author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-05-08 13:51:36 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-08 13:51:36 +0200 |
commit | 6b5be634b99706737feae10625ac4513fc1c4917 (patch) | |
tree | 5ead7c332b55507741e755ba12727077fac4ff3d | |
parent | 4e8d074eb1af0b777f1d22c27f1a0c9de2ef7862 (diff) | |
parent | 6daf26fe580a239201010318a2f4b72b5460393b (diff) | |
Merge pull request #6095 from rhatdan/old
Set up ulimits for rootless containers.
-rw-r--r-- | pkg/spec/config_linux.go | 25 | ||||
-rw-r--r-- | pkg/spec/config_unsupported.go | 8 | ||||
-rw-r--r-- | pkg/spec/spec.go | 21 |
3 files changed, 45 insertions, 9 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index 544c0020d..779f41588 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -16,6 +16,7 @@ import (
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
 )

@@ -366,3 +367,27 @@ func GetStatFromPath(path string) (unix.Stat_t, error) {
 err := unix.Stat(path, &s)
 return s, err
 }
+
+func getNOFILESettings() (uint64, uint64) {
+ if rootless.IsRootless() {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err == nil {
+ return rlimit.Cur, rlimit.Max
+ } else {
+ logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
+ }
+ }
+ return kernelMax, kernelMax
+}
+
+func getNPROCSettings() (uint64, uint64) {
+ if rootless.IsRootless() {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err == nil {
+ return rlimit.Cur, rlimit.Max
+ } else {
+ logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
+ }
+ }
+ return kernelMax, kernelMax
+}
diff --git a/pkg/spec/config_unsupported.go b/pkg/spec/config_unsupported.go
index 568afde55..402193456 100644
--- a/pkg/spec/config_unsupported.go
+++ b/pkg/spec/config_unsupported.go
@@ -34,3 +34,11 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error {
 func deviceCgroupRules(g *generate.Generator, deviceCgroupRules []string) error {
 return errors.New("function not implemented")
 }
+
+func getNOFILESettings() (uint64, uint64) {
+ return kernelMax, kernelMax
+}
+
+func getNPROCSettings() (uint64, uint64) {
+ return kernelMax, kernelMax
+}
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index c9a068578..eaa42e10d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
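Review bot: When `unix.Getrlimit` fails in the rootless branch of `getNOFILESettings`, the function falls back to `kernelMax, kernelMax` — the value the removed `!isRootless` guard in addRlimits existed to avoid for rootless users — and the caller cannot distinguish this from a successful lookup, so a limit above the process's real hard limit is likely to be emitted and fail at container start. Since a `(uint64, uint64)` result cannot express "leave the limit unset", consider returning an additional `ok bool` and having addRlimits skip `AddProcessRlimits` when it is false; the same applies to `getNPROCSettings`. The two functions are otherwise identical apart from the resource constant and message, have no doc comments, and use `else` after a `return`; the fence below folds them into one documented helper (addRlimits in spec.go would then check the third result). `%q` on an `error` value is also unusual — `%v` is the convention.

```go
// getRlimitSettings returns the soft and hard limits to apply for the given
// resource. An unprivileged (rootless) process cannot raise a limit above its
// own hard limit, so its current values are returned; otherwise kernelMax is
// used for both. ok is false when the rootless lookup failed, in which case the
// caller should leave the limit unset instead of guessing.
func getRlimitSettings(resource int, name string) (soft, hard uint64, ok bool) {
	if !rootless.IsRootless() {
		return kernelMax, kernelMax, true
	}
	var rlimit unix.Rlimit
	if err := unix.Getrlimit(resource, &rlimit); err != nil {
		logrus.Warnf("failed to read %s ulimit: %v", name, err)
		return 0, 0, false
	}
	return rlimit.Cur, rlimit.Max, true
}

// getNOFILESettings returns the default RLIMIT_NOFILE soft/hard limits.
func getNOFILESettings() (uint64, uint64, bool) {
	return getRlimitSettings(unix.RLIMIT_NOFILE, "RLIMIT_NOFILE")
}

// getNPROCSettings returns the default RLIMIT_NPROC soft/hard limits.
func getNPROCSettings() (uint64, uint64, bool) {
	return getRlimitSettings(unix.RLIMIT_NPROC, "RLIMIT_NPROC")
}
```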
@@ -18,7 +18,10 @@ import (
 "github.com/pkg/errors"
 )

-const CpuPeriod = 100000
+const (
+ CpuPeriod = 100000
+ kernelMax uint64 = 1048576
+)

 func GetAvailableGids() (int64, error) {
 idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
@@ -502,10 +505,8 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.

 func addRlimits(config *CreateConfig, g *generate.Generator) error {
 var (
- kernelMax uint64 = 1048576
- isRootless = rootless.IsRootless()
- nofileSet = false
- nprocSet = false
+ nofileSet = false
+ nprocSet = false
 )

 for _, u := range config.Resources.Ulimit {
@@ -534,11 +535,13 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
 // If not explicitly overridden by the user, default number of open
 // files and number of processes to the maximum they can be set to
 // (without overriding a sysctl)
- if !nofileSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
+ if !nofileSet {
+ current, max := getNOFILESettings()
+ g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
 }
- if !nprocSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
+ if !nprocSet {
+ current, max := getNPROCSettings()
+ g.AddProcessRlimits("RLIMIT_NPROC", current, max)
 }
 return nil |
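Review bot: `kernelMax` is promoted to a package-level constant in the new `const` block without a doc comment, while the only explanation of the value (`// ... the maximum they can be set to (without overriding a sysctl)`) stays inside addRlimits, far from a declaration that config_linux.go and config_unsupported.go now also read. Add `// kernelMax is the default soft and hard value for RLIMIT_NOFILE and RLIMIT_NPROC when the user sets no ulimit; it is the highest value that can be applied without raising a sysctl.` above the constant. The exported `CpuPeriod` in the same block is still undocumented and could take a comment in the same edit.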