From 14fd8401a2a1016d48b275b44239bf78cc2aefd8 Mon Sep 17 00:00:00 2001
From: Lantao Liu <lantaol@google.com>
Date: Fri, 23 Jun 2017 01:23:43 +0000
Subject: [PATCH] Set sandbox container resource limit.

Signed-off-by: Lantao Liu <lantaol@google.com>
---
 pkg/server/helpers.go          | 4 ++++
 pkg/server/sandbox_run.go      | 3 ++-
 pkg/server/sandbox_run_test.go | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/server/helpers.go b/pkg/server/helpers.go
index 3f5572be6..dca23130d 100644
--- a/pkg/server/helpers.go
+++ b/pkg/server/helpers.go
@@ -57,6 +57,10 @@ const (
 const (
 	// defaultSandboxImage is the image used by sandbox container.
 	defaultSandboxImage = "gcr.io/google_containers/pause:3.0"
+	// defaultSandboxOOMAdj is default omm adj for sandbox container. (kubernetes#47938).
+	defaultSandboxOOMAdj = -998
+	// defaultSandboxCPUshares is default cpu shares for sandbox container.
+	defaultSandboxCPUshares = 2
 	// defaultShmSize is the default size of the sandbox shm.
 	defaultShmSize = int64(1024 * 1024 * 64)
 	// relativeRootfsPath is the rootfs path relative to bundle path.
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index 1e30af323..46b35b49e 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -326,7 +326,8 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 
 	// TODO(random-liu): [P2] Set apparmor and seccomp from annotations.
 
-	// TODO(random-liu): [P1] Set default sandbox container resource limit.
+	g.SetLinuxResourcesCPUShares(uint64(defaultSandboxCPUshares))
+	g.SetLinuxResourcesOOMScoreAdj(int(defaultSandboxOOMAdj))
 
 	return g.Spec(), nil
 }
diff --git a/pkg/server/sandbox_run_test.go b/pkg/server/sandbox_run_test.go
index e2b4e2df5..24c5c6cd9 100644
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
@@ -68,6 +68,8 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 		assert.Contains(t, spec.Process.Env, "a=b", "c=d")
 		assert.Equal(t, []string{"/pause", "forever"}, spec.Process.Args)
 		assert.Equal(t, "/workspace", spec.Process.Cwd)
+		assert.EqualValues(t, *spec.Linux.Resources.CPU.Shares, defaultSandboxCPUshares)
+		assert.EqualValues(t, *spec.Linux.Resources.OOMScoreAdj, defaultSandboxOOMAdj)
 	}
 	return config, imageConfig, specCheck
 }