summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-04-27 16:06:30 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-04-28 08:09:39 -0400
commit51585fffdd249d97af928844b337009a30f4d627 (patch)
treea1079d1673942b3f3c791addd091b1b5bc924c05
parentebf041652e93487b8afbac2bc4d9031d8547d866 (diff)
downloadpodman-51585fffdd249d97af928844b337009a30f4d627.tar.gz
podman-51585fffdd249d97af928844b337009a30f4d627.tar.bz2
podman-51585fffdd249d97af928844b337009a30f4d627.zip
Set up ulimits for rootless containers.
Currently we are setting the maximum limits for rootful podman containers, no reason not to set them by default for rootless users as well Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--pkg/spec/spec.go32
-rw-r--r--pkg/specgen/generate/oci.go32
2 files changed, 54 insertions, 10 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 7ee2df890..cb2403dec 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -16,6 +16,8 @@ import (
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
const CpuPeriod = 100000
@@ -533,11 +535,31 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
// If not explicitly overridden by the user, default number of open
// files and number of processes to the maximum they can be set to
// (without overriding a sysctl)
- if !nofileSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
- }
- if !nprocSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
+ if !nofileSet {
+ max := kernelMax
+ current := kernelMax
+ if isRootless {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
+ logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
+ }
+ current = rlimit.Cur
+ max = rlimit.Max
+ }
+ g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
+ }
+ if !nprocSet {
+ max := kernelMax
+ current := kernelMax
+ if isRootless {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
+ logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
+ }
+ current = rlimit.Cur
+ max = rlimit.Max
+ }
+ g.AddProcessRlimits("RLIMIT_NPROC", current, max)
}
return nil
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 87262684e..f2292f500 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -13,6 +13,8 @@ import (
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
@@ -41,11 +43,31 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
// If not explicitly overridden by the user, default number of open
// files and number of processes to the maximum they can be set to
// (without overriding a sysctl)
- if !nofileSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
- }
- if !nprocSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
+ if !nofileSet {
+ max := kernelMax
+ current := kernelMax
+ if isRootless {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
+ logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
+ }
+ current = rlimit.Cur
+ max = rlimit.Max
+ }
+ g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
+ }
+ if !nprocSet {
+ max := kernelMax
+ current := kernelMax
+ if isRootless {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
+ logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
+ }
+ current = rlimit.Cur
+ max = rlimit.Max
+ }
+ g.AddProcessRlimits("RLIMIT_NPROC", current, max)
}
return nil