From 9524bab228048ba764d9867923878b6c334fbdff Mon Sep 17 00:00:00 2001
From: Harsh Rawat <harshrawat@microsoft.com>
Date: Fri, 9 Jan 2026 02:36:59 +0530
Subject: [PATCH] Enforce cgroup limits at pod level

Signed-off-by: Harsh Rawat <harshrawat@microsoft.com>
---
 internal/guest/runtime/hcsv2/uvm.go | 36 ++++++-----------------------
 internal/hcsoci/hcsdoc_lcow.go      | 13 +++++++++++
 2 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 4436c73c4f..6637af0a44 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -303,26 +303,7 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 					networkNamespace = fmt.Sprintf("virtual-pod-%s", virtualPodID)
 				}
 
-				// Extract memory limit from sandbox container spec
-				var memoryLimit *int64
-				if settings.OCISpecification.Linux != nil &&
-					settings.OCISpecification.Linux.Resources != nil &&
-					settings.OCISpecification.Linux.Resources.Memory != nil &&
-					settings.OCISpecification.Linux.Resources.Memory.Limit != nil {
-					memoryLimit = settings.OCISpecification.Linux.Resources.Memory.Limit
-					logrus.WithFields(logrus.Fields{
-						"containerID":  id,
-						"virtualPodID": virtualPodID,
-						"memoryLimit":  *memoryLimit,
-					}).Info("Extracted memory limit from sandbox container spec")
-				} else {
-					logrus.WithFields(logrus.Fields{
-						"containerID":  id,
-						"virtualPodID": virtualPodID,
-					}).Info("No memory limit found in sandbox container spec")
-				}
-
-				if err := h.CreateVirtualPod(ctx, virtualPodID, virtualPodID, networkNamespace, memoryLimit); err != nil {
+				if err := h.CreateVirtualPod(ctx, virtualPodID, virtualPodID, networkNamespace, settings.OCISpecification); err != nil {
 					return nil, errors.Wrapf(err, "failed to create virtual pod %s", virtualPodID)
 				}
 			}
@@ -1305,7 +1286,7 @@ func (h *Host) InitializeVirtualPodSupport(virtualPodsCgroup cgroups.Cgroup) {
 }
 
 // CreateVirtualPod creates a new virtual pod with its own cgroup and network namespace
-func (h *Host) CreateVirtualPod(ctx context.Context, virtualSandboxID, masterSandboxID, networkNamespace string, memoryLimit *int64) error {
+func (h *Host) CreateVirtualPod(ctx context.Context, virtualSandboxID, masterSandboxID, networkNamespace string, pSpec *specs.Spec) error {
 	h.virtualPodsMutex.Lock()
 	defer h.virtualPodsMutex.Unlock()
 
@@ -1327,18 +1308,15 @@ func (h *Host) CreateVirtualPod(ctx context.Context, virtualSandboxID, masterSan
 	}
 	cgroupPath := path.Join(parentPath, virtualSandboxID)
 
-	// Create the cgroup for this virtual pod with memory limit if provided
+	// Create the cgroup for this virtual pod with resource limits if provided
 	resources := &specs.LinuxResources{}
-	if memoryLimit != nil {
-		resources.Memory = &specs.LinuxMemory{
-			Limit: memoryLimit,
-		}
+	if pSpec != nil && pSpec.Linux != nil && pSpec.Linux.Resources != nil {
+		resources = pSpec.Linux.Resources
 		logrus.WithFields(logrus.Fields{
 			"virtualSandboxID": virtualSandboxID,
-			"memoryLimit":      *memoryLimit,
-		}).Info("Creating virtual pod with memory limit")
+		}).Info("Creating virtual pod with specified resources")
 	} else {
-		logrus.WithField("virtualSandboxID", virtualSandboxID).Info("Creating virtual pod without memory limit")
+		logrus.WithField("virtualSandboxID", virtualSandboxID).Info("Creating pod cgroup with default resources as none were specified")
 	}
 
 	cgroupControl, err := cgroups.New(cgroups.StaticPath(cgroupPath), resources)
diff --git a/internal/hcsoci/hcsdoc_lcow.go b/internal/hcsoci/hcsdoc_lcow.go
index db94d73df0..dfd2f1def5 100644
--- a/internal/hcsoci/hcsdoc_lcow.go
+++ b/internal/hcsoci/hcsdoc_lcow.go
@@ -38,6 +38,19 @@ func createLCOWSpec(ctx context.Context, coi *createOptionsInternal) (*specs.Spe
 	// Hooks are not supported (they should be run in the host)
 	spec.Hooks = nil
 
+	// Set default CPU period and quota if not set for LCOW containers.
+	if spec.Linux != nil &&
+		spec.Linux.Resources != nil &&
+		spec.Linux.Resources.CPU != nil {
+
+		if spec.Linux.Resources.CPU.Period != nil && *spec.Linux.Resources.CPU.Period == 0 {
+			*spec.Linux.Resources.CPU.Period = 100000 // Default CPU period
+		}
+		if spec.Linux.Resources.CPU.Quota != nil && *spec.Linux.Resources.CPU.Quota == 0 {
+			*spec.Linux.Resources.CPU.Quota = -1 // No CPU limit
+		}
+	}
+
 	// Clear unsupported features
 	spec.Linux.CgroupsPath = "" // GCS controls its cgroups hierarchy on its own.
 	if spec.Linux.Resources != nil {