summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2020-07-17 13:58:22 +0200
committerMatthew Heon <matthew.heon@pm.me>2020-07-22 14:05:20 -0400
commite21a6368f9308292641ed5ce58321b1cd46abdc9 (patch)
tree3965dc2cfc5cea33cb04b10cf528f7570f3b38f5
parent92186cbd28df57bda027c90eb3715c8a636c1037 (diff)
downloadpodman-e21a6368f9308292641ed5ce58321b1cd46abdc9.tar.gz
podman-e21a6368f9308292641ed5ce58321b1cd46abdc9.tar.bz2
podman-e21a6368f9308292641ed5ce58321b1cd46abdc9.zip
abi: set default umask and rlimits
the code got lost in the migration to podman 2.0, reintroduce it. Closes: https://github.com/containers/podman/issues/6989 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> <MH: Fixed build> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
-rw-r--r--cmd/podman/early_init_linux.go39
-rw-r--r--cmd/podman/early_init_unsupported.go6
-rw-r--r--cmd/podman/root.go1
-rw-r--r--libpod/define/config.go10
-rw-r--r--pkg/domain/infra/abi/system.go22
-rw-r--r--pkg/spec/spec.go15
-rw-r--r--pkg/specgen/generate/oci.go15
7 files changed, 70 insertions, 38 deletions
diff --git a/cmd/podman/early_init_linux.go b/cmd/podman/early_init_linux.go
new file mode 100644
index 000000000..b43450a7f
--- /dev/null
+++ b/cmd/podman/early_init_linux.go
@@ -0,0 +1,39 @@
+package main
+
+import (
+ "fmt"
+ "os"
+ "syscall"
+
+ "github.com/containers/libpod/v2/libpod/define"
+ "github.com/pkg/errors"
+)
+
+func setRLimits() error {
+ rlimits := new(syscall.Rlimit)
+ rlimits.Cur = define.RLimitDefaultValue
+ rlimits.Max = define.RLimitDefaultValue
+ if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ return errors.Wrapf(err, "error getting rlimits")
+ }
+ rlimits.Cur = rlimits.Max
+ if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ return errors.Wrapf(err, "error setting new rlimits")
+ }
+ }
+ return nil
+}
+
+func setUMask() {
+ // Be sure we can create directories with 0755 mode.
+ syscall.Umask(0022)
+}
+
+func earlyInitHook() {
+ if err := setRLimits(); err != nil {
+ fmt.Fprint(os.Stderr, "Failed to set rlimits: "+err.Error())
+ }
+
+ setUMask()
+}
diff --git a/cmd/podman/early_init_unsupported.go b/cmd/podman/early_init_unsupported.go
new file mode 100644
index 000000000..4e748559f
--- /dev/null
+++ b/cmd/podman/early_init_unsupported.go
@@ -0,0 +1,6 @@
+// +build !linux
+
+package main
+
+func earlyInitHook() {
+}
diff --git a/cmd/podman/root.go b/cmd/podman/root.go
index 7c54da91a..b2c9f9c2c 100644
--- a/cmd/podman/root.go
+++ b/cmd/podman/root.go
@@ -77,6 +77,7 @@ func init() {
cobra.OnInitialize(
loggingHook,
syslogHook,
+ earlyInitHook,
)
rootFlags(rootCmd, registry.PodmanConfig())
diff --git a/libpod/define/config.go b/libpod/define/config.go
index 900a363d8..64b24d9e2 100644
--- a/libpod/define/config.go
+++ b/libpod/define/config.go
@@ -75,3 +75,13 @@ const JSONLogging = "json-file"
// NoLogging is the string conmon expects when specifying to use no log driver whatsoever
const NoLogging = "none"
+
+// Strings used for --sdnotify option to podman
+const (
+ SdNotifyModeContainer = "container"
+ SdNotifyModeConmon = "conmon"
+ SdNotifyModeIgnore = "ignore"
+)
+
+// DefaultRlimitValue is the value set by default for nofile and nproc
+const RLimitDefaultValue = uint64(1048576)
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index be14f52b8..435902ded 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -8,7 +8,6 @@ import (
"os/exec"
"path/filepath"
"strconv"
- "syscall"
"github.com/containers/common/pkg/config"
"github.com/containers/libpod/v2/libpod/define"
@@ -146,27 +145,6 @@ func movePauseProcessToScope() error {
return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope")
}
-func setRLimits() error { // nolint:deadcode,unused
- rlimits := new(syscall.Rlimit)
- rlimits.Cur = 1048576
- rlimits.Max = 1048576
- if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
- if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
- return errors.Wrapf(err, "error getting rlimits")
- }
- rlimits.Cur = rlimits.Max
- if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
- return errors.Wrapf(err, "error setting new rlimits")
- }
- }
- return nil
-}
-
-func setUMask() { // nolint:deadcode,unused
- // Be sure we can create directories with 0755 mode.
- syscall.Umask(0022)
-}
-
// checkInput can be used to verify any of the globalopt values
func checkInput() error { // nolint:deadcode,unused
return nil
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 6f52b88b1..b974772d5 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -505,10 +505,9 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
func addRlimits(config *CreateConfig, g *generate.Generator) error {
var (
- kernelMax uint64 = 1048576
- isRootless = rootless.IsRootless()
- nofileSet = false
- nprocSet = false
+ isRootless = rootless.IsRootless()
+ nofileSet = false
+ nprocSet = false
)
for _, u := range config.Resources.Ulimit {
@@ -538,8 +537,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
// files and number of processes to the maximum they can be set to
// (without overriding a sysctl)
if !nofileSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
@@ -555,8 +554,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
}
if !nprocSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index f770b0582..b62e851b3 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -20,10 +20,9 @@ import (
func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
var (
- kernelMax uint64 = 1048576
- isRootless = rootless.IsRootless()
- nofileSet = false
- nprocSet = false
+ isRootless = rootless.IsRootless()
+ nofileSet = false
+ nprocSet = false
)
if s.Rlimits == nil {
@@ -45,8 +44,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
// files and number of processes to the maximum they can be set to
// (without overriding a sysctl)
if !nofileSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
@@ -62,8 +61,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
}
if !nprocSet {
- max := kernelMax
- current := kernelMax
+ max := define.RLimitDefaultValue
+ current := define.RLimitDefaultValue
if isRootless {
var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {