From 76f8efc0d0d7a697a4821d01f3c5dbf67bf33d8e Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 11 May 2020 12:53:13 +0200 Subject: spec: fix order for setting rlimits also make sure that the limits we set for rootless are not higher than what we'd set for root containers. Signed-off-by: Giuseppe Scrivano --- pkg/spec/spec.go | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'pkg') diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 77e92ae29..25cad9578 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -545,10 +545,14 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error { if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil { logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err) } - current = rlimit.Cur - max = rlimit.Max + if rlimit.Cur < current { + current = rlimit.Cur + } + if rlimit.Max < max { + max = rlimit.Max + } } - g.AddProcessRlimits("RLIMIT_NOFILE", current, max) + g.AddProcessRlimits("RLIMIT_NOFILE", max, current) } if !nprocSet { max := kernelMax @@ -558,10 +562,14 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error { if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil { logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err) } - current = rlimit.Cur - max = rlimit.Max + if rlimit.Cur < current { + current = rlimit.Cur + } + if rlimit.Max < max { + max = rlimit.Max + } } - g.AddProcessRlimits("RLIMIT_NPROC", current, max) + g.AddProcessRlimits("RLIMIT_NPROC", max, current) } return nil -- cgit v1.2.3-54-g00ecf