libcontainer:clean cached rlimit nofile in go runtime

As reported in issue opencontainers#4195, the new version of go runtime will cache rlimit-nofile. before executing exec, the rlimit-nofile of the process will be updated with the cache. in runc, this will cause the rlimit-nofile set by the parent process for the container to become invalid. this can be solved by clearing the cache. Signed-off-by: ls-ggg <335814617@qq.com>
ls-ggg · Apr 2, 2024 · d0dbf90 · d0dbf90
1 parent 4641f17
commit d0dbf90
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 0 deletions.
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -49,6 +49,11 @@ func (l *linuxSetnsInit) Init() error {
 			}
 		}
 	}
+
+	if err := utils.CleanRlimitNoFileCache(); err != nil {
+		return err
+	}
+
 	if l.config.CreateConsole {
 		if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
 			return err

diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -77,6 +77,10 @@ func (l *linuxStandardInit) Init() error {
 		}
 	}
 
+	if err := utils.CleanRlimitNoFileCache(); err != nil {
+		return err
+	}
+
 	if err := setupNetwork(l.config); err != nil {
 		return err
 	}

diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"syscall"
 	"unsafe"
 
 	"golang.org/x/sys/unix"
@@ -129,3 +130,13 @@ func Annotations(labels []string) (bundle string, userAnnotations map[string]str
 	}
 	return
 }
+
+// Clean the cache of RLIMIT_NOFILE in go runtime
+// https://github.com/golang/go/commit/f5eef58e4381259cbd84b3f2074c79607fb5c821#diff-ec665e9789f8cf5cd1828ad7fa9f0ff4ebc1f5b5dd0fc82a296da5c07da7ece6
+func CleanRlimitNoFileCache() error {
+	rlimit := syscall.Rlimit{}
+	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rlimit); err != nil {
+		return err
+	}
+	return syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rlimit)
+}
diff --git a/tests/integration/resources.bats b/tests/integration/resources.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	setup_busybox
+	update_config '.process.args = ["/bin/sh", "-c", "ulimit -n"]'
+}
+
+function teardown() {
+	teardown_bundle
+}
+
+@test "runc run with RLIMIT_NOFILE" {
+	update_config '.process.capabilities.bounding = ["CAP_RESOURCE"]'
+	update_config '.process.rlimits = [{"type": "RLIMIT_NOFILE", "hard": 10000, "soft": 10000}]'
+
+	runc run test_hello
+	[ "$status" -eq 0 ]
+
+	[[ "${output}" == *"10000"* ]]
+}