docker: clamp CPU shares to minimum of 2 (#26081)

In #25963 we added normalization of CPU shares for large hosts where the total compute was larger than the maximum CPU shares. But if the result after normalization is less than 2, runc will have an integer overflow. We prevent this in the shared executor for the `exec`/`rawexec` driver by clamping to the safe minimum value. Do this for the `docker` driver as well and add test coverage of it for the shared executor too. Fixes: https://github.com/hashicorp/nomad/issues/26080 Ref: https://github.com/hashicorp/nomad/pull/25963
2026-01-01 16:05:42 +03:00 · 2025-06-19 13:48:06 -04:00
parent 7bfc04576a
commit c8dcd3c2db
4 changed files with 21 additions and 1 deletions
--- a/drivers/shared/executor/executor_linux_test.go
+++ b/drivers/shared/executor/executor_linux_test.go
@@ -1089,6 +1089,9 @@ func TestExecutor_clampCPUShares(t *testing.T) {
 	le.compute.TotalCompute = MaxCPUShares + 1
 	must.Eq(t, 262143, le.clampCpuShares(MaxCPUShares))

+	le.compute.TotalCompute = MaxCPUShares + 1
+	must.Eq(t, 2, le.clampCpuShares(1))
+
 	le.compute = cpustats.Compute{TotalCompute: MaxCPUShares * 2}
 	must.Eq(t, 500, le.clampCpuShares(1000))
 	must.Eq(t, MaxCPUShares/2, le.clampCpuShares(MaxCPUShares))