authorLennart Poettering <lennart@poettering.net>2022-03-10 13:22:57 +0100
committerLennart Poettering <lennart@poettering.net>2022-03-10 18:30:24 +0100
commit852b62507b22c0a986032a2c9fa9cc464a5b7bd2 (patch)
tree9c19e343895c408f0c377acfc73fd3c617459f1a /src/nspawn/nspawn.c
parentmain: add 'const' on two function arguments (diff)
pid1,nspawn: raise default RLIMIT_MEMLOCK to 8M
This mirrors a similar check in Linux kernel 5.16 (9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the RLIMIT_MEMLOCK to 8M. This change does two things: raise the default limit for nspawn containers (where we try to mimic closely what the kernel does), and bump it when running on old kernels which still have the lower setting. Fixes: #16300 See: https://lwn.net/Articles/876288/
Diffstat (limited to '')
-rw-r--r--src/nspawn/nspawn.c30
1 files changed, 15 insertions, 15 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 144e58ae89..5102c16438 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -5294,25 +5294,25 @@ static int run_container(
}
static int initialize_rlimits(void) {
- /* The default resource limits the kernel passes to PID 1, as per kernel 4.16. Let's pass our container payload
+ /* The default resource limits the kernel passes to PID 1, as per kernel 5.16. Let's pass our container payload
* the same values as the kernel originally passed to PID 1, in order to minimize differences between host and
* container execution environments. */
static const struct rlimit kernel_defaults[_RLIMIT_MAX] = {
- [RLIMIT_AS] = { RLIM_INFINITY, RLIM_INFINITY },
- [RLIMIT_CORE] = { 0, RLIM_INFINITY },
- [RLIMIT_CPU] = { RLIM_INFINITY, RLIM_INFINITY },
- [RLIMIT_DATA] = { RLIM_INFINITY, RLIM_INFINITY },
- [RLIMIT_FSIZE] = { RLIM_INFINITY, RLIM_INFINITY },
- [RLIMIT_LOCKS] = { RLIM_INFINITY, RLIM_INFINITY },
- [RLIMIT_MEMLOCK] = { 65536, 65536 },
- [RLIMIT_MSGQUEUE] = { 819200, 819200 },
- [RLIMIT_NICE] = { 0, 0 },
- [RLIMIT_NOFILE] = { 1024, 4096 },
- [RLIMIT_RSS] = { RLIM_INFINITY, RLIM_INFINITY },
- [RLIMIT_RTPRIO] = { 0, 0 },
- [RLIMIT_RTTIME] = { RLIM_INFINITY, RLIM_INFINITY },
- [RLIMIT_STACK] = { 8388608, RLIM_INFINITY },
+ [RLIMIT_AS] = { RLIM_INFINITY, RLIM_INFINITY },
+ [RLIMIT_CORE] = { 0, RLIM_INFINITY },
+ [RLIMIT_CPU] = { RLIM_INFINITY, RLIM_INFINITY },
+ [RLIMIT_DATA] = { RLIM_INFINITY, RLIM_INFINITY },
+ [RLIMIT_FSIZE] = { RLIM_INFINITY, RLIM_INFINITY },
+ [RLIMIT_LOCKS] = { RLIM_INFINITY, RLIM_INFINITY },
+ [RLIMIT_MEMLOCK] = { DEFAULT_RLIMIT_MEMLOCK, DEFAULT_RLIMIT_MEMLOCK },
+ [RLIMIT_MSGQUEUE] = { 819200, 819200 },
+ [RLIMIT_NICE] = { 0, 0 },
+ [RLIMIT_NOFILE] = { 1024, 4096 },
+ [RLIMIT_RSS] = { RLIM_INFINITY, RLIM_INFINITY },
+ [RLIMIT_RTPRIO] = { 0, 0 },
+ [RLIMIT_RTTIME] = { RLIM_INFINITY, RLIM_INFINITY },
+ [RLIMIT_STACK] = { 8388608, RLIM_INFINITY },
/* The kernel scales the default for RLIMIT_NPROC and RLIMIT_SIGPENDING based on the system's amount of
* RAM. To provide best compatibility we'll read these limits off PID 1 instead of hardcoding them
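Review bot: The `[RLIMIT_MEMLOCK]` row is now the only entry in `kernel_defaults` whose value cannot be read from the table, because `DEFAULT_RLIMIT_MEMLOCK` is defined outside this file's diff; a trailing comment such as `/* 8M as of kernel 5.16; bounds the memory a payload process may mlock() and keep unswappable */` would keep the table self-explanatory. The header comment now says "as per kernel 5.16", but only the MEMLOCK value changes in this hunk, so it may be worth stating whether the other rows were re-checked against 5.16 as well. Since the default handed to a container payload grows from 65536 to 8M, hosts that relied on the old ceiling presumably need an explicit override (`--rlimit=` on the command line or `LimitMEMLOCK=` in the .nspawn file), and a one-line pointer to that in the comment would help operators. `initialize_rlimits` continues past the end of the hunk.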