spec: clamp rlimits in a userns

commit 5ebba75dbd4462da47283b3f018804b7361d52bf implemented this
behaviour for rootless users, but the same limitation exists for any
user in a user namespace.  Change the check so that the clamp to the
current values is applied whenever podman runs in a user namespace.

Closes: https://github.com/containers/podman/issues/24508

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano
2024-11-12 16:44:33 +01:00
parent da8995658b
commit 0a69aefa41


@ -662,7 +662,6 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
// setup rlimits // setup rlimits
nofileSet := false nofileSet := false
nprocSet := false nprocSet := false
isRootless := rootless.IsRootless()
isRunningInUserNs := unshare.IsRootless() isRunningInUserNs := unshare.IsRootless()
if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil { if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
var err error var err error
@ -682,7 +681,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
if !nofileSet { if !nofileSet {
max := rlimT(define.RLimitDefaultValue) max := rlimT(define.RLimitDefaultValue)
current := rlimT(define.RLimitDefaultValue) current := rlimT(define.RLimitDefaultValue)
if isRootless { if isRunningInUserNs {
var rlimit unix.Rlimit var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil { if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
logrus.Warnf("Failed to return RLIMIT_NOFILE ulimit %q", err) logrus.Warnf("Failed to return RLIMIT_NOFILE ulimit %q", err)
@ -699,7 +698,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
if !nprocSet { if !nprocSet {
max := rlimT(define.RLimitDefaultValue) max := rlimT(define.RLimitDefaultValue)
current := rlimT(define.RLimitDefaultValue) current := rlimT(define.RLimitDefaultValue)
if isRootless { if isRunningInUserNs {
var rlimit unix.Rlimit var rlimit unix.Rlimit
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil { if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
logrus.Warnf("Failed to return RLIMIT_NPROC ulimit %q", err) logrus.Warnf("Failed to return RLIMIT_NPROC ulimit %q", err)
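Review bot: The new condition `if isRunningInUserNs {` in the second and third hunks keys off a variable whose definition, `isRunningInUserNs := unshare.IsRootless()`, reads as a rootless check rather than a user-namespace check, and nothing in the code says why the two coincide; a reader who only knows the `rootless.IsRootless()` call removed in the first hunk would assume the clamp was narrowed, not widened. Suggest a comment on the definition line such as `// unshare.IsRootless reports true for a non-root euid and (presumably) when the process already sits inside a user namespace; in either case rlimits cannot be raised past the current hard limit, so clamp the defaults to what Getrlimit returns.`, with the user-namespace half confirmed against the unshare package. The Getrlimit error branches only log a warning, so on failure max and current stay at define.RLimitDefaultValue and the container may still be handed a limit the runtime cannot apply; whether that is acceptable depends on code outside the hunk. generateSpec starts and ends outside the shown hunks.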