spec: clamp rlimits in a userns
commit 5ebba75dbd4462da47283b3f018804b7361d52bf implemented this behaviour for rootless users, but the same limitation exists for any user in a user namespace. Change the check to use the clamp to the current values anytime podman runs in a user namespace. Closes: https://github.com/containers/podman/issues/24508 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@ -662,7 +662,6 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
|
||||
// setup rlimits
|
||||
nofileSet := false
|
||||
nprocSet := false
|
||||
isRootless := rootless.IsRootless()
|
||||
isRunningInUserNs := unshare.IsRootless()
|
||||
if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
|
||||
var err error
|
||||
@ -682,7 +681,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
|
||||
if !nofileSet {
|
||||
max := rlimT(define.RLimitDefaultValue)
|
||||
current := rlimT(define.RLimitDefaultValue)
|
||||
if isRootless {
|
||||
if isRunningInUserNs {
|
||||
var rlimit unix.Rlimit
|
||||
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
|
||||
logrus.Warnf("Failed to return RLIMIT_NOFILE ulimit %q", err)
|
||||
@ -699,7 +698,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
|
||||
if !nprocSet {
|
||||
max := rlimT(define.RLimitDefaultValue)
|
||||
current := rlimT(define.RLimitDefaultValue)
|
||||
if isRootless {
|
||||
if isRunningInUserNs {
|
||||
var rlimit unix.Rlimit
|
||||
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
|
||||
logrus.Warnf("Failed to return RLIMIT_NPROC ulimit %q", err)
|
||||
|
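Review bot: In the first hunk `isRunningInUserNs` is assigned from `unshare.IsRootless()`, so the name promises user-namespace detection while the call reads as a rootless check, and with `isRootless` removed this single flag now gates the OOMScoreAdj handling as well as the RLIMIT_NOFILE and RLIMIT_NPROC clamps in the second and third hunks. A comment on that line would make the contract explicit, for example `// set whenever podman runs in a user namespace, not only for rootless users; the default rlimits below are clamped to the current values in that case`. Separately, both `unix.Getrlimit` error branches only log a warning; the clamp itself is outside the visible lines, but if it reads `rlimit` unconditionally, a failed call would leave the zero-valued struct in use, so it is worth confirming that the error path skips the clamp now that more setups reach it. The body of `generateSpec` starts and ends outside these hunks.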