podman: do not set rlimits to the default value #24228
Conversation
openshift-ci
bot
added
release-note-none
approved
|
This fails as root under old-podman, passes root+rootless with new-podman: # #24228: podman used to set this to hardcoded value, ignoring current settings
# bats test_tags=ci:parallel
@test "podman run - can use maximum ulimit value" {
skip_if_remote "cannot check local ulimits with podman remote"
run -0 ulimit -n -H
max=$output
oldmax=$max
# This test is more meaningful when root
if ! is_rootless; then
max=$((max + $RANDOM))
ulimit -n -H $max
fi
run_podman run --rm $IMAGE sh -c 'ulimit -n -H'
assert "$output" = "$max" "podman inherits parent ulimit"
ulimit -n -H $oldmax
}I removed the command-line I also noticed that, on my f40 system, this reduces the default root setting for podman: $ for i in /usr/bin/podman bin/podman; do sudo $i run --rm quay.io/libpod/testimage:20241010 sh -c 'ulimit -n -H';done
1048576
524288Could that be considered a breaking change? |
The --ulimit is needed here, the point is podman has a default limit that it sets for rootless containers (up to 1048576) even when the host allows more. So the point here is that if your host has more than that --ulimit must be able to set that value and should not be capped at 1048576 (default). This did not work because the podman init code capped the limit at 1048576 thus the bug report. And this only fails as rootless with limit higher than 1048576 because rootful has CAP_SYS_RESOURCE and can increase the limit higher all it wants. We would need to bump the ulimit for our rootless CI user > 1048576 in order for this to even be testable. What I do not get is a we do not document this rootless default and rootful seems to inherit and not use the 1048576 number but I am not sure why? |
Thanks for noticing it. Yes, I think this should not happen. I'll take a look |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
Okay, I have a 1mt with and: # ulimit -n -H
12345678
# for i in /usr/bin/podman bin/podman; do $i run --rm quay.io/libpod/testimage:20241010 sh -c 'ulimit -n -H';done
1048576 <<< expected
12345678 <<< expected
$ ulimit -n -H
12345678
$ for i in /usr/bin/podman bin/podman; do $i run --rm quay.io/libpod/testimage:20241010 sh -c 'ulimit -n -H';done
1048576 <<< expected
1048576 <<< UNEXPECTED but that's probably because Ed is cluelessWith the command-line option, your PR seems to do the right thing: $ for i in /usr/bin/podman bin/podman; do $i run --rm --ulimit=nofile=12345678:12345678 quay.io/libpod/testimage:20241010 sh -c 'ulimit -n -H';done
Error: crun: setrlimit `RLIMIT_NOFILE`: Operation not permitted: OCI permission denied
12345678 |
giuseppe
force-pushed
the
do-not-lower-rlimits
branch
from
47ff5b1 to
88afdbb
Compare
The first version of this PR was not correct, and this is wrong. It must be 1048576 in both cases to honor what the default is. I've changed the behaviour of Podman in the last version to honor the default settings also with root. |
giuseppe
force-pushed
the
do-not-lower-rlimits
branch
from
88afdbb to
8b9ebd5
Compare
|
Please also document in the man page the the default nofile and nproc is 1048576 under the --ulimit option if we now also do this as root. |
giuseppe
force-pushed
the
do-not-lower-rlimits
branch
from
8b9ebd5 to
85fc7f9
Compare
thanks. I've added a note to the documentation but I prefer to not specify their value (if you really want them I can change it again) to not have to worry about them getting out of sync |
|
LGTM |
I think it somewhat important, it is not like we randomly will change the values. Saying look in containers.conf but then thee is nothing in the containers.conf docs is confusing. I think most users really want to know the defaults and we document them in most cases but I am fine with not blocking over this and to merge without it |
|
It would have been nice to have this default documented when I was working through figuring out what was going on here. |
|
fine so I'll add it to the documentation. Before that though, we need containers/common#2199 Not sure why we do that, but it is just wrong IMO: we set it to the maximum value possible, and we change the limits from a library |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the previous implementation was expecting the rlimits to be set for the entire process and clamping the values only when running as rootless. Change the implementation to always specify the expected values in the OCI spec file and do the clamping only when running as rootless and using the default values. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
since the effect would be to lower the rlimits when their definition is higher than the default value. The test doesn't fail on the previous version, unless the system is configured with a nofile ulimit higher than the default value. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2317721 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
do-not-lower-rlimits
branch
from
85fc7f9 to
9e1d001
Compare
giuseppe
added
the
bloat_approved
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
do-not-lower-rlimits
branch
from
9e1d001 to
3d57560
Compare
|
vendored the change in c/common and pushed a new version ⬆️ |
|
/hold cancel @containers/podman-maintainers PTAL |
openshift-ci
bot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, lsm5, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
since the effect would be to lower the rlimits when their definition is higher than the default value.
The test doesn't fail on the previous version, unless the system is configured with a nofile ulimit higher than the default value.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2317721
Does this PR introduce a user-facing change?