Merge pull request #339 from jkl73/setrlimit

[launcher] Increase the max file descriptor

launcher/container_runner.go

@@ -21,6 +21,7 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/oci"
@@ -63,6 +64,10 @@ const (
 	snapshotID  = "tee-snapshot"
 )
 
+const (
+	nofile = 131072 // Max number of file descriptor
+)
+
 const (
 	// defaultRefreshMultiplier is a multiplier on the current token expiration
 	// time, at which the refresher goroutine will collect a new token.
@@ -150,6 +155,12 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 		return nil, &RetryableError{fmt.Errorf("cannot get hostname: [%w]", err)}
 	}
 
+	rlimits := []specs.POSIXRlimit{{
+		Type: "RLIMIT_NOFILE",
+		Hard: nofile,
+		Soft: nofile,
+	}}
+
 	container, err = cdClient.NewContainer(
 		ctx,
 		containerID,
@@ -165,6 +176,7 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 			oci.WithHostResolvconf,
 			oci.WithHostNamespace(specs.NetworkNamespace),
 			oci.WithEnv([]string{fmt.Sprintf("HOSTNAME=%s", hostname)}),
+			withRlimits(rlimits),
 		),
 	)
 	if err != nil {
@@ -605,3 +617,11 @@ func (r *ContainerRunner) Close(ctx context.Context) {
 	// Delete container and close connection to attestation service.
 	r.container.Delete(ctx, containerd.WithSnapshotCleanup)
 }
+
+// withRlimits sets the rlimit (like the max file descriptor) for the container process
+func withRlimits(rlimits []specs.POSIXRlimit) oci.SpecOpts {
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+		s.Process.Rlimits = rlimits
+		return nil
+	}
+}