pull: error setting new rlimits: operation not permitted #2123
Comments
openshift-ci-robot
added
the
kind/bug
|
Are these numbers too large? Is there a kernel field, we can check to see what the root max is? |
|
or maybe we need CAP_SYS_RESOURCE capability to perform this task; however I'm confused because we ran the process which run podman pull with sudo. |
|
Does the number need to be less then pids_max. |
|
On fresh centos: 32768 So since the value is already set, I wonder why it fails during the pull. |
|
Weird. We could check if the limits are >= 1048576 and only set it in that case. |
|
@giuseppe Any ideas? |
|
EPERM for setrlimit is defined as: The most likely one here seems to be CAP_SYS_RESOURCE, given that we are successfully setting this value at other points (so it's not above NR_OPEN). |
|
Can we easily determine if Podman has CAP_SYS_RESOURCE? |
|
should we just ignore the error? In most cases we don't need so many open files |
|
I'd do something like: diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 43804ee3..0a9e2c43 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -148,17 +148,17 @@ func main() {
logrus.SetLevel(level)
}
- // Only if not rootless, set rlimits for open files.
- // We open numerous FDs for ports opened
- if !rootless.IsRootless() {
- rlimits := new(syscall.Rlimit)
- rlimits.Cur = 1048576
- rlimits.Max = 1048576
+ rlimits := new(syscall.Rlimit)
+ rlimits.Cur = 1048576
+ rlimits.Max = 1048576
+ if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
+ return errors.Wrapf(err, "error getting rlimits")
+ }
+ rlimits.Cur = rlimits.Max
if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, rlimits); err != nil {
return errors.Wrapf(err, "error setting new rlimits")
}
- } else {
- logrus.Info("running as rootless")
}if you are fine with this approach, I can open a PR |
|
I'd rather just make the Setrlimit error |
We might want to keep |
If we are not able to make arbitrary changes to the RLIMIT_NOFILE when lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum allowed. In this way the same code path works with rootless mode. Closes: containers#2123 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
no, it will work with rootless mode as well, an unprivileged process can still bump its rlimits to max. Opened a PR here: #2126 |
If we are not able to make arbitrary changes to the RLIMIT_NOFILE when lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum allowed. In this way the same code path works with rootless mode. Closes: containers#2123 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Im fine with this, although add some logging about what happened. At least at the Warn level. |
added the logging |
github-actions
bot
added
the
locked - please file new issue/PR
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Podman fails to pull an image from a local docker-distribution registry (in non-rootless environment).
Steps to reproduce the issue:
Deploy a docker-distribution registry and pull docker.io/tripleomaster/centos-binary-haproxy:current-tripleo.
Now try to pull the container from the registry to local with podman:
podman pull --tls-verify=false 192.168.24.1:8787/tripleomaster/centos-binary-haproxy:current-tripleoDescribe the results you received:
Pull fails with
error setting new rlimits: operation not permittederror.Logs:
http://logs.openstack.org/19/616019/23/check/tripleo-ci-centos-7-containers-multinode/5ad3bd8/logs/undercloud/home/zuul/overcloud_deploy.log.txt.gz#_2019-01-08_21_46_18
Describe the results you expected:
Pull should work, as it does fine with docker pull.
Additional information you deem important (e.g. issue happens only occasionally):
Output of
podman version:Output of
podman info:Additional environment details (AWS, VirtualBox, physical, etc.):
http://logs.openstack.org/19/616019/23/check/tripleo-ci-centos-7-containers-multinode/5ad3bd8/logs/undercloud/var/log/extra/podman/podman_allinfo.log.txt.gz
The text was updated successfully, but these errors were encountered: