podman: do not set rlimits to the default value

since the effect would be to lower the rlimits when their definition is higher than the default value. The test doesn't fail on the previous version, unless the system is configured with a nofile ulimit higher than the default value. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2317721 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
containers · Oct 10, 2024 · 88afdbb · 88afdbb
1 parent 0b3d889
commit 88afdbb
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 11 deletions.
diff --git a/cmd/podman/early_init_linux.go b/cmd/podman/early_init_linux.go
@@ -4,22 +4,16 @@ import (
 	"fmt"
 	"os"
 	"syscall"
-
-	"github.com/containers/podman/v5/libpod/define"
 )
 
 func setRLimits() error {
 	rlimits := new(syscall.Rlimit)
-	rlimits.Cur = define.RLimitDefaultValue
-	rlimits.Max = define.RLimitDefaultValue
+	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+		return fmt.Errorf("getting rlimits: %w", err)
+	}
+	rlimits.Cur = rlimits.Max
 	if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
-		if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
-			return fmt.Errorf("getting rlimits: %w", err)
-		}
-		rlimits.Cur = rlimits.Max
-		if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
-			return fmt.Errorf("setting new rlimits: %w", err)
-		}
+		return fmt.Errorf("setting new rlimits: %w", err)
 	}
 	return nil
 }

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
@@ -1303,6 +1303,32 @@ EOF
     is "$output" "Error: ulimit option \"core=-1:1000\" requires name=SOFT:HARD, failed to be parsed: ulimit soft limit must be less than or equal to hard limit: soft: -1 (unlimited), hard: 1000"
 }
 
+# bats test_tags=ci:parallel
+@test "podman run - can use maximum ulimit value" {
+    skip_if_remote "cannot check local ulimits with podman remote"
+    run ulimit -n -H
+    max=$output
+    run_podman run --rm --ulimit=nofile=$max:$max $IMAGE sh -c 'ulimit -n -H'
+    is "$output" "$max" "wrong ulimit value"
+
+    run_podman run --rm $IMAGE sh -c 'ulimit -n -H'
+    default_value=$output
+
+    # Set the current ulimit smaller than the default value
+    ulimit -n -H $((default_value - 1))
+
+    run_podman run --rm $IMAGE sh -c 'ulimit -n -H'
+
+    if is_rootless; then
+        # verify that the value was clamped to the maximum allowed
+        is "$output" "$(ulimit -n -H)" "wrong ulimit value"
+    else
+        # when running as root check that the current environment does not affect
+        # the ulimit set inside the container.
+        is "$output" "$default_value" "wrong ulimit value"
+    fi
+}
+
 # bats test_tags=ci:parallel
 @test "podman run bad --name" {
     randomname=c_$(safename)