libcontainer:clean cached rlimit nofile in go runtime
As reported in issue #4195, newer versions of the Go runtime cache the
RLIMIT_NOFILE value. Before exec, the process's RLIMIT_NOFILE is reset
from that cache. In runc, this makes the RLIMIT_NOFILE that the parent
process set for the container ineffective. This can be solved by
clearing the cache.

Signed-off-by: ls-ggg <[email protected]>
ls-ggg authored and coolli committed Apr 18, 2024
1 parent d0f803e commit 28c5edd
Showing 3 changed files with 50 additions and 0 deletions.
15 changes: 15 additions & 0 deletions libcontainer/setns_init_linux.go
Expand Up @@ -5,6 +5,7 @@ import (
"fmt"
"os"
"os/exec"
"syscall"

"github.com/opencontainers/selinux/go-selinux"
"github.com/sirupsen/logrus"
Expand Down Expand Up @@ -49,6 +50,20 @@ func (l *linuxSetnsInit) Init() error {
}
}
}

// Set RLIMIT_NOFILE again to refresh the cache in go runtime
// The problem originates from https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821
for _, rlimit := range l.config.Rlimits {
if rlimit.Type == unix.RLIMIT_NOFILE {
if err := unix.Setrlimit(rlimit.Type, &unix.Rlimit{
Cur: rlimit.Soft,
Max: rlimit.Hard,
}); err != nil {
return fmt.Errorf("failed to re-apply nofile rlimit: %w", err)
}
}
}

if l.config.CreateConsole {
if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
return err
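Review bot: The `"syscall"` import added to the import block is not used by anything in this hunk — the re-apply loop calls `unix.Setrlimit` with `unix.RLIMIT_NOFILE` and `unix.Rlimit` — so the file no longer compiles, and the same unused import is added in libcontainer/standard_init_linux.go. If the intent was to go through the standard library so that the runtime's cached value is refreshed, the call would be `syscall.Setrlimit(syscall.RLIMIT_NOFILE, &syscall.Rlimit{Cur: rlimit.Soft, Max: rlimit.Hard})`; otherwise the import should be dropped. As far as I recall, recent golang.org/x/sys/unix forwards Setrlimit to syscall.Setrlimit for exactly this reason, but that depends on the vendored x/sys version and is worth confirming, because if the cache is not refreshed the configured limit is still silently replaced at exec and the container runs with the limit inherited by runc init. The loop is duplicated verbatim in both Init methods; a single helper such as `reapplyNofileRlimit(rlimits []configs.Rlimit) error` called from both would keep the two in step. Init begins before and ends after this hunk.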
13 changes: 13 additions & 0 deletions libcontainer/standard_init_linux.go
Expand Up @@ -5,6 +5,7 @@ import (
"fmt"
"os"
"os/exec"
"syscall"

"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
Expand Down Expand Up @@ -76,6 +77,18 @@ func (l *linuxStandardInit) Init() error {
}
}
}
// Set RLIMIT_NOFILE again to refresh the cache in go runtime
// The problem originates from https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821
for _, rlimit := range l.config.Rlimits {
if rlimit.Type == unix.RLIMIT_NOFILE {
if err := unix.Setrlimit(rlimit.Type, &unix.Rlimit{
Cur: rlimit.Soft,
Max: rlimit.Hard,
}); err != nil {
return fmt.Errorf("failed to re-apply nofile rlimit: %w", err)
}
}
}

if err := setupNetwork(l.config); err != nil {
return err
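--- /dev/null
+++ b/tests/integration/resources.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+setup_busybox
+}
+
+function teardown() {
+teardown_bundle
+}
+
+@test "runc run with RLIMIT_NOFILE" {
+update_config '.process.args = ["/bin/sh", "-c", "ulimit -n"]'
+update_config '.process.capabilities.bounding = ["CAP_SYS_RESOURCE"]'
+update_config '.process.rlimits = [{"type": "RLIMIT_NOFILE", "hard": 10000, "soft": 10000}]'
+
+runc run test_hello
+[ "$status" -eq 0 ]
+
+[[ "${output}" == "10000" ]]
+}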
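Review bot: The assertion checks only the soft limit: `ulimit -n` reports the soft value, and with `hard` and `soft` both set to 10000 the test cannot tell whether the hard field was re-applied as well. Using distinct values, e.g. `"hard": 20000, "soft": 10000`, and printing both with `"ulimit -n; ulimit -Hn"` would pin both fields, provided the busybox shell in the bundle accepts `-H`. The `[ "$status" -eq 0 ]` check also differs in form from the `[[ … ]]` used on the output line; one form throughout reads more consistently.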
