container: set scheduling policy

This is thread-directed so cannot be done externally. The glibc wrapper exposes this behaviour so most multithreaded programs using this is straight up incorrect. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-02-26 16:29:47 +09:00
parent 826347fe1f
commit a6160cd410
2 changed files with 65 additions and 0 deletions
--- a/container/container.go
+++ b/container/container.go
@@ -37,6 +37,9 @@ type (
 	Container struct {
 		// Whether the container init should stay alive after its parent terminates.
 		AllowOrphan bool
+		// Scheduling policy to set via sched_setscheduler(2). The zero value
+		// skips this call. Supported policies are [SCHED_BATCH], [SCHED_IDLE].
+		SchedPolicy int
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container,
@@ -342,6 +345,23 @@ func (p *Container) Start() error {
 			landlockOut:
 			}

+			// sched_setscheduler: thread-directed but acts on all processes
+			// created from that thread
+			if p.SchedPolicy > 0 {
+				p.msg.Verbosef("setting scheduling policy %d", p.SchedPolicy)
+				if err := schedSetscheduler(
+					0, // calling thread
+					p.SchedPolicy,
+					&schedParam{0},
+				); err != nil {
+					return &StartError{
+						Fatal: true,
+						Step:  "enforce landlock ruleset",
+						Err:   err,
+					}
+				}
+			}
+
 			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return &StartError{false, "start container init", err, false, true}