CPU limit in play kube doesn't work

[tyler92]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Limitation of CPU consumption doesn't work if it's used in play kube yaml.

Steps to reproduce the issue:

1. Create to following yaml:

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: my-pod
  name: my-pod
spec:
  containers:
  - name: app
    image: debian
    command:
    - /bin/bash
    args:
    - "-c"
    - "while true; do echo 123 > /dev/null; done" 
    resources:
      limits:
        cpu: 300m # 30% of one core

2. Launch podman play kube with this yaml.

3. Observe CPU load for container.

Describe the results you received:

CPU load is about 100%.

Describe the results you expected:

CPU load is about 30%.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Client:       Podman Engine
Version:      4.3.0-dev
API Version:  4.3.0-dev
Go Version:   go1.17.8
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/arm

Output of podman info:

host:
  arch: arm
  buildahVersion: 1.27.0
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - pids
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: unknown'
  cpuUtilization:
    idlePercent: 87.12
    systemPercent: 10.63
    userPercent: 2.24
  cpus: 4
  distribution:
    distribution: buildroot
    version: "2022.02"
  eventLogger: journald
  hostname: comm99-dev
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.14.98
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 180031488
  memTotal: 511803392
  networkBackend: cni
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 1.4.3
      commit: 61c9600d1335127eba65632731e2d72bc3f0b9e8
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 0h 17m 39.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 6
    paused: 0
    running: 0
    stopped: 6
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /opt/containers/storage
  graphRootAllocated: 29639618560
  graphRootUsed: 3874271232
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 35
  runRoot: /run/containers/storage
  volumePath: /opt/containers/storage/volumes
version:
  APIVersion: 4.3.0-dev
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.17.8
  Os: linux
  OsArch: linux/arm
  Version: 4.3.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

manual build

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

[tyler92]

This feature works well with v3.4.7. SA #11803

[giuseppe]

thanks for the report, I might have messed things up with #11803. Would you mind testing the current patch?

diff --git a/libpod/kube.go b/libpod/kube.go
index 1f4831006..b3ba5d405 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -720,7 +720,7 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []
 			period := *c.config.Spec.Linux.Resources.CPU.Period
 
 			if quota > 0 && period > 0 {
-				cpuLimitMilli := int64(1000 * util.PeriodAndQuotaToCores(period, quota))
+				cpuLimitMilli := 1000 * int64(util.PeriodAndQuotaToCores(period, quota))
 
 				// Kubernetes: precision finer than 1m is not allowed
 				if cpuLimitMilli >= 1 {
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 9fd0adecf..904467527 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -212,7 +212,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 		return nil, fmt.Errorf("failed to set CPU quota: %w", err)
 	}
 	if milliCPU > 0 {
-		period, quota := util.CoresToPeriodAndQuota(float64(milliCPU))
+		period, quota := util.CoresToPeriodAndQuota(float64(milliCPU) / 1000)
 		s.ResourceLimits.CPU = &spec.LinuxCPU{
 			Quota:  &quota,
 			Period: &period,

[tyler92]

Opened PR with fix #15728 (changes like yours, but a little slightly different).