libcontainer:clean cached rlimit nofile in go runtime

ls-ggg · ls-ggg · commit 83eebdf8903b · 2024-04-02T13:09:46.000+08:00
As reported in issue opencontainers#4195, the new version of go runtime will cache rlimit-nofile. before executing exec, the rlimit-nofile of the process will be updated with the cache. in runc, this will cause the rlimit-nofile set by the parent process for the container to become invalid. this can be solved by clearing the cache. Signed-off-by: ls-ggg <335814617@qq.com>
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -49,6 +49,11 @@ func (l *linuxSetnsInit) Init() error {
 			}
 		}
 	}
+
+	if err := utils.CleanRlimitNoFileCache(); err != nil {
+		return err
+	}
+
 	if l.config.CreateConsole {
 		if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
 			return err
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -77,6 +77,10 @@ func (l *linuxStandardInit) Init() error {
 		}
 	}
 
+	if err := utils.CleanRlimitNoFileCache(); err != nil {
+		return err
+	}
+
 	if err := setupNetwork(l.config); err != nil {
 		return err
 	}
diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"syscall"
 	"unsafe"
 
 	"golang.org/x/sys/unix"
@@ -129,3 +130,13 @@ func Annotations(labels []string) (bundle string, userAnnotations map[string]str
 	}
 	return
 }
+
+// Clean the cache of RLIMIT_NOFILE in go runtime
+// https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821#diff-ec665e9789f8cf5cd1828ad7fa9f0ff4ebc1f5b5dd0fc82a296da5c07da7ece6
+func CleanRlimitNoFileCache() error {
+	rlimit := syscall.Rlimit{}
+	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rlimit); err != nil {
+		return err
+	}
+	return syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rlimit)
+}
diff --git a/tests/integration/resources.bats b/tests/integration/resources.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	setup_busybox
+	update_config '.process.args = ["/bin/sh", "-c", "ulimit -n"]'
+}
+
+@test "runc run with RLIMIT_NOFILE" {
+	update_config '.process.capabilities.bounding = ["CAP_RESOURCE"]'
+	update_config '.process.rlimits = [{"type": "RLIMIT_NOFILE", "hard": 10000, "soft": 10000}]'
+
+	runc run test_hello
+	[ "$status" -eq 0 ]
+
+	[[ "${output}" == *"10000"* ]]
+}

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,11 @@ func (l *linuxSetnsInit) Init() error {`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ if err := utils.CleanRlimitNoFileCache(); err != nil {`
	`54`	`+ return err`
	`55`	`+ }`
	`56`	`+`
`52`	`57`	`if l.config.CreateConsole {`
`53`	`58`	`if err := setupConsole(l.consoleSocket, l.config, false); err != nil {`
`54`	`59`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,10 @@ func (l *linuxStandardInit) Init() error {`
`77`	`77`	`}`
`78`	`78`	`}`
`79`	`79`
	`80`	`+ if err := utils.CleanRlimitNoFileCache(); err != nil {`
	`81`	`+ return err`
	`82`	`+ }`
	`83`	`+`
`80`	`84`	`if err := setupNetwork(l.config); err != nil {`
`81`	`85`	`return err`
`82`	`86`	`}`