From b5bc754bad1a8c7587ffd60cd93267c39c5d7c73 Mon Sep 17 00:00:00 2001 From: David Scott Date: Mon, 27 Sep 2021 17:10:00 +0100 Subject: [PATCH 1/2] docker-container: support --driver-opt cgroup-parent=... This allows the parent cgroup to be customised, which allows resource limits to be imposed on build containers separately from "user" containers. Signed-off-by: David Scott --- docs/reference/buildx_create.md | 1 + driver/docker-container/driver.go | 14 ++++++++++---- driver/docker-container/factory.go | 2 ++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/reference/buildx_create.md b/docs/reference/buildx_create.md index fc29910d..ae8841ac 100644 --- a/docs/reference/buildx_create.md +++ b/docs/reference/buildx_create.md @@ -130,6 +130,7 @@ Passes additional driver-specific options. Details for each driver: - `docker-container` - `image=IMAGE` - Sets the container image to be used for running buildkit. - `network=NETMODE` - Sets the network mode for running the buildkit container. + - `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. - Example: ```console diff --git a/driver/docker-container/driver.go b/driver/docker-container/driver.go index 6274bb0e..5bcc219c 100644 --- a/driver/docker-container/driver.go +++ b/driver/docker-container/driver.go @@ -38,10 +38,11 @@ const ( type Driver struct { driver.InitConfig - factory driver.Factory - netMode string - image string - env []string + factory driver.Factory + netMode string + image string + cgroupParent string + env []string } func (d *Driver) IsMobyDriver() bool { 
@@ -125,6 +126,11 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error { if d.netMode != "" { hc.NetworkMode = container.NetworkMode(d.netMode) } + if info, err := d.DockerAPI.Info(ctx); err == nil && info.CgroupDriver == "cgroupfs" { + if d.cgroupParent != "" { + hc.CgroupParent = d.cgroupParent + } + } _, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name) if err != nil { return err diff --git a/driver/docker-container/factory.go b/driver/docker-container/factory.go index f1f65250..ae4d39b9 100644 --- a/driver/docker-container/factory.go +++ b/driver/docker-container/factory.go @@ -49,6 +49,8 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver } case k == "image": d.image = v + case k == "cgroup-parent": + d.cgroupParent = v case strings.HasPrefix(k, "env."): envName := strings.TrimPrefix(k, "env.") if envName == "" { From d5908cdddf76bda778b2d9f00cec84936adeabfa Mon Sep 17 00:00:00 2001 From: David Scott Date: Mon, 27 Sep 2021 19:17:04 +0100 Subject: [PATCH 2/2] docker-container: use /docker/buildx cgroup by default This allows resource limits to be applied to all builds on a host. For example to limit the total amount of CPU used by builds: https://medium.com/@asishrs/docker-limit-resource-utilization-using-cgroup-parent-72a646651f9d Signed-off-by: David Scott --- docs/reference/buildx_create.md | 2 +- driver/docker-container/driver.go | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/reference/buildx_create.md b/docs/reference/buildx_create.md index ae8841ac..7f96812d 100644 --- a/docs/reference/buildx_create.md +++ b/docs/reference/buildx_create.md 
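Review bot: An explicitly requested `cgroup-parent` is dropped without any signal when `d.DockerAPI.Info` fails or the daemon reports a cgroup driver other than "cgroupfs", because the new `if` in `create` treats both cases as "skip". The commit message gives resource limits on build containers as the purpose, so a builder that silently starts outside the intended cgroup runs unconstrained while the operator believes the limit is in place. Calling `Info` only when the option is set, and failing (or at least warning through `l`) when it cannot be honoured, would make this visible and spare users who never set the option an extra API round trip. `create` begins and ends outside this hunk, so the sketch below covers only the added lines.

```go
if d.cgroupParent != "" {
	info, err := d.DockerAPI.Info(ctx)
	if err != nil {
		return fmt.Errorf("checking cgroup driver for cgroup-parent: %w", err)
	}
	if info.CgroupDriver != "cgroupfs" {
		return fmt.Errorf("cgroup-parent=%q requires the cgroupfs cgroup driver, daemon reports %q", d.cgroupParent, info.CgroupDriver)
	}
	hc.CgroupParent = d.cgroupParent
}
// … unchanged: ContainerCreate call and its error return …
```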
@@ -130,7 +130,7 @@ Passes additional driver-specific options. Details for each driver: - `docker-container` - `image=IMAGE` - Sets the container image to be used for running buildkit. - `network=NETMODE` - Sets the network mode for running the buildkit container. - - `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. + - `cgroup-parent=CGROUP` - Sets the cgroup parent of the buildkit container if docker is using the "cgroupfs" driver. Defaults to `/docker/buildx`. - Example: ```console diff --git a/driver/docker-container/driver.go b/driver/docker-container/driver.go index 5bcc219c..eec5d482 100644 --- a/driver/docker-container/driver.go +++ b/driver/docker-container/driver.go @@ -127,6 +127,9 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error { hc.NetworkMode = container.NetworkMode(d.netMode) } if info, err := d.DockerAPI.Info(ctx); err == nil && info.CgroupDriver == "cgroupfs" { + // Place all buildkit containers inside this cgroup by default so limits can be attached + // to all build activity on the host. + hc.CgroupParent = "/docker/buildx" if d.cgroupParent != "" { hc.CgroupParent = d.cgroupParent }
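Review bot: The hard-coded `hc.CgroupParent = "/docker/buildx"` in `create` changes cgroup placement for every builder on a cgroupfs host, not only for users who opted in, and there is no opt-out because an empty `cgroup-parent=` is indistinguishable from an unset option. A per-container parent presumably takes precedence over a cgroup parent configured on the daemon, so a host that confines all containers under its own hierarchy could find builders placed outside it. Monitoring or runtime-security agents that locate containers by cgroup path may likewise need to know about the deeper path. The docs line reads as if the default applied under every cgroup driver, and because the `Info` error is still ignored, whether the default is applied depends on a call whose failure is invisible. A named constant with a doc comment, e.g. `const defaultCgroupParent = "/docker/buildx"`, would keep the value in one place; `create` starts and ends outside the hunk.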