'--ulimit host' permits more open files in the container #17681
Labels
kind/bug
Categorizes issue or PR as related to a bug.
locked - please file new issue/PR
Assist humans wanting to comment on an old issue or PR with locked comments.
Comments
|
this is caused by: https://github.com/containers/podman/blob/main/cmd/podman/early_init_linux.go#L19 we raise the soft limit to not hit the limit in Podman itself. Is it causing any issue? |
|
Thanks for tracking that down, @giuseppe ! No, I am not aware of any problems caused by it at the moment. I noticed it in passing when debugging something else, and decided to file an issue just in case this wasn't intentional. Feel free to close this issue, if you want to. :) |
|
Recently, @bilelmoussaoui ran into problems with the higher number of permitted file descriptors (ie., |
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jun 30, 2023
Note that the soft limit for the number of open file descriptors cannot be tested at the moment because Podman sets the Toolbx container to have a value higher than the host's [1]. [1] containers/podman#17681 containers#213
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jun 30, 2023
Note that the soft limit for the maximum number of open file descriptors cannot be tested at the moment because Podman sets the Toolbx container to have a value higher than the host's [1]. [1] containers/podman#17681 containers#213
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jul 1, 2023
Note that the soft limit for the maximum number of open file descriptors cannot be tested at the moment because Podman sets the Toolbx container to have a value higher than the host's [1]. [1] containers/podman#17681 containers#213
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jul 1, 2023
Note that the soft limit for the maximum number of open file descriptors cannot be tested at the moment because Podman sets the Toolbx container to have a value higher than the host's [1]. [1] containers/podman#17681 containers#213
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jul 1, 2023
Podman sets the Toolbx container's soft limit for the maximum number of open file descriptors to the host's hard limit, which is often greater than the host's soft limit. [1] containers/podman#17681 containers#213
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jul 1, 2023
Podman sets the Toolbx container's soft limit for the maximum number of open file descriptors to the host's hard limit, which is often greater than the host's soft limit [1]. [1] containers/podman#17681 containers#213
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jul 4, 2023
The following caveats must be noted:
* Podman sets the Toolbx container's soft limit for the maximum number
of open file descriptors to the host's hard limit, which is often
greater than the host's soft limit [1].
* The ulimit(1) options -b, -k, P and -T don't work on Fedora 38
because the corresponding resource arguments for getrlimit(2) are
absent from the operating system. These are RLIMIT_SBSIZE,
RLIMIT_KQUEUES, RLIMIT_NPTS and RLIMIT_PTHREAD respectively.
[1] containers/podman#17681
containers#213
debarshiray
added a commit
to debarshiray/toolbox
that referenced
this issue
Jul 4, 2023
The following caveats must be noted:
* Podman sets the Toolbx container's soft limit for the maximum number
of open file descriptors to the host's hard limit, which is often
greater than the host's soft limit [1].
* The ulimit(1) options -P, -T, -b, and -k don't work on Fedora 38
because the corresponding resource arguments for getrlimit(2) are
absent from the operating system. These are RLIMIT_NPTS,
RLIMIT_PTHREAD, RLIMIT_SBSIZE and RLIMIT_KQUEUES respectively.
[1] containers/podman#17681
containers#213
github-actions
bot
added
the
locked - please file new issue/PR
debarshiray
added a commit
to debarshiray/podman
that referenced
this issue
Oct 11, 2024
Starting from commit 9126b45 ("Up default Podman rlimits to avoid max open files"), Podman started bumping its soft limit for the maximum number of open file descriptors (RLIMIT_NOFILE or ulimit -n) to permit exposing a large number of ports to a container. This was later fine-tuned in commit a2c1a2d ("podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE"). Unfortunately, this also increases the limits for 'podman exec' sessions running in containers created with: $ podman create --network host --ulimit host ... This is what Toolbx uses to provide a containerized interactive command line environment for software development and troubleshooting the host operating system. It confuses developers and system administrators debugging a process that's leaking file descriptors and crashing on the host OS. The crashes either don't reproduce inside the container or they take a lot longer to reproduce, both of which are frustrating. Therefore, it will be good to retain the limits, at least for this specific scenario. It turns out that since this code was written, the Go runtime has had two interesting changes. Starting from Go 1.19 [1], the Go runtime bumps the soft limit for RLIMIT_NOFILE for all Go programs [2]. This means that there's no longer any need for Podman to bump it's own limits, because it switched from requiring Go 1.18 to 1.20 in commit 4dd58f2 ("Move golang requirement from 1.18 to 1.20"). It's probably good to still log the detected limits, in case Go's behaviour changes. Not everybody was happy with this [3], because the higher limits got propagated to child processes spawned by Go programs. Among other things, this can break old programs using select(2) [4]. So, Go's behaviour was fine-tuned to restore the original soft limit for RLIMIT_NOFILE when forking a child process [5]. With these two changes in Go, which Podman already uses, if the bumping of RLIMIT_NOFILE is left to the Go runtime, then the limits are no longer increased for 'podman exec' sesssions. Otherwise, if Podman continues to bump the soft limit for RLIMIT_NOFILE on its own, then it prevents the Go runtime from restoring the original limits when forking, and leads to the higher limits in 'podman exec' sessions. Note that this doesn't impact the resource limits for the container's entry point, and 'podman exec' sessions continue to respect any limits that were explicitly set with the --ulimit option. Arguably, users deploying server-side applications in Podman containers predominantly use the entry point through 'podman run', and they can continue unimpacted, and Toolbx users can keep using 'podman exec' without any surprises. The existing 'podman run --ulimit host ... ulimit -Hn' test in test/e2e/run_test.go was extended to also check the soft limit. The similar test for 'podman exec' was moved from test/e2e/toolbox_test.go to test/e2e/exec_test.go for consistency and because there's nothing Toolbx specific about it. The test was similarly extended, and updated to be more idiomatic. Note that the Alpine Linux image doesn't have a standalone binary for 'ulimit' and it's picky about the order in which the options are listed. The -H or -S must come first, followed by a space, and then the -n. [1] https://go.dev/doc/go1.19#runtime [2] Go commit 8427429c592588af ("os: raise open file rlimit at startup") golang/go@8427429c592588af golang/go#46279 [3] containerd/containerd#8249 [4] http://0pointer.net/blog/file-descriptor-limits.html [5] Go commit f5eef58e4381259c ("syscall: restore original NOFILE ...") golang/go@f5eef58e4381259c golang/go#46279 Fixes: containers#17681 Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
debarshiray
added a commit
to debarshiray/podman
that referenced
this issue
Oct 11, 2024
Starting from commit 9126b45 ("Up default Podman rlimits to avoid max open files"), Podman started bumping its soft limit for the maximum number of open file descriptors (RLIMIT_NOFILE or ulimit -n) to permit exposing a large number of ports to a container. This was later fine-tuned in commit a2c1a2d ("podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE"). Unfortunately, this also increases the limits for 'podman exec' sessions running in containers created with: $ podman create --network host --ulimit host ... This is what Toolbx uses to provide a containerized interactive command line environment for software development and troubleshooting the host operating system. It confuses developers and system administrators debugging a process that's leaking file descriptors and crashing on the host OS. The crashes either don't reproduce inside the container or they take a lot longer to reproduce, both of which are frustrating. Therefore, it will be good to retain the limits, at least for this specific scenario. It turns out that since this code was written, the Go runtime has had two interesting changes. Starting from Go 1.19 [1], the Go runtime bumps the soft limit for RLIMIT_NOFILE for all Go programs [2]. This means that there's no longer any need for Podman to bump it's own limits, because it switched from requiring Go 1.18 to 1.20 in commit 4dd58f2 ("Move golang requirement from 1.18 to 1.20"). It's probably good to still log the detected limits, in case Go's behaviour changes. Not everybody was happy with this [3], because the higher limits got propagated to child processes spawned by Go programs. Among other things, this can break old programs using select(2) [4]. So, Go's behaviour was fine-tuned to restore the original soft limit for RLIMIT_NOFILE when forking a child process [5]. With these two changes in Go, which Podman already uses, if the bumping of RLIMIT_NOFILE is left to the Go runtime, then the limits are no longer increased for 'podman exec' sessions. Otherwise, if Podman continues to bump the soft limit for RLIMIT_NOFILE on its own, then it prevents the Go runtime from restoring the original limits when forking, and leads to the higher limits in 'podman exec' sessions. Note that this doesn't impact the resource limits for the container's entry point, and 'podman exec' sessions continue to respect any limits that were explicitly set with the --ulimit option. Arguably, users deploying server-side applications in Podman containers predominantly use the entry point through 'podman run', and they can continue unimpacted, and Toolbx users can keep using 'podman exec' without any surprises. The existing 'podman run --ulimit host ... ulimit -Hn' test in test/e2e/run_test.go was extended to also check the soft limit. The similar test for 'podman exec' was moved from test/e2e/toolbox_test.go to test/e2e/exec_test.go for consistency and because there's nothing Toolbx specific about it. The test was similarly extended, and updated to be more idiomatic. Note that the Alpine Linux image doesn't have a standalone binary for 'ulimit' and it's picky about the order in which the options are listed. The -H or -S must come first, followed by a space, and then the -n. [1] https://go.dev/doc/go1.19#runtime [2] Go commit 8427429c592588af ("os: raise open file rlimit at startup") golang/go@8427429c592588af golang/go#46279 [3] containerd/containerd#8249 [4] http://0pointer.net/blog/file-descriptor-limits.html [5] Go commit f5eef58e4381259c ("syscall: restore original NOFILE ...") golang/go@f5eef58e4381259c golang/go#46279 Fixes: containers#17681 Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
debarshiray
added a commit
to debarshiray/podman
that referenced
this issue
Oct 11, 2024
Starting from commit 9126b45 ("Up default Podman rlimits to avoid max open files"), Podman started bumping its soft limit for the maximum number of open file descriptors (RLIMIT_NOFILE or ulimit -n) to permit exposing a large number of ports to a container. This was later fine-tuned in commit a2c1a2d ("podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE"). Unfortunately, this also increases the limits for 'podman exec' sessions running in containers created with: $ podman create --network host --ulimit host ... This is what Toolbx uses to provide a containerized interactive command line environment for software development and troubleshooting the host operating system. It confuses developers and system administrators debugging a process that's leaking file descriptors and crashing on the host OS. The crashes either don't reproduce inside the container or they take a lot longer to reproduce, both of which are frustrating. Therefore, it will be good to retain the limits, at least for this specific scenario. It turns out that since this code was written, the Go runtime has had two interesting changes. Starting from Go 1.19 [1], the Go runtime bumps the soft limit for RLIMIT_NOFILE for all Go programs [2]. This means that there's no longer any need for Podman to bump it's own limits, because it switched from requiring Go 1.18 to 1.20 in commit 4dd58f2 ("Move golang requirement from 1.18 to 1.20"). It's probably good to still log the detected limits, in case Go's behaviour changes. Not everybody was happy with this [3], because the higher limits got propagated to child processes spawned by Go programs. Among other things, this can break old programs using select(2) [4]. So, Go's behaviour was fine-tuned to restore the original soft limit for RLIMIT_NOFILE when forking a child process [5]. With these two changes in Go, which Podman already uses, if the bumping of RLIMIT_NOFILE is left to the Go runtime, then the limits are no longer increased for 'podman exec' sessions. Otherwise, if Podman continues to bump the soft limit for RLIMIT_NOFILE on its own, then it prevents the Go runtime from restoring the original limits when forking, and leads to the higher limits in 'podman exec' sessions. Note that this doesn't impact the resource limits for the container's entry point, and 'podman exec' sessions continue to respect any limits that were explicitly set with the --ulimit option. Arguably, users deploying server-side applications in Podman containers predominantly use the entry point through 'podman run', and they can continue unimpacted, and Toolbx users can keep using 'podman exec' without any surprises. The existing 'podman run --ulimit host ... ulimit -Hn' test in test/e2e/run_test.go was extended to also check the soft limit. The similar test for 'podman exec' was moved from test/e2e/toolbox_test.go to test/e2e/exec_test.go for consistency and because there's nothing Toolbx specific about it. The test was similarly extended, and updated to be more idiomatic. Note that the Alpine Linux image doesn't have a standalone binary for 'ulimit' and it's picky about the order in which the options are listed. The -H or -S must come first, followed by a space, and then the -n. [1] https://go.dev/doc/go1.19#runtime [2] Go commit 8427429c592588af ("os: raise open file rlimit at startup") golang/go@8427429c592588af golang/go#46279 [3] containerd/containerd#8249 [4] http://0pointer.net/blog/file-descriptor-limits.html [5] Go commit f5eef58e4381259c ("syscall: restore original NOFILE ...") golang/go@f5eef58e4381259c golang/go#46279 Fixes: containers#17681 Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
debarshiray
added a commit
to debarshiray/podman
that referenced
this issue
Oct 14, 2024
Starting from commit 9126b45 ("Up default Podman rlimits to avoid max open files"), Podman started bumping its soft limit for the maximum number of open file descriptors (RLIMIT_NOFILE or ulimit -n) to permit exposing a large number of ports to a container. This was later fine-tuned in commit a2c1a2d ("podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE"). Unfortunately, this also increases the limits for 'podman exec' sessions running in containers created with: $ podman create --network host --ulimit host ... This is what Toolbx uses to provide a containerized interactive command line environment for software development and troubleshooting the host operating system. It confuses developers and system administrators debugging a process that's leaking file descriptors and crashing on the host OS. The crashes either don't reproduce inside the container or they take a lot longer to reproduce, both of which are frustrating. Therefore, it will be good to retain the limits, at least for this specific scenario. It turns out that since this code was written, the Go runtime has had two interesting changes. Starting from Go 1.19 [1], the Go runtime bumps the soft limit for RLIMIT_NOFILE for all Go programs [2]. This means that there's no longer any need for Podman to bump it's own limits, because it switched from requiring Go 1.18 to 1.20 in commit 4dd58f2 ("Move golang requirement from 1.18 to 1.20"). It's probably good to still log the detected limits, in case Go's behaviour changes. Not everybody was happy with this [3], because the higher limits got propagated to child processes spawned by Go programs. Among other things, this can break old programs using select(2) [4]. So, Go's behaviour was fine-tuned to restore the original soft limit for RLIMIT_NOFILE when forking a child process [5]. With these two changes in Go, which Podman already uses, if the bumping of RLIMIT_NOFILE is left to the Go runtime, then the limits are no longer increased for 'podman exec' sessions. Otherwise, if Podman continues to bump the soft limit for RLIMIT_NOFILE on its own, then it prevents the Go runtime from restoring the original limits when forking, and leads to the higher limits in 'podman exec' sessions. The existing 'podman run --ulimit host ... ulimit -Hn' test in test/e2e/run_test.go was extended to also check the soft limit. The similar test for 'podman exec' was moved from test/e2e/toolbox_test.go to test/e2e/exec_test.go for consistency and because there's nothing Toolbx specific about it. The test was similarly extended, and updated to be more idiomatic. Due to the behaviour of the Go runtime noted above, and since the tests are written in Go, the current or soft limit for RLIMIT_NOFILE returned by syscall.Getrlimit() is the same as the hard limit. The Alpine Linux image doesn't have a standalone binary for 'ulimit' and it's picky about the order in which the options are listed. The -H or -S must come first, followed by a space, and then the -n. [1] https://go.dev/doc/go1.19#runtime [2] Go commit 8427429c592588af ("os: raise open file rlimit at startup") golang/go@8427429c592588af golang/go#46279 [3] containerd/containerd#8249 [4] http://0pointer.net/blog/file-descriptor-limits.html [5] Go commit f5eef58e4381259c ("syscall: restore original NOFILE ...") golang/go@f5eef58e4381259c golang/go#46279 Fixes: containers#17681 Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Issue Description
Compare:
Or:
... and:
Is this expected?
Steps to reproduce the issue
Steps to reproduce the issue
Describe the results you received
ulimit -nhas a higher value inside the container than on the host.Describe the results you expected
I expected
ulimit -nto have the same value inside the container and on the host.podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Fedora 36 Workstation
Additional information
No response
The text was updated successfully, but these errors were encountered: