diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-07-17 13:58:22 +0200 |
---|---|---|
committer | Matthew Heon <matthew.heon@pm.me> | 2020-07-22 14:05:20 -0400 |
commit | e21a6368f9308292641ed5ce58321b1cd46abdc9 (patch) | |
tree | 3965dc2cfc5cea33cb04b10cf528f7570f3b38f5 | |
parent | 92186cbd28df57bda027c90eb3715c8a636c1037 (diff) | |
download | podman-e21a6368f9308292641ed5ce58321b1cd46abdc9.tar.gz podman-e21a6368f9308292641ed5ce58321b1cd46abdc9.tar.bz2 podman-e21a6368f9308292641ed5ce58321b1cd46abdc9.zip |
abi: set default umask and rlimits
the code got lost in the migration to podman 2.0, reintroduce it.
Closes: https://github.com/containers/podman/issues/6989
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
<MH: Fixed build>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
-rw-r--r-- | cmd/podman/early_init_linux.go | 39 | ||||
-rw-r--r-- | cmd/podman/early_init_unsupported.go | 6 | ||||
-rw-r--r-- | cmd/podman/root.go | 1 | ||||
-rw-r--r-- | libpod/define/config.go | 10 | ||||
-rw-r--r-- | pkg/domain/infra/abi/system.go | 22 | ||||
-rw-r--r-- | pkg/spec/spec.go | 15 | ||||
-rw-r--r-- | pkg/specgen/generate/oci.go | 15 |
7 files changed, 70 insertions, 38 deletions
diff --git a/cmd/podman/early_init_linux.go b/cmd/podman/early_init_linux.go new file mode 100644 index 000000000..b43450a7f --- /dev/null +++ b/cmd/podman/early_init_linux.go @@ -0,0 +1,39 @@ +package main + +import ( + "fmt" + "os" + "syscall" + + "github.com/containers/libpod/v2/libpod/define" + "github.com/pkg/errors" +) + +func setRLimits() error { + rlimits := new(syscall.Rlimit) + rlimits.Cur = define.RLimitDefaultValue + rlimits.Max = define.RLimitDefaultValue + if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { + if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { + return errors.Wrapf(err, "error getting rlimits") + } + rlimits.Cur = rlimits.Max + if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { + return errors.Wrapf(err, "error setting new rlimits") + } + } + return nil +} + +func setUMask() { + // Be sure we can create directories with 0755 mode. + syscall.Umask(0022) +} + +func earlyInitHook() { + if err := setRLimits(); err != nil { + fmt.Fprint(os.Stderr, "Failed to set rlimits: "+err.Error()) + } + + setUMask() +} diff --git a/cmd/podman/early_init_unsupported.go b/cmd/podman/early_init_unsupported.go new file mode 100644 index 000000000..4e748559f --- /dev/null +++ b/cmd/podman/early_init_unsupported.go @@ -0,0 +1,6 @@ +// +build !linux + +package main + +func earlyInitHook() { +} diff --git a/cmd/podman/root.go b/cmd/podman/root.go index 7c54da91a..b2c9f9c2c 100644 --- a/cmd/podman/root.go +++ b/cmd/podman/root.go @@ -77,6 +77,7 @@ func init() { cobra.OnInitialize( loggingHook, syslogHook, + earlyInitHook, ) rootFlags(rootCmd, registry.PodmanConfig()) diff --git a/libpod/define/config.go b/libpod/define/config.go index 900a363d8..64b24d9e2 100644 --- a/libpod/define/config.go +++ b/libpod/define/config.go @@ -75,3 +75,13 @@ const JSONLogging = "json-file" // NoLogging is the string conmon expects when specifying to use no log driver whatsoever const NoLogging = "none" + +// Strings used for --sdnotify option to podman +const ( + SdNotifyModeContainer = "container" + SdNotifyModeConmon = "conmon" + SdNotifyModeIgnore = "ignore" +) + +// DefaultRlimitValue is the value set by default for nofile and nproc +const RLimitDefaultValue = uint64(1048576) diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index be14f52b8..435902ded 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -8,7 +8,6 @@ import ( "os/exec" "path/filepath" "strconv" - "syscall" "github.com/containers/common/pkg/config" "github.com/containers/libpod/v2/libpod/define" @@ -146,27 +145,6 @@ func movePauseProcessToScope() error { return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope") } -func setRLimits() error { // nolint:deadcode,unused - rlimits := new(syscall.Rlimit) - rlimits.Cur = 1048576 - rlimits.Max = 1048576 - if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { - if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { - return errors.Wrapf(err, "error getting rlimits") - } - rlimits.Cur = rlimits.Max - if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil { - return errors.Wrapf(err, "error setting new rlimits") - } - } - return nil -} - -func setUMask() { // nolint:deadcode,unused - // Be sure we can create directories with 0755 mode. - syscall.Umask(0022) -} - // checkInput can be used to verify any of the globalopt values func checkInput() error { // nolint:deadcode,unused return nil diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 6f52b88b1..b974772d5 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -505,10 +505,9 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate. func addRlimits(config *CreateConfig, g *generate.Generator) error { var ( - kernelMax uint64 = 1048576 - isRootless = rootless.IsRootless() - nofileSet = false - nprocSet = false + isRootless = rootless.IsRootless() + nofileSet = false + nprocSet = false ) for _, u := range config.Resources.Ulimit { @@ -538,8 +537,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error { // files and number of processes to the maximum they can be set to // (without overriding a sysctl) if !nofileSet { - max := kernelMax - current := kernelMax + max := define.RLimitDefaultValue + current := define.RLimitDefaultValue if isRootless { var rlimit unix.Rlimit if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil { @@ -555,8 +554,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error { g.AddProcessRlimits("RLIMIT_NOFILE", max, current) } if !nprocSet { - max := kernelMax - current := kernelMax + max := define.RLimitDefaultValue + current := define.RLimitDefaultValue if isRootless { var rlimit unix.Rlimit if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil { diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index f770b0582..b62e851b3 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -20,10 +20,9 @@ import ( func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error { var ( - kernelMax uint64 = 1048576 - isRootless = rootless.IsRootless() - nofileSet = false - nprocSet = false + isRootless = rootless.IsRootless() + nofileSet = false + nprocSet = false ) if s.Rlimits == nil { @@ -45,8 +44,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error { // files and number of processes to the maximum they can be set to // (without overriding a sysctl) if !nofileSet { - max := kernelMax - current := kernelMax + max := define.RLimitDefaultValue + current := define.RLimitDefaultValue if isRootless { var rlimit unix.Rlimit if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil { @@ -62,8 +61,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error { g.AddProcessRlimits("RLIMIT_NOFILE", max, current) } if !nprocSet { - max := kernelMax - current := kernelMax + max := define.RLimitDefaultValue + current := define.RLimitDefaultValue if isRootless { var rlimit unix.Rlimit if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil { |