linux: clarify pids cgroup settings

While the original wording did not provide any justification for this,
some runtimes have incorrectly treated a pids.limit value of 0 as being
equivalent to "max" or otherwise handle it suboptimally.

So, add some clarifying wording that the correct representation of max
is -1 (like every other cgroup configuration) and that users should not
treat 0 as a special value of any kind.

Note that a pids.limit value of 0 is actually different to 1 now that
CLONE_INTO_CGROUP exists (at the time pids was added to the kernel and
the spec, this feature didn't exist and so it may have seemed redundant
to have two equivalent values).

For the Go API, this is effectively a partial revert of commit
ef9ce84 ("specs-go/config: fix required items type") which turned
the limit value into a bare int64.

Fixes: ef9ce84 ("specs-go/config: fix required items type")
Fixes: 2ce2c86 ("runtime: config: linux: add cgroups information")
Signed-off-by: Aleksa Sarai <[email protected]>

Author: cyphar

config-linux.md

@@ -666,7 +666,9 @@ For more information, see the kernel cgroups documentation about [pids][cgroup-v
 
 The following parameters can be specified to set up the controller:
 
-* **`limit`** *(int64, REQUIRED)* - specifies the maximum number of tasks in the cgroup
+* **`limit`** *(int64, OPTIONAL)* - specifies the maximum number of tasks in the cgroup, with `-1` indicating no limit (`max`).
+
+> Note: Even though it may superficially seem redundant, `0` is a valid limit value for the `pids` cgroup controller from the kernel's perspective and SHOULD be treated as such by runtimes.
 
 #### Example
 

specs-go/config.go

@@ -434,7 +434,7 @@ type LinuxCPU struct {
 // LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3)
 type LinuxPids struct {
 	// Maximum number of PIDs. Default is "no limit".
-	Limit int64 `json:"limit"`
+	Limit *int64 `json:"limit,omitempty"`
 }
 
 // LinuxNetwork identification and priority configuration