libcontainer:clean cached rlimit nofile in go runtime

ls-ggg · coolli · commit fa72652d3c3e · 2024-04-18T10:22:26.000+08:00
As reported in issue opencontainers#4195, the new version of go runtime will cache rlimit-nofile. before executing exec, the rlimit-nofile of the process will be updated with the cache. in runc, this will cause the rlimit-nofile set by the parent process for the container to become invalid. this can be solved by clearing the cache. Signed-off-by: ls-ggg <335814617@qq.com>
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -49,6 +49,20 @@ func (l *linuxSetnsInit) Init() error {
 			}
 		}
 	}
+
+	// Set RLIMIT_NOFILE again to refresh the cache in go runtime
+	// The problem originates from https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821
+	for _, rlimit := range l.config.Rlimits {
+		if rlimit.Type == unix.RLIMIT_NOFILE {
+			if err := unix.Setrlimit(rlimit.Type, &unix.Rlimit{
+				Cur: rlimit.Soft,
+				Max: rlimit.Hard,
+			}); err != nil {
+				return fmt.Errorf("failed to re-apply nofile rlimit: %w", err)
+			}
+		}
+	}
+
 	if l.config.CreateConsole {
 		if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
 			return err
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -76,6 +76,18 @@ func (l *linuxStandardInit) Init() error {
 			}
 		}
 	}
+	// Set RLIMIT_NOFILE again to refresh the cache in go runtime
+	// The problem originates from https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821
+	for _, rlimit := range l.config.Rlimits {
+		if rlimit.Type == unix.RLIMIT_NOFILE {
+			if err := unix.Setrlimit(rlimit.Type, &unix.Rlimit{
+				Cur: rlimit.Soft,
+				Max: rlimit.Hard,
+			}); err != nil {
+				return fmt.Errorf("failed to re-apply nofile rlimit: %w", err)
+			}
+		}
+	}
 
 	if err := setupNetwork(l.config); err != nil {
 		return err
diff --git a/tests/integration/resources.bats b/tests/integration/resources.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	setup_busybox
+}
+
+function teardown() {
+	teardown_bundle
+}
+
+@test "runc run with RLIMIT_NOFILE" {
+	update_config '.process.args = ["/bin/sh", "-c", "ulimit -n"]'
+	update_config '.process.capabilities.bounding = ["CAP_SYS_RESOURCE"]'
+	update_config '.process.rlimits = [{"type": "RLIMIT_NOFILE", "hard": 10000, "soft": 10000}]'
+
+	runc run test_hello
+	[ "$status" -eq 0 ]
+
+	[[ "${output}" == "10000" ]]
+}

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,18 @@ func (l *linuxStandardInit) Init() error {`
`76`	`76`	`}`
`77`	`77`	`}`
`78`	`78`	`}`
	`79`	`+ // Set RLIMIT_NOFILE again to refresh the cache in go runtime`
	`80`	`+ // The problem originates from https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821`
	`81`	`+ for _, rlimit := range l.config.Rlimits {`
	`82`	`+ if rlimit.Type == unix.RLIMIT_NOFILE {`
	`83`	`+ if err := unix.Setrlimit(rlimit.Type, &unix.Rlimit{`
	`84`	`+ Cur: rlimit.Soft,`
	`85`	`+ Max: rlimit.Hard,`
	`86`	`+ }); err != nil {`
	`87`	`+ return fmt.Errorf("failed to re-apply nofile rlimit: %w", err)`
	`88`	`+ }`
	`89`	`+ }`
	`90`	`+ }`
`79`	`91`
`80`	`92`	`if err := setupNetwork(l.config); err != nil {`
`81`	`93`	`return err`