From 6a46af571e70fd49655fe97df93391500933b2d1 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Tue, 28 Aug 2018 12:54:41 -0400
Subject: Set nproc in containers unless explicitly overridden
Signed-off-by: Matthew Heon
Closes: #1355
Approved by: rhatdan
---
 pkg/spec/spec.go | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
(limited to 'pkg/spec')
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 6520940d0..26b93f5fe 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -440,26 +440,35 @@ func addIpcNS(config *CreateConfig, g *generate.Generator) error {
 func addRlimits(config *CreateConfig, g *generate.Generator) error {
 var (
- ul *units.Ulimit
- err error
+ kernelMax uint64 = 1048576
+ isRootless = rootless.IsRootless()
+ nofileSet = false
+ nprocSet = false
 )
- nofileSet := false
-
 for _, u := range config.Resources.Ulimit {
- if ul, err = units.ParseUlimit(u); err != nil {
+ ul, err := units.ParseUlimit(u)
+ if err != nil {
 return errors.Wrapf(err, "ulimit option %q requires name=SOFT:HARD, failed to be parsed", u)
 }
 if ul.Name == "nofile" {
 nofileSet = true
+ } else if ul.Name == "nproc" {
+ nprocSet = true
 }
 g.AddProcessRlimits("RLIMIT_"+strings.ToUpper(ul.Name), uint64(ul.Hard), uint64(ul.Soft))
 }
- if !nofileSet && !rootless.IsRootless() {
- g.AddProcessRlimits("RLIMIT_NOFILE", 1048576, 1048576)
+ // If not explicitly overridden by the user, default number of open
+ // files and number of processes to the maximum they can be set to
+ // (without overriding a sysctl)
+ if !nofileSet && !isRootless {
+ g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
+ }
+ if !nprocSet && !isRootless {
+ g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
 }
 return nil
-- cgit v1.2.3-54-g00ecf
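Review bot: The new comment says 1048576 is the maximum both limits "can be set to (without overriding a sysctl)", but that bound only describes RLIMIT_NOFILE, whose hard limit is capped by the fs.nr_open sysctl (default 1048576); RLIMIT_NPROC has no equivalent cap, so the value is simply reused and the `kernelMax` name overstates what the literal is. The behavioural shift is worth recording too: before this change a non-rootless container inherited the invoking process's nproc limit, and the new default effectively removes the per-UID process cap as a guard against runaway process creation, leaving that to whatever pids cgroup limit is configured for the container. Suggest renaming the constant and stating the rationale at the declaration, e.g. `// defaultRlimitMax matches the default fs.nr_open cap for nofile; for nproc it` / `// intentionally lifts the inherited per-user cap and relies on the pids cgroup instead` / `defaultRlimitMax uint64 = 1048576`. The closing brace of addRlimits lies outside the hunk.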