zishuo/runc
1
0
Fork 0
mirror of https://github.com/opencontainers/runc.git synced 2025-10-07 00:12:53 +08:00
Code Issues Packages Projects Releases Wiki Activity

libct: clean cached rlimit nofile in go runtime

Browse Source 
As reported in issue #4195, the new version(since 1.19) of go runtime
will cache rlimit-nofile. Before executing execve, the rlimit-nofile
of the process will be restored with the cache. In runc, this will
cause the rlimit-nofile set by the parent process for the container
to become invalid. It can be solved by clearing the cache.

Signed-off-by: ls-ggg <335814617@qq.com>
(cherry picked from commit f9f8abf310)
Signed-off-by: lifubang <lifubang@acmcoder.com>
This commit is contained in:
ls-ggg
2024-03-29 18:12:08 +08:00
committed by lfbzhm
parent a853a82677
commit da68c8e37b
3 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
libcontainer/init_linux.go
View File

@@ -223,6 +223,12 @@ func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSock
return err return err
} }
// Clean the RLIMIT_NOFILE cache in go runtime.
// Issue: https://github.com/opencontainers/runc/issues/4195
if containsRlimit(config.Rlimits, unix.RLIMIT_NOFILE) {
system.ClearRlimitNofileCache()
}
switch t { switch t {
case initSetns: case initSetns:
i := &linuxSetnsInit{ i := &linuxSetnsInit{
@@ -649,6 +655,15 @@ func setupRoute(config *configs.Config) error {
return nil return nil
} }
func containsRlimit(limits []configs.Rlimit, resource int) bool {
for _, rlimit := range limits {
if rlimit.Type == resource {
return true
}
}
return false
}
func setupRlimits(limits []configs.Rlimit, pid int) error { func setupRlimits(limits []configs.Rlimit, pid int) error {
for _, rlimit := range limits { for _, rlimit := range limits {
if err := unix.Prlimit(pid, rlimit.Type, &unix.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}, nil); err != nil { if err := unix.Prlimit(pid, rlimit.Type, &unix.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}, nil); err != nil {

1
libcontainer/setns_init_linux.go
View File

@@ -49,6 +49,7 @@ func (l *linuxSetnsInit) Init() error {
} }
} }
} }
if l.config.CreateConsole { if l.config.CreateConsole {
if err := setupConsole(l.consoleSocket, l.config, false); err != nil { if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
return err return err

15
libcontainer/system/linux.go
View File

@@ -8,6 +8,7 @@ import (
"io" "io"
"os" "os"
"strconv" "strconv"
"sync/atomic"
"syscall" "syscall"
"unsafe" "unsafe"
@@ -15,6 +16,20 @@ import (
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]
// As reported in issue #4195, the new version of go runtime(since 1.19)
// will cache rlimit-nofile. Before executing execve, the rlimit-nofile
// of the process will be restored with the cache. In runc, this will
// cause the rlimit-nofile setting by the parent process for the container
// to become invalid. It can be solved by clearing this cache. But
// unfortunately, go stdlib doesn't provide such function, so we need to
// link to the private var `origRlimitNofile` in package syscall to hack.
func ClearRlimitNofileCache() {
syscallOrigRlimitNofile.Store(nil)
}
type ParentDeathSignal int type ParentDeathSignal int
func (p ParentDeathSignal) Restore() error { func (p ParentDeathSignal) Restore() error {