mirror of
https://github.com/containers/podman.git
synced 2025-06-23 02:18:13 +08:00
Merge pull request #7005 from giuseppe/set-umask-rlimits
abi: set default umask and rlimits
This commit is contained in:
OpenShift Merge Robot
39
cmd/podman/early_init_linux.go
Normal file
39
cmd/podman/early_init_linux.go
Normal file
@ -0,0 +1,39 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"syscall"
|
||||
|
||||
"github.com/containers/libpod/v2/libpod/define"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func setRLimits() error {
|
||||
rlimits := new(syscall.Rlimit)
|
||||
rlimits.Cur = define.RLimitDefaultValue
|
||||
rlimits.Max = define.RLimitDefaultValue
|
||||
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
||||
if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
||||
return errors.Wrapf(err, "error getting rlimits")
|
||||
}
|
||||
rlimits.Cur = rlimits.Max
|
||||
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
||||
return errors.Wrapf(err, "error setting new rlimits")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func setUMask() {
|
||||
// Be sure we can create directories with 0755 mode.
|
||||
syscall.Umask(0022)
|
||||
}
|
||||
|
||||
func earlyInitHook() {
|
||||
if err := setRLimits(); err != nil {
|
||||
fmt.Fprint(os.Stderr, "Failed to set rlimits: "+err.Error())
|
||||
}
|
||||
|
||||
setUMask()
|
||||
}
|
||||
6
cmd/podman/early_init_unsupported.go
Normal file
6
cmd/podman/early_init_unsupported.go
Normal file
@ -0,0 +1,6 @@
|
||||
// +build !linux
|
||||
|
||||
package main
|
||||
|
||||
func earlyInitHook() {
|
||||
}
|
||||
@ -77,6 +77,7 @@ func init() {
|
||||
cobra.OnInitialize(
|
||||
loggingHook,
|
||||
syslogHook,
|
||||
earlyInitHook,
|
||||
)
|
||||
|
||||
rootFlags(rootCmd, registry.PodmanConfig())
|
||||
|
||||
@ -82,3 +82,6 @@ const (
|
||||
SdNotifyModeConmon = "conmon"
|
||||
SdNotifyModeIgnore = "ignore"
|
||||
)
|
||||
|
||||
// DefaultRlimitValue is the value set by default for nofile and nproc
|
||||
const RLimitDefaultValue = uint64(1048576)
|
||||
|
||||
@ -8,7 +8,6 @@ import (
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"syscall"
|
||||
|
||||
"github.com/containers/common/pkg/config"
|
||||
"github.com/containers/libpod/v2/libpod/define"
|
||||
@ -146,27 +145,6 @@ func movePauseProcessToScope() error {
|
||||
return utils.RunUnderSystemdScope(int(pid), "user.slice", "podman-pause.scope")
|
||||
}
|
||||
|
||||
func setRLimits() error { // nolint:deadcode,unused
|
||||
rlimits := new(syscall.Rlimit)
|
||||
rlimits.Cur = 1048576
|
||||
rlimits.Max = 1048576
|
||||
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
||||
if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
||||
return errors.Wrapf(err, "error getting rlimits")
|
||||
}
|
||||
rlimits.Cur = rlimits.Max
|
||||
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
|
||||
return errors.Wrapf(err, "error setting new rlimits")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func setUMask() { // nolint:deadcode,unused
|
||||
// Be sure we can create directories with 0755 mode.
|
||||
syscall.Umask(0022)
|
||||
}
|
||||
|
||||
// checkInput can be used to verify any of the globalopt values
|
||||
func checkInput() error { // nolint:deadcode,unused
|
||||
return nil
|
||||
|
||||
@ -505,7 +505,6 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
|
||||
|
||||
func addRlimits(config *CreateConfig, g *generate.Generator) error {
|
||||
var (
|
||||
kernelMax uint64 = 1048576
|
||||
isRootless = rootless.IsRootless()
|
||||
nofileSet = false
|
||||
nprocSet = false
|
||||
@ -538,8 +537,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
|
||||
// files and number of processes to the maximum they can be set to
|
||||
// (without overriding a sysctl)
|
||||
if !nofileSet {
|
||||
max := kernelMax
|
||||
current := kernelMax
|
||||
max := define.RLimitDefaultValue
|
||||
current := define.RLimitDefaultValue
|
||||
if isRootless {
|
||||
var rlimit unix.Rlimit
|
||||
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
|
||||
@ -555,8 +554,8 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
|
||||
g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
|
||||
}
|
||||
if !nprocSet {
|
||||
max := kernelMax
|
||||
current := kernelMax
|
||||
max := define.RLimitDefaultValue
|
||||
current := define.RLimitDefaultValue
|
||||
if isRootless {
|
||||
var rlimit unix.Rlimit
|
||||
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
|
||||
|
||||
@ -20,7 +20,6 @@ import (
|
||||
|
||||
func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
|
||||
var (
|
||||
kernelMax uint64 = 1048576
|
||||
isRootless = rootless.IsRootless()
|
||||
nofileSet = false
|
||||
nprocSet = false
|
||||
@ -45,8 +44,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
|
||||
// files and number of processes to the maximum they can be set to
|
||||
// (without overriding a sysctl)
|
||||
if !nofileSet {
|
||||
max := kernelMax
|
||||
current := kernelMax
|
||||
max := define.RLimitDefaultValue
|
||||
current := define.RLimitDefaultValue
|
||||
if isRootless {
|
||||
var rlimit unix.Rlimit
|
||||
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
|
||||
@ -62,8 +61,8 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
|
||||
g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
|
||||
}
|
||||
if !nprocSet {
|
||||
max := kernelMax
|
||||
current := kernelMax
|
||||
max := define.RLimitDefaultValue
|
||||
current := define.RLimitDefaultValue
|
||||
if isRootless {
|
||||
var rlimit unix.Rlimit
|
||||
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
|
||||
|
||||
Reference in New Issue
Block a user