author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-01-10 16:44:40 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-01-10 17:43:58 +0100 |
commit | a2c1a2df54f3660cdb49022fee1eae4a968c279a (patch) | |
tree | 7bece76b13c5bf80d456f959404d2f6eb41523f5 | |
parent | 0f6535cf6b4bfac265983c2fdd3482310ab4f39b (diff) | |
podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE
If we are not able to make arbitrary changes to the RLIMIT_NOFILE when
lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum
allowed. In this way the same code path works with rootless mode.
Closes: https://github.com/containers/libpod/issues/2123
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | cmd/podman/main.go | 18 | ||||
-rw-r--r-- | libpod/container_easyjson.go | 2 |
2 files changed, 12 insertions, 8 deletions
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 43804ee35..604404827 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -148,16 +148,20 @@ func main() {
 logrus.SetLevel(level)
 }
- // Only if not rootless, set rlimits for open files.
- // We open numerous FDs for ports opened
- if !rootless.IsRootless() {
- rlimits := new(syscall.Rlimit)
- rlimits.Cur = 1048576
- rlimits.Max = 1048576
+ rlimits := new(syscall.Rlimit)
+ rlimits.Cur = 1048576
+ rlimits.Max = 1048576
+ if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ return errors.Wrapf(err, "error getting rlimits")
+ }
+ rlimits.Cur = rlimits.Max
 if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 return errors.Wrapf(err, "error setting new rlimits")
 }
- } else {
+ }
+
+ if rootless.IsRootless() {
 logrus.Info("running as rootless")
 }
diff --git a/libpod/container_easyjson.go b/libpod/container_easyjson.go
index f1cb09bcc..50741df11 100644
--- a/libpod/container_easyjson.go
+++ b/libpod/container_easyjson.go
@@ -1,6 +1,6 @@ // +build seccomp ostree selinux varlink exclude_graphdriver_devicemapper -// Code generated by easyjson for marshaling/unmarshaling. DO NOT EDIT +// Code generated by easyjson for marshaling/unmarshaling. DO NOT EDIT. package libpod |
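Review bot: The error from the first `syscall.Setrlimit` call in the cmd/podman/main.go hunk is discarded, so every failure cause is handled as a missing CAP_SYS_RESOURCE and nothing records that the process ended up with a lower descriptor limit than the requested 1048576. Logging it before the fallback, for example `logrus.Debugf("cannot set RLIMIT_NOFILE to %d, falling back to the hard limit: %v", rlimits.Cur, err)`, keeps that visible; it has to come before the `Getrlimit` line, whose inner `err` shadows the outer one. The fallback errors are also returned for rootless runs, which previously skipped this block entirely, so an environment that denies setrlimit (presumably a seccomp or LSM policy) would now stop the command instead of running with the inherited limit; a warning may fit better there. The enclosing function starts and ends outside the hunk.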