From dbf1aca619af7bb7e15f0961e281e77c4cecd555 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 22 Oct 2021 17:34:46 +0200
Subject: [PATCH] nspawn: bump RLIMIT_NOFILE for nspawn payload similar to how host PID 1 does it for its payload

We try to pass containers roughly the same rlimits as the host gets from the kernel. However, this means we'd set the RLIMIT_NOFILE to 4K. Which is quite limiting though, and is something we actually departed from in PID1: since 52d620757817bc0fa7de3ddbe43024544ced7ea0 we raise the limit substantially for all userspace. Given that nspawn is quite often invoked without proper PID1, let's raise the limits for container payloads the same way as we do from the real PID1 to its service payloads.
---
 src/nspawn/nspawn.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 7dbc84369b..d133ca7be3 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -5330,6 +5330,15 @@ static int initialize_rlimits(void) {
 if (prlimit(1, rl, NULL, &buffer) < 0)
 return log_error_errno(errno, "Failed to read resource limit RLIMIT_%s of PID 1: %m", rlimit_to_string(rl));
+ v = &buffer;
+ } else if (rl == RLIMIT_NOFILE) {
+ /* We nowadays bump RLIMIT_NOFILE's hard limit early in PID 1 for all
+ * userspace. Given that nspawn containers are often run without our PID 1,
+ * let's grant the containers a raised RLIMIT_NOFILE hard limit by default,
+ * so that container userspace gets similar resources as host userspace
+ * gets. */
+ buffer = kernel_defaults[rl];
+ buffer.rlim_max = MIN((rlim_t) read_nr_open(), (rlim_t) HIGH_RLIMIT_NOFILE);
 v = &buffer;
 } else
 v = kernel_defaults + rl;
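Review bot: In the new `RLIMIT_NOFILE` branch, `buffer.rlim_max` is overwritten with `MIN((rlim_t) read_nr_open(), (rlim_t) HIGH_RLIMIT_NOFILE)` but is never reconciled with the `rlim_cur` that was just copied from `kernel_defaults[rl]`. On a host where `fs.nr_open` has been tuned below that default soft limit, the pair would end up with `rlim_cur > rlim_max`, which setrlimit(2) rejects with EINVAL; a clamp such as `buffer.rlim_cur = MIN(buffer.rlim_cur, buffer.rlim_max);` right after the assignment would keep it valid. The comment could also say that only the hard limit is raised, for example `/* The soft limit stays at the kernel default, so select()-based payloads never see fds >= FD_SETSIZE unless they opt in. */`, since that property is what makes the bump safe for unmodified programs. The contents of `kernel_defaults` and the call that applies the limit lie outside this hunk, so both points should be checked against the rest of `initialize_rlimits()`.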