diff --git a/run_linux.go b/run_linux.go index d0b31f6daa6..79a9a324a60 100644 --- a/run_linux.go +++ b/run_linux.go @@ -1003,10 +1003,26 @@ func addRlimits(ulimit []string, g *generate.Generator, defaultUlimits []string) g.AddProcessRlimits("RLIMIT_"+strings.ToUpper(ul.Name), uint64(ul.Hard), uint64(ul.Soft)) } if !nofileSet { - max := define.RLimitDefaultValue + // For nofile, podman first tries to set both the hard and soft limits for the current + // process to RLimitDefaultValue - this will be successful in most (but not all) + // non-rootless environments. If this fails (e.g. in a rootless environment) it will ensure + // that the soft limit for the current process is increased to match the hard limit (see + // cmd/podman/early_init_linux.go). var rlimit unix.Rlimit + rlimit.Cur = define.RLimitDefaultValue + rlimit.Max = define.RLimitDefaultValue + err := unix.Setrlimit(unix.RLIMIT_NOFILE, &rlimit) + if err != nil { + // We don't really care whether there's an error here, because if it fails we + // effectively handle setting soft to hard in the call to AddProcessRlimits() later on. + logrus.Debugf("Failed to set RLIMIT_NOFILE ulimit %q", err) + } + + // Set both hard and soft limits to min(hard limit, RLimitDefaultValue) regardless of + // rootlessness. + max := define.RLimitDefaultValue if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err == nil { - if max < rlimit.Max || unshare.IsRootless() { + if rlimit.Max < max { max = rlimit.Max } } else { @@ -1014,17 +1030,23 @@ func addRlimits(ulimit []string, g *generate.Generator, defaultUlimits []string) } g.AddProcessRlimits("RLIMIT_NOFILE", max, max) } - if !nprocSet { + if !nprocSet && unshare.IsRootless() { + // For nproc, podman only sets limits for rootless containers (handling hard and soft limits + // independently). As before, these are set to min(soft/hard limit, RLimitDefaultValue). + current := define.RLimitDefaultValue max := define.RLimitDefaultValue var rlimit unix.Rlimit if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err == nil { - if max < rlimit.Max || unshare.IsRootless() { + if rlimit.Max < max { max = rlimit.Max } + if rlimit.Cur < current { + current = rlimit.Cur + } } else { logrus.Warnf("Failed to return RLIMIT_NPROC ulimit %q", err) } - g.AddProcessRlimits("RLIMIT_NPROC", max, max) + g.AddProcessRlimits("RLIMIT_NPROC", max, current) } return nil diff --git a/tests/run.bats b/tests/run.bats index 454351048f5..876b3287218 100644 --- a/tests/run.bats +++ b/tests/run.bats @@ -524,18 +524,22 @@ function configure_and_check_user() { _prefetch alpine - run podman run --rm alpine sh -c "awk '/open files/{print \$4 \"/\" \$5}' /proc/self/limits" - podman_files=$output + # drop limits prior to tests - this tests the ability of non-rootless containers to increase + # file limits to match those of podman + ulimit -S -n 1024 + ulimit -H -n 1024 run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine cid=$output + run podman run --rm alpine sh -c "awk '/open files/{print \$4 \"/\" \$5}' /proc/self/limits" + podman_files=$output run_buildah run $cid awk '/open files/{print $4 "/" $5}' /proc/self/limits expect_output "${podman_files}" "limits: podman and buildah should agree on open files" run podman run --rm alpine sh -c "awk '/processes/{print \$3 \"/\" \$4}' /proc/self/limits" podman_processes=$output run_buildah run $cid awk '/processes/{print $3 "/" $4}' /proc/self/limits - expect_output ${podman_processes} "processes should match podman" + expect_output "${podman_processes}" "limits: podman and buildah should agree on processes" run_buildah rm $cid run_buildah from --quiet --ulimit nofile=300:400 --pull=false $WITH_POLICY_JSON alpine