Merge pull request #7005 from giuseppe/set-umask-rlimits

abi: set default umask and rlimits
2025-06-22 18:08:11 +08:00 · 2020-07-17 16:12:47 -04:00
parent dfca83d37c 65d382dc68
commit 10c5f24123
7 changed files with 63 additions and 38 deletions
--- a/cmd/podman/early_init_linux.go
+++ b/cmd/podman/early_init_linux.go
@ -0,0 +1,39 @@
 package main
 import (
 	"fmt"
 	"os"
 	"syscall"
 	"github.com/containers/libpod/v2/libpod/define"
 	"github.com/pkg/errors"
 )
 func setRLimits() error {
 	rlimits := new(syscall.Rlimit)
 	rlimits.Cur = define.RLimitDefaultValue
 	rlimits.Max = define.RLimitDefaultValue
 	if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 		if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 			return errors.Wrapf(err, "error getting rlimits")
 		}
 		rlimits.Cur = rlimits.Max
 		if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 			return errors.Wrapf(err, "error setting new rlimits")
 		}
 	}
 	return nil
 }
 func setUMask() {
 	// Be sure we can create directories with 0755 mode.
 	syscall.Umask(0022)
 }
 func earlyInitHook() {
 	if err := setRLimits(); err != nil {
 		fmt.Fprint(os.Stderr, "Failed to set rlimits: "+err.Error())
 	}
 	setUMask()
 }
--- a/cmd/podman/early_init_unsupported.go
+++ b/cmd/podman/early_init_unsupported.go
@ -0,0 +1,6 @@
 // +build !linux
 package main
 func earlyInitHook() {
 }
--- a/cmd/podman/root.go
+++ b/cmd/podman/root.go
@ -77,6 +77,7 @@ func init() {
 	cobra.OnInitialize(
 		loggingHook,
 		syslogHook,
 		earlyInitHook,
 	)
 	rootFlags(rootCmd, registry.PodmanConfig())
--- a/libpod/define/config.go
+++ b/libpod/define/config.go
@ -82,3 +82,6 @@ const (
 	SdNotifyModeConmon    = "conmon"
 	SdNotifyModeIgnore    = "ignore"
 )
 // DefaultRlimitValue is the value set by default for nofile and nproc
 const RLimitDefaultValue = uint64(1048576)
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@ -8,7 +8,6 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strconv"
 	"syscall"
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/libpod/v2/libpod/define"
@ -146,27 +145,6 @@ func movePauseProcessToScope() error {
 	return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope")
 }
 func setRLimits() error { // nolint:deadcode,unused
 	rlimits := new(syscall.Rlimit)
 	rlimits.Cur = 1048576
 	rlimits.Max = 1048576
 	if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 		if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 			return errors.Wrapf(err, "error getting rlimits")
 		}
 		rlimits.Cur = rlimits.Max
 		if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
 			return errors.Wrapf(err, "error setting new rlimits")
 		}
 	}
 	return nil
 }
 func setUMask() { // nolint:deadcode,unused
 	// Be sure we can create directories with 0755 mode.
 	syscall.Umask(0022)
 }
 // checkInput can be used to verify any of the globalopt values
 func checkInput() error { // nolint:deadcode,unused
 	return nil
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@ -505,10 +505,9 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
 func addRlimits(config *CreateConfig, g *generate.Generator) error {
 	var (
-		kernelMax  uint64 = 1048576
+		isRootless = rootless.IsRootless()
-		isRootless        = rootless.IsRootless()
+		nofileSet  = false
-		nofileSet         = false
+		nprocSet   = false
 		nprocSet          = false
 	)
 	for _, u := range config.Resources.Ulimit {
@ -538,8 +537,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
 	// files and number of processes to the maximum they can be set to
 	// (without overriding a sysctl)
 	if !nofileSet {
-		max := kernelMax
+		max := define.RLimitDefaultValue
-		current := kernelMax
+		current := define.RLimitDefaultValue
 		if isRootless {
 			var rlimit unix.Rlimit
 			if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
@ -555,8 +554,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
 		g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
 	}
 	if !nprocSet {
-		max := kernelMax
+		max := define.RLimitDefaultValue
-		current := kernelMax
+		current := define.RLimitDefaultValue
 		if isRootless {
 			var rlimit unix.Rlimit
 			if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@ -20,10 +20,9 @@ import (
 func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 	var (
-		kernelMax  uint64 = 1048576
+		isRootless = rootless.IsRootless()
-		isRootless        = rootless.IsRootless()
+		nofileSet  = false
-		nofileSet         = false
+		nprocSet   = false
 		nprocSet          = false
 	)
 	if s.Rlimits == nil {
@ -45,8 +44,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 	// files and number of processes to the maximum they can be set to
 	// (without overriding a sysctl)
 	if !nofileSet {
-		max := kernelMax
+		max := define.RLimitDefaultValue
-		current := kernelMax
+		current := define.RLimitDefaultValue
 		if isRootless {
 			var rlimit unix.Rlimit
 			if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
@ -62,8 +61,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 		g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
 	}
 	if !nprocSet {
-		max := kernelMax
+		max := define.RLimitDefaultValue
-		current := kernelMax
+		current := define.RLimitDefaultValue
 		if isRootless {
 			var rlimit unix.Rlimit
 			if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {