specgen: fix order for setting rlimits

Also make sure that the limits we set for rootless are not higher than
what we'd set for root containers.

Rootless containers failed to start when the calling user already
had ulimit (e.g. on NOFILE) set.

This is basically a cherry-pick of 76f8efc0d0 into specgen

Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
Ralf Haferkamp 2020-06-26 11:14:35 +02:00
parent bb11b42879
commit 43c19966f6
1 changed files with 14 additions and 6 deletions


@ -52,10 +52,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlimit); err != nil {
logrus.Warnf("failed to return RLIMIT_NOFILE ulimit %q", err)
}
if rlimit.Cur < current {
current = rlimit.Cur
}
if rlimit.Max < max {
max = rlimit.Max
}
g.AddProcessRlimits("RLIMIT_NOFILE", current, max)
}
g.AddProcessRlimits("RLIMIT_NOFILE", max, current)
}
if !nprocSet {
max := kernelMax
@ -65,10 +69,14 @@ func addRlimits(s *specgen.SpecGenerator, g *generate.Generator) error {
if err := unix.Getrlimit(unix.RLIMIT_NPROC, &rlimit); err != nil {
logrus.Warnf("failed to return RLIMIT_NPROC ulimit %q", err)
}
if rlimit.Cur < current {
current = rlimit.Cur
}
if rlimit.Max < max {
max = rlimit.Max
}
g.AddProcessRlimits("RLIMIT_NPROC", current, max)
}
g.AddProcessRlimits("RLIMIT_NPROC", max, current)
}
return nil
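Review bot: When `unix.Getrlimit` fails in the rootless branch, the code only logs a warning and still falls into the new clamp, so `rlimit` (declared above the hunk, presumably still zero-valued) makes `rlimit.Cur < current` and `rlimit.Max < max` true and both limits drop to 0. The generated spec would then carry an RLIMIT_NOFILE of 0/0, and the container fails later with an error that no longer points at the rlimit lookup. Because addRlimits already returns an error, returning from that check (`return err` in place of the `logrus.Warnf` line) keeps the failure next to its cause; the same applies to the RLIMIT_NPROC hunk. Since the swapped arguments were the original bug, a short comment at the calls such as `// AddProcessRlimits takes the hard limit before the soft limit` would help the next reader. The function starts above the first hunk and its end is not shown.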