libcontainer:clean cached rlimit nofile in go runtime
As reported in issue opencontainers#4195, the new version of the Go runtime
caches rlimit-nofile. Before exec is executed, the rlimit-nofile
of the process is restored from that cache. In runc, this
causes the rlimit-nofile set by the parent process for the container
to become ineffective. This can be solved by clearing the cache.

Signed-off-by: ls-ggg <[email protected]>
(cherry picked from commit f9f8abf)
Signed-off-by: lifubang <[email protected]>
ls-ggg authored and lifubang committed May 5, 2024
1 parent 163100f commit f820328
Showing 4 changed files with 42 additions and 5 deletions.
9 changes: 9 additions & 0 deletions libcontainer/init_linux.go
@@ -649,6 +649,15 @@ func setupRoute(config *configs.Config) error {
return nil
}

func containsRlimit(limits []configs.Rlimit, resource int) bool {
for _, rlimit := range limits {
if rlimit.Type == resource {
return true
}
}
return false
}

func setupRlimits(limits []configs.Rlimit, pid int) error {
for _, rlimit := range limits {
if err := unix.Prlimit(pid, rlimit.Type, &unix.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}, nil); err != nil {
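Review bot: `containsRlimit` is added without a doc comment, and nothing at the definition says why the presence of an entry matters; going by the call sites in setns_init_linux.go and standard_init_linux.go, it decides whether the Go runtime's cached RLIMIT_NOFILE is cleared. I would add `// containsRlimit reports whether limits has an entry whose Type equals resource (for example unix.RLIMIT_NOFILE).` above it. When the config carries no RLIMIT_NOFILE entry the cache is left in place, which looks intentional; a short remark at one of the call sites would make that explicit. `setupRlimits` continues past the end of this hunk.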
7 changes: 7 additions & 0 deletions libcontainer/setns_init_linux.go
@@ -49,6 +49,13 @@ func (l *linuxSetnsInit) Init() error {
}
}
}

// Set RLIMIT_NOFILE again to clean the cache in go runtime
// The problem originates from https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821
if containsRlimit(l.config.Rlimits, unix.RLIMIT_NOFILE) {
system.ClearRlimitNofileCache()
}

if l.config.CreateConsole {
if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
return err
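Review bot: The added comment says "Set RLIMIT_NOFILE again", but the code below it makes no setrlimit call; it calls `system.ClearRlimitNofileCache()`, which in the linux.go section of this commit only stores nil into the cached pointer. The same comment is repeated in the `Init` hunk of standard_init_linux.go. I would reword both to `// Clear the Go runtime's cached RLIMIT_NOFILE so the limit applied from the config is not replaced by the cached value at exec.` The clear only helps if it runs after the limit has been applied to this process and before the exec; that ordering cannot be confirmed from this hunk, because `Init` starts and ends outside it.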
15 changes: 10 additions & 5 deletions libcontainer/standard_init_linux.go
@@ -6,17 +6,16 @@ import (
"os"
"os/exec"

"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"

"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/keys"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runc/libcontainer/system"
"github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)

type linuxStandardInit struct {
@@ -77,6 +76,12 @@ func (l *linuxStandardInit) Init() error {
}
}

// Set RLIMIT_NOFILE again to clean the cache in go runtime
// The problem originates from https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821
if containsRlimit(l.config.Rlimits, unix.RLIMIT_NOFILE) {
system.ClearRlimitNofileCache()
}

if err := setupNetwork(l.config); err != nil {
return err
}
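Review bot: The import hunk of this file merges the third-party imports (`runtime-spec`, `go-selinux`, `logrus`, `x/sys/unix`) into the same group as the `runc/libcontainer/...` packages and drops the blank line that separated them, which has nothing to do with the rlimit fix. No import is added or removed there, so the regrouping is pure churn on a cherry-picked commit, and it is inconsistent with libcontainer/system/linux.go in this same commit, which keeps a blank line between its import groups. I would revert that hunk so the backport carries only the `Init` change.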
16 changes: 16 additions & 0 deletions libcontainer/system/linux.go
@@ -9,13 +9,29 @@ import (
"os"
"os/exec"
"strconv"
"sync/atomic"
"syscall"
"unsafe"

"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)

//go:linkname syscall_origRlimitNofile syscall.origRlimitNofile

// As reported in issue #4195, the new version of go runtime will
// cache rlimit-nofile. before executing exec, the rlimit-nofile
// of the process will be restored with the cache. in runc, this will
// cause the rlimit-nofile set by the parent process for the container
// to become invalid. this can be solved by clearing the cache. But
// unfortunatelly, gostdlib doesn't privede such method, so we need to
// link to the private var origRlimitNofile in package syscall
var syscall_origRlimitNofile atomic.Pointer[syscall.Rlimit]

func ClearRlimitNofileCache() {
syscall_origRlimitNofile.Store(nil)
}

type ParentDeathSignal int

func (p ParentDeathSignal) Restore() error {
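Review bot: `ClearRlimitNofileCache` works only while the Go toolchain keeps a private variable `syscall.origRlimitNofile` of type `atomic.Pointer[syscall.Rlimit]`, and none of the four changed files is a test that checks the container process ends up with the configured limit. RLIMIT_NOFILE is a resource bound on the container workload, so a toolchain change to that variable would presumably surface either as a build or link failure or as a limit that is quietly not applied. An integration test that starts a container with an RLIMIT_NOFILE entry and reads the limit back inside it would catch the second case. The exported function has no doc comment and the `//go:linkname` directive sits apart from the variable it binds; I would move the directive directly above `var syscall_origRlimitNofile` and add `// ClearRlimitNofileCache drops the Go runtime's cached RLIMIT_NOFILE so that it is not restored before exec.` The explanatory comment also has two typos, "unfortunatelly" and "privede".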
