard = try parseRlimitValue(String(valueParts[1]), typeName: typeName)
+        default:
+            throw ContainerizationError(
+                .invalidArgument,
+                message: "invalid ulimit format '\(ulimit)': expected <type>=<soft>[:<hard>]"
+            )
+        }
+
+        if soft > hard {
+            throw ContainerizationError(
+                .invalidArgument,
+                message: "ulimit '\(typeName)' soft limit (\(soft)) cannot exceed hard limit (\(hard))"
+            )
+        }
+
+        return ProcessConfiguration.Rlimit(limit: rlimitType, soft: soft, hard: hard)
+    }
+
+    private static func parseRlimitValue(_ value: String, typeName: String) throws -> UInt64 {
+        let trimmed = value.trimmingCharacters(in: .whitespaces).lowercased()
+
+        if trimmed == "unlimited" || trimmed == "-1" {
+            return UInt64.max
+        }
+
+        guard let parsed = UInt64(trimmed) else {
+            throw ContainerizationError(
+                .invalidArgument,
+                message: "invalid ulimit value '\(value)' for '\(typeName)': must be a non-negative integer or 'unlimited'"
+            )
+        }
+
+        return parsed
+    }
+
     // MARK: Miscellaneous
 
     public static func parseBool(string: String) -> Bool? {

Tests/CLITests/Subcommands/Run/TestCLIRunCommand.swift

@@ -201,6 +201,92 @@ class TestCLIRunCommand1: CLITest {
             return
         }
     }
+
+    @Test func testRunCommandUlimitNofile() throws {
+        do {
+            let name = getTestName()
+            let softLimit = "1024"
+            let hardLimit = "2048"
+            try doLongRun(name: name, args: ["--ulimit", "nofile=\(softLimit):\(hardLimit)"])
+            defer {
+                try? doStop(name: name)
+            }
+
+            let inspectResp = try inspectContainer(name)
+            let rlimits = inspectResp.configuration.initProcess.rlimits
+            let nofileRlimit = rlimits.first { $0.limit == "RLIMIT_NOFILE" }
+            #expect(nofileRlimit != nil, "expected RLIMIT_NOFILE to be set")
+            #expect(nofileRlimit?.soft == UInt64(softLimit), "expected soft limit \(softLimit), got \(nofileRlimit?.soft ?? 0)")
+            #expect(nofileRlimit?.hard == UInt64(hardLimit), "expected hard limit \(hardLimit), got \(nofileRlimit?.hard ?? 0)")
+
+            var output = try doExec(name: name, cmd: ["sh", "-c", "ulimit -n"])
+            output = output.trimmingCharacters(in: .whitespacesAndNewlines)
+            #expect(output == softLimit, "expected ulimit -n to return \(softLimit), got \(output)")
+
+            try doStop(name: name)
+        } catch {
+            Issue.record("failed to run container \(error)")
+            return
+        }
+    }
+
+    @Test func testRunCommandUlimitNproc() throws {
+        do {
+            let name = getTestName()
+            let limit = "256"
+            try doLongRun(name: name, args: ["--ulimit", "nproc=\(limit)"])
+            defer {
+                try? doStop(name: name)
+            }
+            let inspectResp = try inspectContainer(name)
+            let rlimits = inspectResp.configuration.initProcess.rlimits
+            let nprocRlimit = rlimits.first { $0.limit == "RLIMIT_NPROC" }
+            #expect(nprocRlimit != nil, "expected RLIMIT_NPROC to be set")
+            #expect(nprocRlimit?.soft == UInt64(limit), "expected soft limit \(limit), got \(nprocRlimit?.soft ?? 0)")
+            #expect(nprocRlimit?.hard == UInt64(limit), "expected hard limit \(limit), got \(nprocRlimit?.hard ?? 0)")
+
+            var output = try doExec(name: name, cmd: ["sh", "-c", "ulimit -u"])
+            output = output.trimmingCharacters(in: .whitespacesAndNewlines)
+            #expect(output == limit, "expected ulimit -u to return \(limit), got \(output)")
+
+            try doStop(name: name)
+        } catch {
+            Issue.record("failed to run container \(error)")
+            return
+        }
+    }
+
+    @Test func testRunCommandMultipleUlimits() throws {
+        do {
+            let name = getTestName()
+            try doLongRun(
+                name: name,
+                args: [
+                    "--ulimit", "nofile=1024:2048",
+                    "--ulimit", "nproc=512",
+                    "--ulimit", "stack=8388608",
+                ])
+            defer {
+                try? doStop(name: name)
+            }
+            let inspectResp = try inspectContainer(name)
+            let rlimits = inspectResp.configuration.initProcess.rlimits
+            #expect(rlimits.count == 3, "expected 3 rlimits, got \(rlimits.count)")
+
+            let nofile = rlimits.first { $0.limit == "RLIMIT_NOFILE" }
+            let nproc = rlimits.first { $0.limit == "RLIMIT_NPROC" }
+            let stack = rlimits.first { $0.limit == "RLIMIT_STACK" }
+
+            #expect(nofile != nil && nofile?.soft == 1024 && nofile?.hard == 2048)
+            #expect(nproc != nil && nproc?.soft == 512 && nproc?.hard == 512)
+            #expect(stack != nil && stack?.soft == 8_388_608 && stack?.hard == 8_388_608)
+
+            try doStop(name: name)
+        } catch {
+            Issue.record("failed to run container \(error)")
+            return
+        }
+    }
 }
 
 class TestCLIRunCommand2: CLITest {