From cb01f3bddb6f4a9d0709bf066b8f25c900406d87 Mon Sep 17 00:00:00 2001
From: lifubang
Date: Wed, 1 May 2024 00:25:49 +0800
Subject: [PATCH] update/add some tests for rlimit

issues:
https://github.com/opencontainers/runc/issues/4195
https://github.com/opencontainers/runc/pull/4265#discussion_r1588599809

Signed-off-by: lifubang
(cherry picked from commit 4ea0bf88fda72a1aeb34d443649b6d3d1e1c6baf)
Signed-off-by: lfbzhm
---
 libcontainer/integration/exec_test.go | 6 +-
 tests/integration/rlimits.bats | 88 +++++++++++++++++++++++++++
 2 files changed, 92 insertions(+), 2 deletions(-)
 create mode 100644 tests/integration/rlimits.bats

diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
index 670b33fcbb3..568bb637916 100644
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
@@ -135,11 +135,13 @@ func testRlimit(t *testing.T, userns bool) {
 config := newTemplateConfig(t, &tParam{userns: userns})
- // ensure limit is lower than what the config requests to test that in a user namespace
+ // Ensure limit is lower than what the config requests to test that in a user namespace
 // the Setrlimit call happens early enough that we still have permissions to raise the limit.
+ // Do not change the Cur value to be equal to the Max value, please see:
+ // https://github.com/opencontainers/runc/pull/4265#discussion_r1589666444
 ok(t, unix.Setrlimit(unix.RLIMIT_NOFILE, &unix.Rlimit{
 Max: 1024,
- Cur: 1024,
+ Cur: 512,
 }))
 out := runContainerOk(t, config, "/bin/sh", "-c", "ulimit -n")
diff --git a/tests/integration/rlimits.bats b/tests/integration/rlimits.bats
new file mode 100644
index 00000000000..356a7871069
--- /dev/null
+++ b/tests/integration/rlimits.bats
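Review bot: The new comment above the `unix.Setrlimit` call in testRlimit says not to make Cur equal to Max but gives the reason only as a link, so the constraint loses its explanation if the discussion URL ever stops resolving. A one-line summary next to the link would keep it, for example `// With Cur == Max the soft limit needs no adjustment, so the regression from issue 4195 is not exercised.` (this rationale is presumed from the issue references in the commit message and should be confirmed against the linked discussion). The assertion on the value printed by `ulimit -n` lies outside the hunk, so whether it also checks the hard limit cannot be seen from here.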
@@ -0,0 +1,88 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+ # Do not change the Cur value to be equal to the Max value
+ # Because in some environments, the soft and hard nofile limit have the same value.
+ [ $EUID -eq 0 ] && prlimit --nofile=1024:65536 -p $$
+ setup_busybox
+}
+
+function teardown() {
+ teardown_bundle
+}
+
+# Set and check rlimit_nofile for runc run. Arguments are:
+# $1: soft limit;
+# $2: hard limit.
+function run_check_nofile() {
+ soft="$1"
+ hard="$2"
+ update_config ".process.rlimits = [{\"type\": \"RLIMIT_NOFILE\", \"soft\": ${soft}, \"hard\": ${hard}}]"
+ update_config '.process.args = ["/bin/sh", "-c", "ulimit -n; ulimit -H -n"]'
+
+ runc run test_rlimit
+ [ "$status" -eq 0 ]
+ [[ "${lines[0]}" == "${soft}" ]]
+ [[ "${lines[1]}" == "${hard}" ]]
+}
+
+# Set and check rlimit_nofile for runc exec. Arguments are:
+# $1: soft limit;
+# $2: hard limit.
+function exec_check_nofile() {
+ soft="$1"
+ hard="$2"
+ update_config ".process.rlimits = [{\"type\": \"RLIMIT_NOFILE\", \"soft\": ${soft}, \"hard\": ${hard}}]"
+
+ runc run -d --console-socket "$CONSOLE_SOCKET" test_rlimit
+ [ "$status" -eq 0 ]
+
+ runc exec test_rlimit /bin/sh -c "ulimit -n; ulimit -H -n"
+ [ "$status" -eq 0 ]
+ [[ "${lines[0]}" == "${soft}" ]]
+ [[ "${lines[1]}" == "${hard}" ]]
+}
+
+@test "runc run with RLIMIT_NOFILE(The same as system's hard value)" {
+ hard=$(ulimit -n -H)
+ soft="$hard"
+ run_check_nofile "$soft" "$hard"
+}
+
+@test "runc run with RLIMIT_NOFILE(Bigger than system's hard value)" {
+ requires root
+ limit=$(ulimit -n -H)
+ soft=$((limit + 1))
+ hard=$soft
+ run_check_nofile "$soft" "$hard"
+}
+
+@test "runc run with RLIMIT_NOFILE(Smaller than system's hard value)" {
+ limit=$(ulimit -n -H)
+ soft=$((limit - 1))
+ hard=$soft
+ run_check_nofile "$soft" "$hard"
+}
+
+@test "runc exec with RLIMIT_NOFILE(The same as system's hard value)" {
+ hard=$(ulimit -n -H)
+ soft="$hard"
+ exec_check_nofile "$soft" "$hard"
+}
+
+@test "runc exec with RLIMIT_NOFILE(Bigger than system's hard value)" {
+ requires root
+ limit=$(ulimit -n -H)
+ soft=$((limit + 1))
+ hard=$soft
+ exec_check_nofile "$soft" "$hard"
+}
+
+@test "runc exec with RLIMIT_NOFILE(Smaller than system's hard value)" {
+ limit=$(ulimit -n -H)
+ soft=$((limit - 1))
+ hard=$soft
+ exec_check_nofile "$soft" "$hard"
+}
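Review bot: The precondition that setup() documents (soft limit different from hard) is enforced only when `$EUID` is 0, so in a rootless run the four tests without `requires root` execute with whatever limits the environment provides, possibly the soft == hard case the comment warns about. In that situation the tests can pass without exercising the path they were added to cover. Lowering the soft limit needs no privilege, so a fallback such as `[ "$EUID" -eq 0 ] || ulimit -S -n 512` may close the gap (this assumes the inherited hard limit is above 512 and that setup shares a shell with the test body), or the test could `skip` when `ulimit -S -n` equals `ulimit -H -n`. Separately, `soft` and `hard` in run_check_nofile and exec_check_nofile are assigned as globals; `local soft="$1" hard="$2"` would keep them from leaking between the helpers and the test bodies.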