Skip to content

Commit

Permalink
fix: set rlimit explicitly in wrapperd
Browse files Browse the repository at this point in the history
Now Go only sets the rlimit for the parent and any fork/exec'ed process
gets the rlimit that was the default before fork/exec. Ref: golang/go#46279

This fix got backported to [Go 1.20.4](golang/go@ecf7e00) breaking Talos.
Talos used to set rlimit in the [`SetRLimit`](https://github.com/siderolabs/talos/blob/v1.4.2/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go#L302) sequencer task.
This means any process started by `wrapperd` gets the default Rlimit
(1024). Fix this by explicitly setting `rlimit` in `wrapperd` before we
drop any capabilities.

Fixes: #7198

Signed-off-by: Noel Georgi <git@frezbo.dev>
  • Loading branch information
frezbo committed May 9, 2023
1 parent cdfc242 commit a2565f6
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions internal/app/wrapperd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,13 @@ func Main() {
}
}

// set the rlimit for the process before we drop privileges
// TODO: frezbo: see if we need to drop Rlimit from the boot sequence, the only downside maybe that some very early process might
// not have the higher rlimit set, but it seems we always use the wrapper to start processes.
if err := unix.Setrlimit(unix.RLIMIT_NOFILE, &unix.Rlimit{Max: 1048576, Cur: 1048576}); err != nil {
log.Fatalf("failed to set rlimit: %v", err)
}

// load the cgroup and put the process into the cgroup
if cgroupPath != "" {
if cgroups.Mode() == cgroups.Unified {
Expand Down

0 comments on commit a2565f6

Please sign in to comment.