author | Ralf Haferkamp <rhafer@suse.com> | 2020-06-26 11:14:35 +0200 |
---|---|---|
committer | Ralf Haferkamp <rhafer@suse.com> | 2020-06-26 11:17:32 +0200 |
commit | 43c19966f67fed9ec6551efcd0a96231fbf40e56 (patch) | |
tree | a58e14991d6811e5b1b4ef5b2216e531f067c30b | |
parent | bb11b428798094f33b3ec6102d2e52a3baf46324 (diff) | |
specgen: fix order for setting rlimits
Also make sure that the limits we set for rootless are not higher than
what we'd set for root containers.
Rootless containers failed to start when the calling user already
had ulimit (e.g. on NOFILE) set.
This is basically a cherry-pick of 76f8efc0d0d into specgen
Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
-rw-r--r-- | pkg/specgen/generate/oci.go | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 1c34f622b..badb34999 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -52,10 +52,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
 logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
 }
- current = rlimit.Cur
- max = rlimit.Max
+ if rlimit.Cur < current {
+ current = rlimit.Cur
+ }
+ if rlimit.Max < max {
+ max = rlimit.Max
+ }
 }
- g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
+ g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
 }
 if !nprocSet {
 max := kernelMax
@@ -65,10 +69,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
 logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
 }
- current = rlimit.Cur
- max = rlimit.Max
+ if rlimit.Cur < current {
+ current = rlimit.Cur
+ }
+ if rlimit.Max < max {
+ max = rlimit.Max
+ }
 }
- g.AddProcessRlimits("RLIMIT_NPROC", max, current)
+ g.AddProcessRlimits("RLIMIT_NPROC", max, current)
 }
 return nil |
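Review bot: When `unix.Getrlimit` fails in the RLIMIT_NOFILE hunk, the code only logs a warning and then still runs the new `rlimit.Cur < current` and `rlimit.Max < max` comparisons. If `rlimit` is a freshly declared zero value (its declaration is outside the hunk), both comparisons hold and the container is handed a 0/0 limit instead of the defaults. The clamps should run only on success, for example by turning the closing brace after `logrus.Warnf(...)` into `} else {` and moving the two `if` blocks inside it. The RLIMIT_NPROC hunk has the same fall-through and needs the same change. The body of `addRlimits` starts and ends outside both hunks, so the initial values of `current` and `max` are assumed rather than visible here.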