Skip to content

Commit

Permalink
[1.1] libct/system: ClearRlimitNofileCache for go 1.23
Browse files Browse the repository at this point in the history
Go 1.23 tightens access to internal symbols, and even puts runc into
"hall of shame" for using an internal symbol (recently added by commit
da68c8e). So, while not impossible, it becomes harder to access those
internal symbols, and it is a bad idea in general.

Since Go 1.23 includes https://go.dev/cl/588076, we can clean the
internal rlimit cache by setting the RLIMIT_NOFILE for ourselves,
essentially disabling the rlimit cache.

Once Go 1.22 is no longer supported, we will remove the go:linkname hack.

(cherry picked from commit 584afc6)
Signed-off-by: Kir Kolyshkin <[email protected]>
  • Loading branch information
kolyshkin committed Jun 1, 2024
1 parent a12f444 commit 9022788
Show file tree
Hide file tree
Showing 4 changed files with 34 additions and 15 deletions.
17 changes: 9 additions & 8 deletions libcontainer/init_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"os"
"path/filepath"
"strings"
"syscall"
"unsafe"

"github.com/containerd/console"
Expand Down Expand Up @@ -87,9 +88,7 @@ func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, fifoFd,

// Clean the RLIMIT_NOFILE cache in go runtime.
// Issue: https://github.com/opencontainers/runc/issues/4195
if containsRlimit(config.Rlimits, unix.RLIMIT_NOFILE) {
system.ClearRlimitNofileCache()
}
maybeClearRlimitNofileCache(config.Rlimits)

switch t {
case initSetns:
Expand Down Expand Up @@ -268,7 +267,6 @@ func setupConsole(socket *os.File, config *initConfig, mount bool) error {
Height: config.ConsoleHeight,
Width: config.ConsoleWidth,
})

if err != nil {
return err
}
Expand Down Expand Up @@ -525,13 +523,16 @@ func setupRoute(config *configs.Config) error {
return nil
}

func containsRlimit(limits []configs.Rlimit, resource int) bool {
func maybeClearRlimitNofileCache(limits []configs.Rlimit) {
for _, rlimit := range limits {
if rlimit.Type == resource {
return true
if rlimit.Type == syscall.RLIMIT_NOFILE {
system.ClearRlimitNofileCache(&syscall.Rlimit{
Cur: rlimit.Soft,
Max: rlimit.Hard,
})
return
}
}
return false
}

func setupRlimits(limits []configs.Rlimit, pid int) error {
Expand Down
15 changes: 15 additions & 0 deletions libcontainer/system/rlimit_linux.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
//go:build go1.23

package system

import (
"syscall"
)

// ClearRlimitNofileCache clears go runtime's nofile rlimit cache. The argument
// is process RLIMIT_NOFILE values. Relies on go.dev/cl/588076.
func ClearRlimitNofileCache(lim *syscall.Rlimit) {
// Ignore the return values since we only need to clean the cache,
// the limit is going to be set via unix.Prlimit elsewhere.
_ = syscall.Setrlimit(syscall.RLIMIT_NOFILE, lim)
}
Original file line number Diff line number Diff line change
@@ -1,19 +1,21 @@
//go:build go1.19
//go:build go1.19 && !go1.23

// TODO: remove this file once go 1.22 is no longer supported.

package system

import (
"sync/atomic"
"syscall"

_ "unsafe" // for go:linkname
_ "unsafe" // Needed for go:linkname to work.
)

//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]

// ClearRlimitNofileCache is to clear go runtime's nofile rlimit cache.
func ClearRlimitNofileCache() {
// ClearRlimitNofileCache clears go runtime's nofile rlimit cache.
// The argument is process RLIMIT_NOFILE values.
func ClearRlimitNofileCache(_ *syscall.Rlimit) {
// As reported in issue #4195, the new version of go runtime(since 1.19)
// will cache rlimit-nofile. Before executing execve, the rlimit-nofile
// of the process will be restored with the cache. In runc, this will
Expand Down
5 changes: 3 additions & 2 deletions libcontainer/system/rlimit_stub.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,6 @@

package system

func ClearRlimitNofileCache() {
}
import syscall

Check failure on line 5 in libcontainer/system/rlimit_stub.go

View workflow job for this annotation

GitHub Actions / test (1.17.x, rootless, -race)

expected 'STRING', found newline

Check failure on line 5 in libcontainer/system/rlimit_stub.go

View workflow job for this annotation

GitHub Actions / test (1.17.x, rootless)

expected 'STRING', found newline

Check failure on line 5 in libcontainer/system/rlimit_stub.go

View workflow job for this annotation

GitHub Actions / test (1.17.x, -race)

expected 'STRING', found newline

Check failure on line 5 in libcontainer/system/rlimit_stub.go

View workflow job for this annotation

GitHub Actions / test (1.17.x)

expected 'STRING', found newline

func ClearRlimitNofileCache(_ *syscall.Rlimit) {}

0 comments on commit 9022788

Please sign in to comment.