From 6daf26fe580a239201010318a2f4b72b5460393b Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 5 May 2020 15:22:01 -0400
Subject: Set up ulimits for rootless containers.
Currently we are setting the maximum limits for rootful podman containers, no reason not to set them by default for rootless users as well
Signed-off-by: Daniel J Walsh
---
 pkg/spec/config_linux.go | 25 +++++++++++++++++++++++++
 pkg/spec/config_unsupported.go | 8 ++++++++
 pkg/spec/spec.go | 21 ++++++++++++---------
 3 files changed, 45 insertions(+), 9 deletions(-)
(limited to 'pkg')
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index 544c0020d..779f41588 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -16,6 +16,7 @@ import (
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -366,3 +367,27 @@ func GetStatFromPath(path string) (unix.Stat_t, error) {
 	err := unix.Stat(path, &s)
 	return s, err
 }
+
+func getNOFILESettings() (uint64, uint64) {
+	if rootless.IsRootless() {
+		var rlimit unix.Rlimit
+		if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err == nil {
+			return rlimit.Cur, rlimit.Max
+		} else {
+			logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
+		}
+	}
+	return kernelMax, kernelMax
+}
+
+func getNPROCSettings() (uint64, uint64) {
+	if rootless.IsRootless() {
+		var rlimit unix.Rlimit
+		if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err == nil {
+			return rlimit.Cur, rlimit.Max
+		} else {
+			logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
+		}
+	}
+	return kernelMax, kernelMax
+}
diff --git a/pkg/spec/config_unsupported.go b/pkg/spec/config_unsupported.go
index 568afde55..402193456 100644
--- a/pkg/spec/config_unsupported.go
+++ b/pkg/spec/config_unsupported.go
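Review bot: In the rootless branch of `getNOFILESettings` and `getNPROCSettings`, returning `rlimit.Cur, rlimit.Max` hands the container the soft limit podman itself is running under, so the commit's stated goal of giving rootless containers the maximum limits is not reached — the child would inherit that same soft limit whether or not the spec sets it. An unprivileged process may raise its soft limit up to its hard limit, so `return rlimit.Max, rlimit.Max` would realise the intent without needing privilege; if inheriting the current soft limit is deliberate, a comment saying so would stop the next reader from "fixing" it. Both helpers are undocumented, and the order of the returned pair matters because the caller must map it onto the generator's argument order, so each deserves a doc comment such as `// getNOFILESettings returns the (soft, hard) RLIMIT_NOFILE values to place in the container spec: the caller's own limits when rootless, kernelMax otherwise.`. Style: the `else` after the `return` should go, leaving the `logrus.Warnf` in the fall-through path as Go convention prefers.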
@@ -34,3 +34,11 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error {
 func deviceCgroupRules(g *generate.Generator, deviceCgroupRules []string) error {
 	return errors.New("function not implemented")
 }
+
+func getNOFILESettings() (uint64, uint64) {
+	return kernelMax, kernelMax
+}
+
+func getNPROCSettings() (uint64, uint64) {
+	return kernelMax, kernelMax
+}
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index c9a068578..eaa42e10d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -18,7 +18,10 @@ import (
 	"github.com/pkg/errors"
 )
-const CpuPeriod = 100000
+const (
+	CpuPeriod = 100000
+	kernelMax uint64 = 1048576
+)
 func GetAvailableGids() (int64, error) {
 	idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
@@ -502,10 +505,8 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
 func addRlimits(config *CreateConfig, g *generate.Generator) error {
 	var (
-		kernelMax uint64 = 1048576
-		isRootless = rootless.IsRootless()
-		nofileSet = false
-		nprocSet = false
+		nofileSet = false
+		nprocSet = false
 	)
 	for _, u := range config.Resources.Ulimit {
@@ -534,11 +535,13 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
 	// If not explicitly overridden by the user, default number of open
 	// files and number of processes to the maximum they can be set to
 	// (without overriding a sysctl)
-	if !nofileSet && !isRootless {
-		g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
+	if !nofileSet {
+		current, max := getNOFILESettings()
+		g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
 	}
-	if !nprocSet && !isRootless {
-		g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
+	if !nprocSet {
+		current, max := getNPROCSettings()
+		g.AddProcessRlimits("RLIMIT_NPROC", current, max)
 	}
 	return nil
-- cgit v1.2.3-54-g00ecf
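Review bot: The argument order in the two new `g.AddProcessRlimits(..., current, max)` calls looks inverted for the rootless case: the helpers return `(rlimit.Cur, rlimit.Max)`, i.e. (soft, hard), while runtime-tools' `Generator.AddProcessRlimits` — its signature is not visible here, but as I recall it — takes `(rType, rHard, rSoft)`. With ordinary rootless defaults where the soft NOFILE limit is well below the hard one, the spec would then carry a soft limit above its hard limit, which setrlimit in the runtime rejects with EINVAL, so rootless containers would fail to start whenever Cur != Max; the rootful path cannot show this because both values are kernelMax. If that signature is right, the calls should read `g.AddProcessRlimits("RLIMIT_NOFILE", max, current)` and `g.AddProcessRlimits("RLIMIT_NPROC", max, current)`, and naming the locals `soft, hard` instead of `current, max` (which also shadows the builtin) would make the mapping checkable at a glance. The enclosing addRlimits body starts outside this hunk.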