Set rlimits using prlimit in parent #687
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes opencontainers#680 This changes setupRlimit to use the Prlimit syscall (rather than Setrlimit) and moves the call to the parent process. This is necessary because Setrlimit would affect the libcontainer consumer if called in the parent, and would fail if called from the child if the child process is in a user namespace and the requested rlimit is higher than that in the parent. Signed-off-by: Julian Friedman <[email protected]>
Member
|
LGTM nice one! |
| } | ||
|
|
||
| func Prlimit(pid, resource int, limit syscall.Rlimit) error { | ||
| _, _, err := syscall.RawSyscall6(syscall.SYS_PRLIMIT64, uintptr(pid), uintptr(resource), uintptr(unsafe.Pointer(&limit)), uintptr(unsafe.Pointer(&limit)), 0, 0) |
Contributor
There was a problem hiding this comment.
Is there a version that works for both 32/64 bit?
Contributor
There was a problem hiding this comment.
@mrunalp seems like golang 386 package uses the same call also for 386 architectures (https://golang.org/src/syscall/zsyscall_linux_386.go?h=prlimit#L766)
Contributor
There was a problem hiding this comment.
Thanks!
Sent from my iPhone
On Mar 25, 2016, at 6:08 PM, Marcos Nils [email protected] wrote:
In libcontainer/system/linux.go:
@@ -53,6 +53,14 @@ func Execv(cmd string, args []string, env []string) error {
return syscall.Exec(name, args, env)
}+func Prlimit(pid, resource int, limit syscall.Rlimit) error {
- _, _, err := syscall.RawSyscall6(syscall.SYS_PRLIMIT64, uintptr(pid), uintptr(resource), uintptr(unsafe.Pointer(&limit)), uintptr(unsafe.Pointer(&limit)), 0, 0)
@mrunalp seems like golang 386 package uses the same call also for 386 architectures (https://golang.org/src/syscall/zsyscall_linux_386.go?h=prlimit#L766)—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
Contributor
|
LGTM |
stefanberger
pushed a commit
to stefanberger/runc
that referenced
this pull request
Sep 8, 2017
make link usage consistent across the specification
stefanberger
pushed a commit
to stefanberger/runc
that referenced
this pull request
Sep 8, 2017
Unwind an overly-aggressive backtick replacement from f9dc90b (make link usage consistent across the specification, 2017-02-09, opencontainers#687). Signed-off-by: W. Trevor King <[email protected]>
stefanberger
pushed a commit
to stefanberger/runc
that referenced
this pull request
Sep 8, 2017
Through d87ec69 (Merge pull request opencontainers#687 from jlbutler/link-cleanup-676, 2017-03-03). Signed-off-by: W. Trevor King <[email protected]>
stefanberger
pushed a commit
to stefanberger/runc
that referenced
this pull request
Sep 8, 2017
This was broken by f9dc90b (make link usage consistent across the specification, 2017-02-09, opencontainers#687), which updated the link label, but not this link. Now that the link label matches the link text, we can use the implicit link name shortcut [1]. [1]: https://daringfireball.net/projects/markdown/syntax#link Signed-off-by: W. Trevor King <[email protected]>
stefanberger
pushed a commit
to stefanberger/runc
that referenced
this pull request
Sep 8, 2017
These were added in f9dc90b (make link usage consistent across the specification, 2017-08-09, opencontainers#687) to follow the new _N name-dedup policy discussed in style.md. They were removed in ea65eb3 (config-solaris.md: fix info, 2017-04-28, opencontainers#786), overlooking that policy. This commit brings them back. Signed-off-by: W. Trevor King <[email protected]>
stefanberger
pushed a commit
to stefanberger/runc
that referenced
this pull request
Sep 8, 2017
Since f9dc90b (make link usage consistent across the specification, 2017-02-09, opencontainers#687), the official style is to only use reference-style links for external links. I expect the remaining three entries just slipped through. This commit adjusts everything found with: $ git grep ']: [a-z]' | grep -v http It also fixes the underscore -> hyphen in the glossary.md#container-namespace target and updates the capabilities location to catch up with 5a8a779 (Move process specific settings to process, 2016-03-02, opencontainers#329). Signed-off-by: W. Trevor King <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #680
This changes setupRlimit to use the Prlimit syscall (rather than
Setrlimit) and moves the call to the parent process. This is necessary
because Setrlimit would affect the libcontainer consumer if called in
the parent, and would fail if called from the child if the
child process is in a user namespace and the requested rlimit is higher
than that in the parent.
Signed-off-by: Julian Friedman [email protected]