Some refactoring on PidsLimit

[thaJeztah]

Some follow-ups to #38791 (first commit is #38791)

Normalize values for pids-limit

• Don't set PidsLimit when creating a container and no limit was set (or the limit was set to "unlimited")
• Don't set PidsLimit if the host does not have pids-limit support (previously "unlimited" was set).
• Do not generate a warning if the host does not have pids-limit support, but pids-limit was set to unlimited (having no limit set, or the limit set to "unlimited" is equivalent, so no warning is nescessary in that case).
• When updating a container, convert 0, and -1 to "unlimited" (0).

Update TestUpdatePidsLimit to be more atomic

Create a new container for each subtest, so that individual subtests are self-contained, and there's no need to execute them in the exact order, or resetting the container in between.

This makes the test slower (6.54s vs 3.43s), but reduced the difference by using network=host, which made a substantial difference (without network=host, the test took more than twice as long: 13.96s).

[codecov]

Codecov Report

Merging #38793 into master will decrease coverage by <.01%.
The diff coverage is 22.22%.

@@            Coverage Diff             @@
##           master   #38793      +/-   ##
==========================================
- Coverage   36.47%   36.46%   -0.01%     
==========================================
  Files         613      613              
  Lines       45814    45845      +31     
==========================================
+ Hits        16709    16716       +7     
- Misses      26823    26848      +25     
+ Partials     2282     2281       -1

[thaJeztah]

Was in doubt if I should change this to a non-pointer to make it easier to use (and if no limit is needed, don't pass WithPidsLimit())

[cpuguy83]

I can see both ways here. In the end I think making a pointer is simpler than dealing with filtering options... e.g.

opts := []ConfigOpts{WithFoo,WithBar}
if hasLimit {
  opts = append(opts, WithPidsLimit(limit))
}
container.Run(..., opts...)

[MHBauer]

needs rebase on #38791 I think?

[MHBauer]

seems like a valid choice. we're not doing anything with the network here.

[MHBauer]

good comment

[MHBauer]

nice cleanup of the comment.

[thaJeztah]

rebased; PTAL

[cpuguy83]

Oy, the more I look at this the more I'm worried about the change we made to support updates for pids limit.

This change LGTM, though.

[cpuguy83]

nit: I don't think this is needed at this point.

[thaJeztah]

hm.. possibly; I might have run into a situation where it was nil, but perhaps that was when I was working on the test. Don't think it hurts to have it 😅

[thaJeztah]

Oy, the more I look at this the more I'm worried about the change we made to support updates for pids limit.

I was trying to make the flow more consistent (some attempts in #38676). I think one of the problems we have currently is that in many cases, the (Host-)Config we store on disk is reflecting the JSON we sent over the API. Perhaps this was the design, but it means that API conventions trickle down all the way into the daemon, so when converting that config to an OCI spec, we have to keep the API conventions ("over the wire format") into account.

I've been following some of the code-paths, and validation of values is interweaved throughout the codebase; here's some notes I was taking;

-> postContainersCreate
  -> containerRouter.decoder.DecodeConfig
    -> runconfig.decodeContainerConfig
      -> ContainerConfigWrapper.getHostConfig (modifies config for backward-compatibility)
      -> validateNetMode
        -> validateNetContainerMode
      -> validateIsolation
      -> validateQoS
      -> validateResources (checks if kernel supports requested options)
      -> validatePrivileged (platform-specific validation; error on Windows for privileged)
      -> validateReadonlyRootfs (platform-specific validation; error on Windows as it's not supported)
  -> do some manipulation of values related to API versions
  -> backend.ContainerCreate
    -> daemon.containerCreate
      -> daemon.adaptContainerSettings (updates passed configuration, also does some validation)
      -> daemon.validateContainerConfig
        -> translateWorkingDir (modifies working-dir based on platform)
      -> daemon.validateContainerHostConfig
        -> validateHostConfig
        -> verifyPlatformContainerSettings
      -> daemon.verifyNetworkingConfig

I think what would be nice if we would handle the API "conversion" in the API code (where possible), so that the config as stored on disk could more easily be converted to an OCI-spec without having to handle those conversions (again), and an "update" would be more of a "reconciliation". Validation might become easier then as well.

Probably that would be problematic for upgrade scenarios (configs created by older versions of the daemon), and there's likely many things I didn't consider.

Also; I keep looking at our tests, and thinking that the client we use in our tests has a much nicer interface than the API client (with the functional arguments) (disclaimer: I've become a bit of a fan of those 😅)

[MHBauer]

I thought I had decoupled the API, but it looks like it's back to sharing structs.

LGTM