From 096e6f88f0f00e2dfec2adee6e651dd23b48b836 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Thu, 23 May 2024 16:29:58 -0700 Subject: [PATCH] [1.1] libct/system: ClearRlimitNofileCache for go 1.23 Go 1.23 tightens access to internal symbols, and even puts runc into "hall of shame" for using an internal symbol (recently added by commit da68c8e3). So, while not impossible, it becomes harder to access those internal symbols, and it is a bad idea in general. Since Go 1.23 includes https://go.dev/cl/588076, we can clean the internal rlimit cache by setting the RLIMIT_NOFILE for ourselves, essentially disabling the rlimit cache. Once Go 1.22 is no longer supported, we will remove the go:linkname hack. (cherry picked from commit 584afc675650e87ecc443896f56aed27a0064dc0) Signed-off-by: Kir Kolyshkin --- libcontainer/init_linux.go | 17 +++++++++-------- libcontainer/system/rlimit_linux.go | 15 +++++++++++++++ .../{rlimit_go119.go => rlimit_linux_go122.go} | 12 +++++++----- libcontainer/system/rlimit_stub.go | 5 +++-- 4 files changed, 34 insertions(+), 15 deletions(-) create mode 100644 libcontainer/system/rlimit_linux.go rename libcontainer/system/{rlimit_go119.go => rlimit_linux_go122.go} (70%) diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go index 58c742ac3e4..c849ec6b797 100644 --- a/libcontainer/init_linux.go +++ b/libcontainer/init_linux.go @@ -10,6 +10,7 @@ import ( "os" "path/filepath" "strings" + "syscall" "unsafe" "github.com/containerd/console" @@ -87,9 +88,7 @@ func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, fifoFd, // Clean the RLIMIT_NOFILE cache in go runtime. // Issue: https://github.com/opencontainers/runc/issues/4195 - if containsRlimit(config.Rlimits, unix.RLIMIT_NOFILE) { - system.ClearRlimitNofileCache() - } + maybeClearRlimitNofileCache(config.Rlimits) switch t { case initSetns: @@ -268,7 +267,6 @@ func setupConsole(socket *os.File, config *initConfig, mount bool) error { Height: config.ConsoleHeight, Width: config.ConsoleWidth, }) - if err != nil { return err } @@ -525,13 +523,16 @@ func setupRoute(config *configs.Config) error { return nil } -func containsRlimit(limits []configs.Rlimit, resource int) bool { +func maybeClearRlimitNofileCache(limits []configs.Rlimit) { for _, rlimit := range limits { - if rlimit.Type == resource { - return true + if rlimit.Type == syscall.RLIMIT_NOFILE { + system.ClearRlimitNofileCache(&syscall.Rlimit{ + Cur: rlimit.Soft, + Max: rlimit.Hard, + }) + return } } - return false } func setupRlimits(limits []configs.Rlimit, pid int) error { diff --git a/libcontainer/system/rlimit_linux.go b/libcontainer/system/rlimit_linux.go new file mode 100644 index 00000000000..4595fa82aa1 --- /dev/null +++ b/libcontainer/system/rlimit_linux.go @@ -0,0 +1,15 @@ +//go:build go1.23 + +package system + +import ( + "syscall" +) + +// ClearRlimitNofileCache clears go runtime's nofile rlimit cache. The argument +// is process RLIMIT_NOFILE values. Relies on go.dev/cl/588076. +func ClearRlimitNofileCache(lim *syscall.Rlimit) { + // Ignore the return values since we only need to clean the cache, + // the limit is going to be set via unix.Prlimit elsewhere. + _ = syscall.Setrlimit(syscall.RLIMIT_NOFILE, lim) +} diff --git a/libcontainer/system/rlimit_go119.go b/libcontainer/system/rlimit_linux_go122.go similarity index 70% rename from libcontainer/system/rlimit_go119.go rename to libcontainer/system/rlimit_linux_go122.go index a68c8ca6038..674e44bd8f7 100644 --- a/libcontainer/system/rlimit_go119.go +++ b/libcontainer/system/rlimit_linux_go122.go @@ -1,19 +1,21 @@ -//go:build go1.19 +//go:build go1.19 && !go1.23 + +// TODO: remove this file once go 1.22 is no longer supported. package system import ( "sync/atomic" "syscall" - - _ "unsafe" // for go:linkname + _ "unsafe" // Needed for go:linkname to work. ) //go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit] -// ClearRlimitNofileCache is to clear go runtime's nofile rlimit cache. -func ClearRlimitNofileCache() { +// ClearRlimitNofileCache clears go runtime's nofile rlimit cache. +// The argument is process RLIMIT_NOFILE values. +func ClearRlimitNofileCache(_ *syscall.Rlimit) { // As reported in issue #4195, the new version of go runtime(since 1.19) // will cache rlimit-nofile. Before executing execve, the rlimit-nofile // of the process will be restored with the cache. In runc, this will diff --git a/libcontainer/system/rlimit_stub.go b/libcontainer/system/rlimit_stub.go index 1b37dc5720c..96200df596c 100644 --- a/libcontainer/system/rlimit_stub.go +++ b/libcontainer/system/rlimit_stub.go @@ -2,5 +2,6 @@ package system -func ClearRlimitNofileCache() { -} +import "syscall" + +func ClearRlimitNofileCache(_ *syscall.Rlimit) {}