opencontainers · askervin · Nov 4, 2025 · Nov 6, 2025 · Nov 6, 2025 · Apr 22, 2025
@@ -539,7 +539,7 @@ func (cg *CgroupV1) GetMemoryData(pid int, cgPath string) (*rspec.LinuxMemory, e
 				return nil, err
 			}
 			kernelLimit := res
-			lm.Kernel = &kernelLimit
+			lm.Kernel = &kernelLimit //nolint:staticcheck // Ignore SA1019: lm.Kernel is deprecated
 		case 4:
 			res, err := strconv.ParseInt(strings.TrimSpace(string(contents)), 10, 64)
 			if err != nil {
@@ -671,6 +671,11 @@ func (cg *CgroupV1) GetPidsData(pid int, cgPath string) (*rspec.LinuxPids, error
 	if err != nil {
 		return nil, err
 	}
+	if strings.TrimSpace(string(contents)) == "max" {
+		res := int64(-1)
+		lp.Limit = &res
+		return lp, nil
+	}
 	res, err := strconv.ParseInt(strings.TrimSpace(string(contents)), 10, 64)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -679,7 +684,7 @@ func (cg *CgroupV1) GetPidsData(pid int, cgPath string) (*rspec.LinuxPids, error
 
 		return nil, err
 	}
-	lp.Limit = res
+	lp.Limit = &res
 
 	return lp, nil
 }
@@ -16,6 +16,8 @@ import (
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/runtime-tools/generate/seccomp"
 	"github.com/urfave/cli"
+
+	mpolCheck "github.com/opencontainers/runtime-tools/validate/memorypolicy"
 )
 
 var generateFlags = []cli.Flag{
@@ -64,6 +66,9 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "linux-mems", Usage: "list of memory nodes in the cpuset (default is to use any available memory node)"},
 	cli.Uint64Flag{Name: "linux-mem-swap", Usage: "total memory limit (memory + swap) (in bytes)"},
 	cli.Uint64Flag{Name: "linux-mem-swappiness", Usage: "how aggressive the kernel will swap memory pages (Range from 0 to 100)"},
+	cli.StringFlag{Name: "linux-memorypolicy-mode", Usage: "memory policy defines from which nodes memory is allocated by default, e.g MPOL_INTERLEAVE"},
+	cli.StringFlag{Name: "linux-memorypolicy-nodes", Usage: "memory nodes related to the linux-memorypolicy-mode, e.g 0-3,7"},
+	cli.StringSliceFlag{Name: "linux-memorypolicy-flags", Usage: "optional memory policy mode flags, e.g MPOL_F_STATIC_NODES"},
 	cli.StringFlag{Name: "linux-mount-label", Usage: "selinux mount context label"},
 	cli.StringSliceFlag{Name: "linux-namespace-add", Usage: "adds a namespace to the set of namespaces to create or join of the form 'ns[:path]'"},
 	cli.StringSliceFlag{Name: "linux-namespace-remove", Usage: "removes a namespace from the set of namespaces to create or join of the form 'ns'"},
@@ -782,6 +787,35 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.SetLinuxResourcesMemorySwappiness(context.Uint64("linux-mem-swappiness"))
 	}
 
+	if context.IsSet("linux-memorypolicy-mode") {
+		mpolMode := context.String("linux-memorypolicy-mode")
+		if err := mpolCheck.MpolModeValid(mpolMode); err != nil {
+			return err
+		}
+		g.SetLinuxMemoryPolicyMode(mpolMode)
+	}
+
+	if context.IsSet("linux-memorypolicy-nodes") {
+		g.SetLinuxMemoryPolicyNodes(context.String("linux-memorypolicy-nodes"))
+	}
+
+	if context.IsSet("linux-memorypolicy-flags") {
+		mpolFlags := context.StringSlice("linux-memorypolicy-flags")
+		for _, flag := range mpolFlags {
+			if err := mpolCheck.MpolFlagValid(flag); err != nil {
+				return err
+			}
+		}
+		g.SetLinuxMemoryPolicyFlags(mpolFlags)
+	}
+
+	if g.Config.Linux.MemoryPolicy != nil {
+		// Validating memory policy nodes needs mode as a context.
+		if err := mpolCheck.MpolModeNodesValid(g.Config.Linux.MemoryPolicy.Mode, g.Config.Linux.MemoryPolicy.Nodes); err != nil {
+			return err
+		}
+	}
+
 	if context.IsSet("linux-network-classid") {
 		g.SetLinuxResourcesNetworkClassID(uint32(context.Int("linux-network-classid")))
 	}

@@ -109,6 +109,13 @@ func (g *Generator) initConfigLinuxResourcesMemory() {
 	}
 }
 
+func (g *Generator) initConfigLinuxMemoryPolicy() {
+	g.initConfigLinux()
+	if g.Config.Linux.MemoryPolicy == nil {
+		g.Config.Linux.MemoryPolicy = &rspec.LinuxMemoryPolicy{}
+	}
+}
+
 func (g *Generator) initConfigLinuxResourcesNetwork() {
 	g.initConfigLinuxResources()
 	if g.Config.Linux.Resources.Network == nil {

@@ -26,6 +26,12 @@ var (
 	}
 )
 
+const (
+	// UnlimitedPidsLimit can be passed to SetLinuxResourcesPidsLimit to
+	// request unlimited PIDs.
+	UnlimitedPidsLimit int64 = -1
+)
+
 // Generator represents a generator for a container config.
 type Generator struct {
 	Config       *rspec.Spec
@@ -911,7 +917,7 @@ func (g *Generator) SetLinuxResourcesMemorySwap(swap int64) {
 // SetLinuxResourcesMemoryKernel sets g.Config.Linux.Resources.Memory.Kernel.
 func (g *Generator) SetLinuxResourcesMemoryKernel(kernel int64) {
 	g.initConfigLinuxResourcesMemory()
-	g.Config.Linux.Resources.Memory.Kernel = &kernel
+	g.Config.Linux.Resources.Memory.Kernel = &kernel //nolint:staticcheck // Ignore SA1019: g.Config.Linux.Resources.Memory.Kernel is deprecated
 }
 
 // SetLinuxResourcesMemoryKernelTCP sets g.Config.Linux.Resources.Memory.KernelTCP.
@@ -926,6 +932,26 @@ func (g *Generator) SetLinuxResourcesMemorySwappiness(swappiness uint64) {
 	g.Config.Linux.Resources.Memory.Swappiness = &swappiness
 }
 
+// SetLinuxMemoryPolicyMode sets g.Config.Linux.MemoryPolicy.Mode
+func (g *Generator) SetLinuxMemoryPolicyMode(mode string) {
+	g.initConfigLinuxMemoryPolicy()
+	g.Config.Linux.MemoryPolicy.Mode = rspec.MemoryPolicyModeType(mode)
+}
+
+// SetLinuxMemoryPolicyNodes sets g.Config.Linux.MemoryPolicy.Nodes
+func (g *Generator) SetLinuxMemoryPolicyNodes(nodes string) {
+	g.initConfigLinuxMemoryPolicy()
+	g.Config.Linux.MemoryPolicy.Nodes = nodes
+}
+
+// SetLinuxMemoryPolicyFlags sets g.Config.Linux.MemoryPolicy.Flags
+func (g *Generator) SetLinuxMemoryPolicyFlags(flags []string) {
+	g.initConfigLinuxMemoryPolicy()
+	for _, flag := range flags {
+		g.Config.Linux.MemoryPolicy.Flags = append(g.Config.Linux.MemoryPolicy.Flags, rspec.MemoryPolicyFlagType(flag))
+	}
+}
+
 // SetLinuxResourcesMemoryDisableOOMKiller sets g.Config.Linux.Resources.Memory.DisableOOMKiller.
 func (g *Generator) SetLinuxResourcesMemoryDisableOOMKiller(disable bool) {
 	g.initConfigLinuxResourcesMemory()
@@ -970,7 +996,7 @@ func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) {
 // SetLinuxResourcesPidsLimit sets g.Config.Linux.Resources.Pids.Limit.
 func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) {
 	g.initConfigLinuxResourcesPids()
-	g.Config.Linux.Resources.Pids.Limit = limit
+	g.Config.Linux.Resources.Pids.Limit = &limit
 }
 
 // ClearLinuxSysctl clears g.Config.Linux.Sysctl.
@@ -1060,13 +1086,13 @@ func (g *Generator) ClearPreStartHooks() {
 	if g.Config == nil || g.Config.Hooks == nil {
 		return
 	}
-	g.Config.Hooks.Prestart = []rspec.Hook{}
+	g.Config.Hooks.Prestart = []rspec.Hook{} //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated
 }
 
 // AddPreStartHook add a prestart hook into g.Config.Hooks.Prestart.
 func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) {
 	g.initConfigHooks()
-	g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook)
+	g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook) //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated
 }
 
 // ClearPostStopHooks clear g.Config.Hooks.Poststop.

@@ -10,7 +10,7 @@ require (
 	github.com/moby/sys/capability v0.4.0
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/mrunalp/fileutils v0.5.0
-	github.com/opencontainers/runtime-spec v1.1.0
+	github.com/opencontainers/runtime-spec v1.3.0
 	github.com/opencontainers/selinux v1.9.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.3.0

@@ -11,14 +11,14 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b h1:Ga1nclDSe8gOw37MVLMhfu2QKWtD6gvtQ298zsKVh8g=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
-github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
-github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk=
 github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
+github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
+github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
+github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.9.1 h1:b4VPEF3O5JLZgdTDBmGepaaIbAo0GqoF6EBRq5f/g3Y=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

@@ -0,0 +1,67 @@
+package memorypolicy
+
+import (
+	"fmt"
+	"strings"
+
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+var (
+	knownModes map[rspec.MemoryPolicyModeType]struct{} = map[rspec.MemoryPolicyModeType]struct{}{
+		rspec.MpolDefault:            {},
+		rspec.MpolBind:               {},
+		rspec.MpolInterleave:         {},
+		rspec.MpolWeightedInterleave: {},
+		rspec.MpolPreferred:          {},
+		rspec.MpolPreferredMany:      {},
+		rspec.MpolLocal:              {},
+	}
+
+	knownModeFlags map[rspec.MemoryPolicyFlagType]struct{} = map[rspec.MemoryPolicyFlagType]struct{}{
+		rspec.MpolFNumaBalancing: {},
+		rspec.MpolFRelativeNodes: {},
+		rspec.MpolFStaticNodes:   {},
+	}
+)
+
+// MpolModeValid checks if the provided memory policy mode is valid.
+func MpolModeValid(mode string) error {
+	if !strings.HasPrefix(mode, "MPOL_") {
+		return fmt.Errorf("memory policy mode %q must start with 'MPOL_'", mode)
+	}
+	if _, ok := knownModes[rspec.MemoryPolicyModeType(mode)]; !ok {
+		return fmt.Errorf("invalid memory policy mode %q", mode)
+	}
+	return nil
+}
+
+// MpolModeNodesValid checks if the nodes specification is valid for the given memory policy mode.
+func MpolModeNodesValid(mode rspec.MemoryPolicyModeType, nodes string) error {
+	switch mode {
+	case rspec.MpolDefault, rspec.MpolLocal:
+		if nodes != "" {
+			return fmt.Errorf("memory policy mode %q must not have nodes specified", mode)
+		}
+	case rspec.MpolBind, rspec.MpolInterleave, rspec.MpolWeightedInterleave, rspec.MpolPreferred, rspec.MpolPreferredMany:
+		if nodes == "" {
+			return fmt.Errorf("memory policy mode %q must have nodes specified", mode)
+		}
+	case "":
+		return fmt.Errorf("memory policy mode must be specified")
+	default:
+		return fmt.Errorf("unknown memory policy mode %q ", mode)
+	}
+	return nil
+}
+
+// MpolFlagValid checks if the provided memory policy flag is valid.
+func MpolFlagValid(flag string) error {
+	if !strings.HasPrefix(flag, "MPOL_F_") {
+		return fmt.Errorf("memory policy flag %q must start with 'MPOL_F_'", flag)
+	}
+	if _, ok := knownModeFlags[rspec.MemoryPolicyFlagType(flag)]; !ok {
+		return fmt.Errorf("invalid memory policy flag %q", flag)
+	}
+	return nil
+}
@@ -275,7 +275,7 @@ func (v *Validator) CheckHooks() (errs error) {
 	}
 
 	if v.spec.Hooks != nil {
-		errs = multierror.Append(errs, v.checkEventHooks("prestart", v.spec.Hooks.Prestart, v.HostSpecific))
+		errs = multierror.Append(errs, v.checkEventHooks("prestart", v.spec.Hooks.Prestart, v.HostSpecific)) //nolint:staticcheck // Ignore SA1019: v.Spec.Hooks.Prestart is deprecated
 		errs = multierror.Append(errs, v.checkEventHooks("poststart", v.spec.Hooks.Poststart, v.HostSpecific))
 		errs = multierror.Append(errs, v.checkEventHooks("poststop", v.spec.Hooks.Poststop, v.HostSpecific))
 	}

@@ -14,6 +14,7 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
 	"github.com/opencontainers/runtime-tools/specerror"
+	mpolCheck "github.com/opencontainers/runtime-tools/validate/memorypolicy"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
@@ -220,5 +221,18 @@ func (v *Validator) CheckLinux() (errs error) {
 		}
 	}
 
+	if v.spec.Linux.MemoryPolicy != nil {
+		if err := mpolCheck.MpolModeValid(string(v.spec.Linux.MemoryPolicy.Mode)); err != nil {
+			errs = multierror.Append(errs, err)
+		} else if err := mpolCheck.MpolModeNodesValid(v.spec.Linux.MemoryPolicy.Mode, v.spec.Linux.MemoryPolicy.Nodes); err != nil {
+			errs = multierror.Append(errs, err)
+		}
+		for _, flag := range v.spec.Linux.MemoryPolicy.Flags {
+			if err := mpolCheck.MpolFlagValid(string(flag)); err != nil {
+				errs = multierror.Append(errs, err)
+			}
+		}
+	}
+
 	return
 }
@@ -31,11 +31,11 @@ func ValidateLinuxResourcesMemory(config *rspec.Spec, t *tap.T, state *rspec.Sta
 	t.Ok(*lm.Swap == *config.Linux.Resources.Memory.Swap, "memory swap is set correctly")
 	t.Diagnosticf("expect: %d, actual: %d", *config.Linux.Resources.Memory.Swap, *lm.Reservation)
 
-	t.Ok(*lm.Kernel == *config.Linux.Resources.Memory.Kernel, "memory kernel is set correctly")
-	t.Diagnosticf("expect: %d, actual: %d", *config.Linux.Resources.Memory.Kernel, *lm.Kernel)
+	t.Ok(*lm.Kernel == *config.Linux.Resources.Memory.Kernel, "memory kernel is set correctly") //nolint:staticcheck // Ignore SA1019: lm.Kernel is deprecated
+	t.Diagnosticf("expect: %d, actual: %d", *config.Linux.Resources.Memory.Kernel, *lm.Kernel)  //nolint:staticcheck // Ignore SA1019: config.Linux.Resources.Memory.Kernel is deprecated
 
 	t.Ok(*lm.KernelTCP == *config.Linux.Resources.Memory.KernelTCP, "memory kernelTCP is set correctly")
-	t.Diagnosticf("expect: %d, actual: %d", *config.Linux.Resources.Memory.KernelTCP, *lm.Kernel)
+	t.Diagnosticf("expect: %d, actual: %d", *config.Linux.Resources.Memory.KernelTCP, *lm.Kernel) //nolint:staticcheck // Ignore SA1019: lm.Kernel is deprecated
 
 	t.Ok(*lm.Swappiness == *config.Linux.Resources.Memory.Swappiness, "memory swappiness is set correctly")
 	t.Diagnosticf("expect: %d, actual: %d", *config.Linux.Resources.Memory.Swappiness, *lm.Swappiness)