Always try to set nofile limit

Try to set nofile limit to RLimitDefaultValue - this could potentially increase the limit past the current hard limit in non-rootless environments. This makes buildah behaviour match podman when a non-rootless environment has lower limits set. Signed-off-by: Chris Reeves <[email protected]>
containers · Jun 17, 2024 · e927352 · e927352
1 parent 4cbb95d
commit e927352
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/run_linux.go b/run_linux.go
@@ -1003,10 +1003,21 @@ func addRlimits(ulimit []string, g *generate.Generator, defaultUlimits []string)
 		g.AddProcessRlimits("RLIMIT_"+strings.ToUpper(ul.Name), uint64(ul.Hard), uint64(ul.Soft))
 	}
 	if !nofileSet {
-		// For nofile, podman sets both hard and soft limits to min(hard limit, RLimitDefaultValue)
-		// regardless of rootlessness (see cmd/podman/early_init_linux.go).
-		max := define.RLimitDefaultValue
+		// For nofile, podman first tries to set both the hard and soft limits for the current
+		// process to RLimitDefaultValue - this will be successful in most (but not all)
+		// non-rootless environments. If this fails (e.g. in a rootless environment) it will ensure
+		// that the soft limit for the current process is increased to match the hard limit (see
+		// cmd/podman/early_init_linux.go). We simply fire and forget the call to Setrlimit() here,
+		// because if it fails we effectively handle setting soft to hard in the call to
+		// AddProcessRlimits() later on.
 		var rlimit unix.Rlimit
+		rlimit.Cur = define.RLimitDefaultValue
+		rlimit.Max = define.RLimitDefaultValue
+		unix.Setrlimit(unix.RLIMIT_NOFILE, &rlimit)
+
+		// Set both hard and soft limits to min(hard limit, RLimitDefaultValue) regardless of
+		// rootlessness.
+		max := define.RLimitDefaultValue
 		if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err == nil {
 			if rlimit.Max < max {
 				max = rlimit.Max

diff --git a/tests/run.bats b/tests/run.bats
@@ -524,6 +524,11 @@ function configure_and_check_user() {
 
 	_prefetch alpine
 
+	# drop limits prior to tests - this tests the ability of non-rootless containers to increase
+	# file limits to match those of podman
+	ulimit -S -n 1024
+	ulimit -H -n 1024
+
 	run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
 	cid=$output
 	run podman run --rm alpine sh -c "awk '/open files/{print \$4 \"/\" \$5}' /proc/self/limits"