authorDaniel J Walsh <dwalsh@redhat.com>2020-05-05 15:22:01 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-05-06 10:46:42 -0400
commit6daf26fe580a239201010318a2f4b72b5460393b (patch)
tree909e98423a79fa2b8f0eb8f5382e23e4c05831d4 /pkg
parente9b178556d89fa7d483826fbfb59e1075081f800 (diff)
Set up ulimits for rootless containers.
Currently we are setting the maximum limits for rootful podman containers; there is no reason not to set them by default for rootless users as well.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/spec/config_linux.go25
-rw-r--r--pkg/spec/config_unsupported.go8
-rw-r--r--pkg/spec/spec.go21
3 files changed, 45 insertions, 9 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index 544c0020d..779f41588 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -16,6 +16,7 @@ import (
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -366,3 +367,27 @@ func GetStatFromPath(path string) (unix.Stat_t, error) {
err := unix.Stat(path, &s)
return s, err
}
+
+func getNOFILESettings() (uint64, uint64) {
+ if rootless.IsRootless() {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err == nil {
+ return rlimit.Cur, rlimit.Max
+ } else {
+ logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
+ }
+ }
+ return kernelMax, kernelMax
+}
+
+func getNPROCSettings() (uint64, uint64) {
+ if rootless.IsRootless() {
+ var rlimit unix.Rlimit
+ if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err == nil {
+ return rlimit.Cur, rlimit.Max
+ } else {
+ logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
+ }
+ }
+ return kernelMax, kernelMax
+}
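Review bot: getNOFILESettings and getNPROCSettings have the same body with only the resource id and the log text differing, and each keeps an `else` after a returning `if`, so the fallback path is harder to read than it needs to be; a single helper taking the resource and its name removes the duplication and lets the happy path read straight down. In the rootless branch the soft value handed back is the caller's current soft limit (`rlimit.Cur`), so a rootless container inherits whatever podman itself was started with rather than the hard maximum the commit description speaks of — presumably intended, but the helper's doc comment should say so explicitly. `kernelMax` and `rootless` are not introduced in this hunk; both helpers depend on them being in scope elsewhere in the package.
```go
// rlimitOrKernelMax returns the caller's current soft and hard limit for
// resource when running rootless, and kernelMax for both otherwise. When the
// limit cannot be read it warns and falls back to kernelMax as well.
func rlimitOrKernelMax(resource int, name string) (uint64, uint64) {
	if !rootless.IsRootless() {
		return kernelMax, kernelMax
	}
	var rlimit unix.Rlimit
	if err := unix.Getrlimit(resource, &rlimit); err != nil {
		logrus.Warnf("failed to return %s ulimit %q", name, err)
		return kernelMax, kernelMax
	}
	return rlimit.Cur, rlimit.Max
}

func getNOFILESettings() (uint64, uint64) {
	return rlimitOrKernelMax(unix.RLIMIT_NOFILE, "RLIMIT_NOFILE")
}

func getNPROCSettings() (uint64, uint64) {
	return rlimitOrKernelMax(unix.RLIMIT_NPROC, "RLIMIT_NPROC")
}
```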
diff --git a/pkg/spec/config_unsupported.go b/pkg/spec/config_unsupported.go
index 568afde55..402193456 100644
--- a/pkg/spec/config_unsupported.go
+++ b/pkg/spec/config_unsupported.go
@@ -34,3 +34,11 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error {
func deviceCgroupRules(g *generate.Generator, deviceCgroupRules []string) error {
return errors.New("function not implemented")
}
+
+func getNOFILESettings() (uint64, uint64) {
+ return kernelMax, kernelMax
+}
+
+func getNPROCSettings() (uint64, uint64) {
+ return kernelMax, kernelMax
+}
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index c9a068578..eaa42e10d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -18,7 +18,10 @@ import (
"github.com/pkg/errors"
)
-const CpuPeriod = 100000
+const (
+ CpuPeriod = 100000
+ kernelMax uint64 = 1048576
+)
func GetAvailableGids() (int64, error) {
idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
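Review bot: `kernelMax uint64 = 1048576` is now a package-level constant read from config_linux.go and config_unsupported.go as well as addRlimits, but it carries no comment explaining what the number is; the only hint is the pre-existing remark in addRlimits about "the maximum they can be set to (without overriding a sysctl)". Give it a doc line next to the declaration, for example `// kernelMax is the value addRlimits applies to RLIMIT_NOFILE and RLIMIT_NPROC when running as root or when the caller's own limits cannot be read; it is the largest value settable without changing a sysctl.`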
@@ -502,10 +505,8 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
func addRlimits(config *CreateConfig, g *generate.Generator) error {
var (
- kernelMax uint64 = 1048576
- isRootless = rootless.IsRootless()
- nofileSet = false
- nprocSet = false
+ nofileSet = false
+ nprocSet = false
)
for _, u := range config.Resources.Ulimit {
@@ -534,11 +535,13 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
// If not explicitly overridden by the user, default number of open
// files and number of processes to the maximum they can be set to
// (without overriding a sysctl)
- if !nofileSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
+ if !nofileSet {
+ current, max := getNOFILESettings()
+ g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
}
- if !nprocSet && !isRootless {
- g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
+ if !nprocSet {
+ current, max := getNPROCSettings()
+ g.AddProcessRlimits("RLIMIT_NPROC", current, max)
}
return nil