Use default_ulimits field in containers.conf

The default_ulimits field is currently ignored in podman run commands. This PR fixes this. Fixes: https://github.com/containers/podman/issues/17396 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-08-06 19:44:14 +08:00 · 2023-03-13 11:03:29 -04:00
parent 931cd1d7da
commit 6046832f3e
5 changed files with 64 additions and 15 deletions
--- a/pkg/api/handlers/libpod/containers_create.go
+++ b/pkg/api/handlers/libpod/containers_create.go
@ -62,6 +62,7 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 		utils.InternalServerError(w, err)
 		return
 	}
 	rtSpec, spec, opts, err := generate.MakeContainer(r.Context(), runtime, &sg, false, nil)
 	if err != nil {
 		utils.InternalServerError(w, err)
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@ -15,6 +15,7 @@ import (
 	"github.com/containers/podman/v4/libpod/define"
 	"github.com/containers/podman/v4/pkg/namespaces"
 	"github.com/containers/podman/v4/pkg/specgen"
 	"github.com/containers/podman/v4/pkg/specgenutil"
 	"github.com/containers/podman/v4/pkg/util"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
@ -30,6 +31,12 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 		return nil, nil, nil, err
 	}
 	rlimits, err := specgenutil.GenRlimits(rtc.Ulimits())
 	if err != nil {
 		return nil, nil, nil, err
 	}
 	s.Rlimits = append(rlimits, s.Rlimits...)
 	// If joining a pod, retrieve the pod for use, and its infra container
 	var pod *libpod.Pod
 	var infra *libpod.Container
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@ -233,6 +233,28 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 	return nil
 }
 func GenRlimits(ulimits []string) ([]specs.POSIXRlimit, error) {
 	rlimits := make([]specs.POSIXRlimit, 0, len(ulimits))
 	// Rlimits/Ulimits
 	for _, u := range ulimits {
 		if u == "host" {
 			rlimits = nil
 			break
 		}
 		ul, err := units.ParseUlimit(u)
 		if err != nil {
 			return nil, fmt.Errorf("ulimit option %q requires name=SOFT:HARD, failed to be parsed: %w", u, err)
 		}
 		rl := specs.POSIXRlimit{
 			Type: ul.Name,
 			Hard: uint64(ul.Hard),
 			Soft: uint64(ul.Soft),
 		}
 		rlimits = append(rlimits, rl)
 	}
 	return rlimits, nil
 }
 func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions, args []string) error {
 	rtc, err := config.Default()
 	if err != nil {
@ -738,21 +760,9 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 	// DeviceCgroupRules: c.StringSlice("device-cgroup-rule"),
 	// Rlimits/Ulimits
-	for _, u := range c.Ulimit {
+	s.Rlimits, err = GenRlimits(c.Ulimit)
 		if u == "host" {
 			s.Rlimits = nil
 			break
 		}
 		ul, err := units.ParseUlimit(u)
 	if err != nil {
-			return fmt.Errorf("ulimit option %q requires name=SOFT:HARD, failed to be parsed: %w", u, err)
+		return err
 		}
 		rl := specs.POSIXRlimit{
 			Type: ul.Name,
 			Hard: uint64(ul.Hard),
 			Soft: uint64(ul.Soft),
 		}
 		s.Rlimits = append(s.Rlimits, rl)
 	}
 	logOpts := make(map[string]string)
--- a/test/e2e/containers_conf_test.go
+++ b/test/e2e/containers_conf_test.go
@ -55,6 +55,19 @@ var _ = Describe("Verify podman containers.conf usage", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 		Expect(session.OutputToString()).To(ContainSubstring("2048"))
 		// Reset CONTAINERS_CONF to "/dev/null"
 		// Local should go back to defaults but remote should be set on server side
 		os.Setenv("CONTAINERS_CONF", "/dev/null")
 		session = podmanTest.Podman([]string{"run", "--rm", fedoraMinimal, "ulimit", "-n"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 		if IsRemote() {
 			Expect(session.OutputToString()).To(ContainSubstring("500"))
 		} else {
 			Expect(session.OutputToString()).To(Not(Equal("500")))
 		}
 	})
 	It("having additional env", func() {
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@ -1006,6 +1006,24 @@ EOF
    CONTAINERS_CONF="$containersconf" run_podman 1 run --rm --read-only-tmpfs=false $IMAGE touch /tmp/testro
 }
@test "podman run ulimit from containers.conf" {
    skip_if_remote "containers.conf has to be set on remote, only tested on E2E test"
    containersconf=$PODMAN_TMPDIR/containers.conf
    nofile1=$((RANDOM % 10000 + 5))
    nofile2=$((RANDOM % 10000 + 5))
    cat >$containersconf <<EOF
 [containers]
 default_ulimits = [
  "nofile=${nofile1}:${nofile1}",
 ]
 EOF
    CONTAINERS_CONF="$containersconf" run_podman run --rm $IMAGE grep "Max open files" /proc/self/limits
    assert "$output" =~ " ${nofile1}  * ${nofile1}  * files"
    CONTAINERS_CONF="$containersconf" run_podman run --ulimit nofile=${nofile2}:${nofile2} --rm $IMAGE grep "Max open files" /proc/self/limits
    assert "$output" =~ " ${nofile2}  * ${nofile2}  * files"
 }
@test "podman run bad --name" {
    randomname=$(random_string 30)
    run_podman 125 create --name "$randomname/bad" $IMAGE