From 0a69aefa41d55d2aa30333d6a4ce76b178d1ed5b Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 12 Nov 2024 16:44:33 +0100
Subject: [PATCH] spec: clamp rlimits in a userns

commit 5ebba75dbd4462da47283b3f018804b7361d52bf implemented this behaviour for rootless users, but the same limitation exists for any user in a user namespace. Change the check to use the clamp to the current values anytime podman runs in a user namespace.

Closes: https://github.com/containers/podman/issues/24508

Signed-off-by: Giuseppe Scrivano
---
 libpod/container_internal_common.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 3000aeafdf..a31c7f66e8 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -662,7 +662,6 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 // setup rlimits
 nofileSet := false
 nprocSet := false
- isRootless := rootless.IsRootless()
 isRunningInUserNs := unshare.IsRootless()
 if isRunningInUserNs && g.Config.Process != nil && g.Config.Process.OOMScoreAdj != nil {
 var err error
@@ -682,7 +681,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 if !nofileSet {
 max := rlimT(define.RLimitDefaultValue)
 current := rlimT(define.RLimitDefaultValue)
- if isRootless {
+ if isRunningInUserNs {
 var rlimit unix.Rlimit
 if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
 logrus.Warnf("Failed to return RLIMIT_NOFILE ulimit %q", err)
@@ -699,7 +698,7 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 if !nprocSet {
 max := rlimT(define.RLimitDefaultValue)
 current := rlimT(define.RLimitDefaultValue)
- if isRootless {
+ if isRunningInUserNs {
 var rlimit unix.Rlimit
 if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
 logrus.Warnf("Failed to return RLIMIT_NPROC ulimit %q", err)
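Review bot: The context line `isRunningInUserNs := unshare.IsRootless()` now carries the whole decision this commit moves off `rootless.IsRootless()`, and nothing in the hunk records that two near-identically named functions differ, so the next reader will assume they are interchangeable. Per the variable name and the commit message, the distinction is that `unshare.IsRootless()` is true whenever podman runs inside a user namespace, not only for a non-root UID; I would add above the assignment: `// unshare.IsRootless() (unlike rootless.IsRootless()) is true whenever podman runs inside a user namespace, not only for a non-root UID; the rlimit clamps below depend on that.`. Whether `rootless` is still referenced elsewhere in this file after the removed line is not visible here; if it is not, its import is now unused and the file will not build. generateSpec starts before and continues after the hunk.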
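Review bot: The new `if isRunningInUserNs {` guard in front of the RLIMIT_NOFILE clamp has no comment saying why a user namespace forces the clamp, which is the one thing a reader needs to know before loosening it again. As I understand the limitation the commit message refers to, rlimits are not namespaced, so a process inside a user namespace cannot raise a hard limit past the one it inherited, and a default of `define.RLimitDefaultValue` above that would be rejected when the runtime applies it; I would add above the guard: `// rlimits are not namespaced: inside a user namespace the hard limit cannot be raised past the inherited one, so clamp the default to the current values instead of letting the runtime's setrlimit fail.`. What the code does after the `logrus.Warnf` when Getrlimit fails (presumably keeping the unclamped default) is outside the hunk, as is the rest of generateSpec.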