podman: do not set rlimits to the default value

since the effect would be to lower the rlimits when their definition is higher than the default value. The test doesn't fail on the previous version, unless the system is configured with a nofile ulimit higher than the default value. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2317721 Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Oct 11, 2024 · 71d5ee0 · 71d5ee0
1 parent 5ebba75
commit 71d5ee0
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 11 deletions.
diff --git a/cmd/podman/early_init_linux.go b/cmd/podman/early_init_linux.go
@@ -4,22 +4,16 @@ import (
 	"fmt"
 	"os"
 	"syscall"
-
-	"github.com/containers/podman/v5/libpod/define"
 )
 
 func setRLimits() error {
 	rlimits := new(syscall.Rlimit)
-	rlimits.Cur = define.RLimitDefaultValue
-	rlimits.Max = define.RLimitDefaultValue
+	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+		return fmt.Errorf("getting rlimits: %w", err)
+	}
+	rlimits.Cur = rlimits.Max
 	if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
-		if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
-			return fmt.Errorf("getting rlimits: %w", err)
-		}
-		rlimits.Cur = rlimits.Max
-		if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
-			return fmt.Errorf("setting new rlimits: %w", err)
-		}
+		return fmt.Errorf("setting new rlimits: %w", err)
 	}
 	return nil
 }

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
@@ -1303,6 +1303,58 @@ EOF
     is "$output" "Error: ulimit option \"core=-1:1000\" requires name=SOFT:HARD, failed to be parsed: ulimit soft limit must be less than or equal to hard limit: soft: -1 (unlimited), hard: 1000"
 }
 
+# bats test_tags=ci:parallel
+@test "podman run - can use maximum ulimit value" {
+    skip_if_remote "cannot check local ulimits with podman remote"
+    run ulimit -n -H
+    max=$output
+    run_podman run --rm --ulimit=nofile=$max:$max $IMAGE sh -c 'ulimit -n -H'
+    is "$output" "$max" "wrong ulimit value"
+
+    run_podman run --rm $IMAGE sh -c 'ulimit -n -H'
+    default_value=$output
+
+    # Set the current ulimit smaller than the default value
+    ulimit -n -H $((default_value - 1))
+
+    run_podman run --rm $IMAGE sh -c 'ulimit -n -H'
+
+    if is_rootless; then
+        # verify that the value was clamped to the maximum allowed
+        is "$output" "$(ulimit -n -H)" "wrong ulimit value"
+    else
+        # when running as root check that the current environment does not affect
+        # the ulimit set inside the container.
+        is "$output" "$default_value" "wrong ulimit value"
+    fi
+}
+
+# bats test_tags=ci:parallel
+@test "podman run - ulimits have the correct default values" {
+    expected_nofile=1048576
+    expected_nproc=1048576
+
+    # clamp the expected values in rootless mode when they are
+    # greater than the current limits.
+    if is_rootless; then
+        nofile=$(ulimit -n -H)
+        if [[ $nofile -lt $expected_nofile ]]; then
+            expected_nofile=$nofile
+        fi
+        nproc=$(ulimit -u -H)
+        if [[ $nproc -lt $expected_nproc ]]; then
+            expected_nproc=$nproc
+        fi
+    fi
+
+    # validate that nofile and nproc are both set to the correct value
+    run_podman run --rm $IMAGE sh -c 'ulimit -n -H'
+    is "$output" "$expected_nofile" "wrong ulimit -n default value"
+
+    run_podman run --rm $IMAGE sh -c 'ulimit -u -H'
+    is "$output" "$expected_nproc" "wrong ulimit -u default value"
+}
+
 # bats test_tags=ci:parallel
 @test "podman run bad --name" {
     randomname=c_$(safename)