From be0d06555488fa8310ca65f38ace1f07df503a70 Mon Sep 17 00:00:00 2001
From: Sankalp
Date: Sat, 13 Dec 2025 07:38:49 +0000
Subject: [PATCH] feat(config): pass rlimits to urunit via UCS

This extracts the rlimits from the OCI spec in the unikontainer logic and appends them to the UCS configuration block generated in linux.go. This allows the guest init process (urunit) to enforce resource limits.

Signed-off-by: Sankalp
---
 .github/linters/urunc-dict.txt | 1 +
 pkg/unikontainers/types/types.go | 7 +++++++
 pkg/unikontainers/unikernels/linux.go | 9 +++++++++
 pkg/unikontainers/unikontainers.go | 10 ++++++++++
 4 files changed, 27 insertions(+)
diff --git a/.github/linters/urunc-dict.txt b/.github/linters/urunc-dict.txt
index 40ab757f..0ddde611 100644
--- a/.github/linters/urunc-dict.txt
+++ b/.github/linters/urunc-dict.txt
@@ -375,6 +375,7 @@ derr
 ldconfig
 vfsd
 crun
+Rlimits
 vaccel
 VACCEL
 vsock
diff --git a/pkg/unikontainers/types/types.go b/pkg/unikontainers/types/types.go
index 85b1b49c..0fbd45a3 100644
--- a/pkg/unikontainers/types/types.go
+++ b/pkg/unikontainers/types/types.go
@@ -60,11 +60,18 @@ type RootfsParams struct {
 MonRootfs string // The rootfs for the monitor process
 }
+type Rlimit struct {
+ Type string
+ Hard uint64
+ Soft uint64
+}
+
 // Specific to Linux
 type ProcessConfig struct {
 UID uint32 // The uid of the process inside the guest
 GID uint32 // The gid of the process inside the guest
 WorkDir string // The workdir of the process inside the guest
+ Rlimits []Rlimit
 }
 // UnikernelParams holds the data required to build the unikernels commandline
diff --git a/pkg/unikontainers/unikernels/linux.go b/pkg/unikontainers/unikernels/linux.go
index 18222eec..252bb05c 100644
--- a/pkg/unikontainers/unikernels/linux.go
+++ b/pkg/unikontainers/unikernels/linux.go
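Review bot: In pkg/unikontainers/types/types.go the exported `Rlimit` type and the new `Rlimits` field carry no comments, while every other field of `ProcessConfig` has a trailing one. I would add `// Rlimit is one POSIX resource limit taken from the OCI spec's process.rlimits.` above the type and `// The resource limits of the process inside the guest` after the field. A comment on `Type` saying it holds the OCI name (for example `RLIMIT_NOFILE`) would also help, because that string is later serialized into the urunit config unchanged.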
@@ -314,6 +314,15 @@ func (l *Linux) buildUrunitConfig() string {
 sb.WriteString("WD:")
 sb.WriteString(l.ProcConfig.WorkDir)
 sb.WriteString("\n")
+ for _, limit := range l.ProcConfig.Rlimits {
+ sb.WriteString("RLIMIT:")
+ sb.WriteString(limit.Type)
+ sb.WriteString(":")
+ sb.WriteString(strconv.FormatUint(limit.Hard, 10))
+ sb.WriteString(":")
+ sb.WriteString(strconv.FormatUint(limit.Soft, 10))
+ sb.WriteString("\n")
+ }
 sb.WriteString(lpcEndMarker)
 sb.WriteString("\n")
 sb.WriteString(blkStartMarker)
diff --git a/pkg/unikontainers/unikontainers.go b/pkg/unikontainers/unikontainers.go
index 7d4136b8..1d46a317 100644
--- a/pkg/unikontainers/unikontainers.go
+++ b/pkg/unikontainers/unikontainers.go
@@ -280,6 +280,16 @@ func (u *Unikontainer) Exec(metrics m.Writer) error {
 GID: u.Spec.Process.User.GID,
 WorkDir: u.Spec.Process.Cwd,
 }
+
+ if u.Spec.Process.Rlimits != nil {
+ for _, rl := range u.Spec.Process.Rlimits {
+ procAttrs.Rlimits = append(procAttrs.Rlimits, types.Rlimit{
+ Type: rl.Type,
+ Hard: rl.Hard,
+ Soft: rl.Soft,
+ })
+ }
+ }
 // UnikernelParams
 // populate unikernel params
 unikernelParams := types.UnikernelParams{
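Review bot: `limit.Type` is written into the UCS block verbatim by the new loop in buildUrunitConfig, and it arrives unchecked from `u.Spec.Process.Rlimits` in the Exec hunk of unikontainers.go. The block is line-oriented with `:` separators, so a Type containing a colon or a line break would change how the guest side reads the block; urunit's parser is not visible here, so the exact effect is an assumption to confirm. buildUrunitConfig returns only a string and its body starts and ends outside the hunk, so the check fits better in Exec, which can return an error: `if !strings.HasPrefix(rl.Type, "RLIMIT_") || strings.ContainsAny(rl.Type, ":\r\n") { return fmt.Errorf("invalid rlimit type %q", rl.Type) }`. A comment above the loop stating the record layout, `// RLIMIT:<type>:<hard>:<soft>`, would also make it explicit that the hard limit is emitted before the soft one.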
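Review bot: The `if u.Spec.Process.Rlimits != nil` guard added in Exec is redundant, because ranging over a nil slice runs zero iterations; removing it drops one nesting level and leaves just `for _, rl := range u.Spec.Process.Rlimits {`. The new block is also followed directly by the `// UnikernelParams` comment, so a blank line after its closing brace would keep the two steps visually separate. Exec continues outside the hunk on both sides.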