Merge pull request #6004 from rhatdan/ulimits

Set up ulimits for rootless containers.
containers · May 1, 2020 · 49107a5 · 49107a5
2 parents 1230499 + 51585ff
commit 49107a5
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 10 deletions.
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
@@ -16,6 +16,8 @@ import (
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )
 
 const CpuPeriod = 100000
@@ -534,11 +536,31 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
 	// If not explicitly overridden by the user, default number of open
 	// files and number of processes to the maximum they can be set to
 	// (without overriding a sysctl)
-	if !nofileSet && !isRootless {
-		g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
-	}
-	if !nprocSet && !isRootless {
-		g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
+	if !nofileSet {
+		max := kernelMax
+		current := kernelMax
+		if isRootless {
+			var rlimit unix.Rlimit
+			if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
+				logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
+			}
+			current = rlimit.Cur
+			max = rlimit.Max
+		}
+		g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
+	}
+	if !nprocSet {
+		max := kernelMax
+		current := kernelMax
+		if isRootless {
+			var rlimit unix.Rlimit
+			if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
+				logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
+			}
+			current = rlimit.Cur
+			max = rlimit.Max
+		}
+		g.AddProcessRlimits("RLIMIT_NPROC", current, max)
 	}
 
 	return nil

diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
@@ -13,6 +13,8 @@ import (
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )
 
 func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
@@ -41,11 +43,31 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
 	// If not explicitly overridden by the user, default number of open
 	// files and number of processes to the maximum they can be set to
 	// (without overriding a sysctl)
-	if !nofileSet && !isRootless {
-		g.AddProcessRlimits("RLIMIT_NOFILE", kernelMax, kernelMax)
-	}
-	if !nprocSet && !isRootless {
-		g.AddProcessRlimits("RLIMIT_NPROC", kernelMax, kernelMax)
+	if !nofileSet {
+		max := kernelMax
+		current := kernelMax
+		if isRootless {
+			var rlimit unix.Rlimit
+			if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
+				logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
+			}
+			current = rlimit.Cur
+			max = rlimit.Max
+		}
+		g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
+	}
+	if !nprocSet {
+		max := kernelMax
+		current := kernelMax
+		if isRootless {
+			var rlimit unix.Rlimit
+			if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
+				logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
+			}
+			current = rlimit.Cur
+			max = rlimit.Max
+		}
+		g.AddProcessRlimits("RLIMIT_NPROC", current, max)
 	}
 
 	return nil