Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make buildah's handling of ulimits match podman #5590

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Make buildah's handling of ulimits match podman #5590

wants to merge 4 commits into from

Conversation

chris-reeves
Copy link

@chris-reeves chris-reeves commented Jun 14, 2024
edited
Loading

There was a bug in #5275 which assumed that non-rootless environments always had the ability to increase limits past the hard limit. This is not always the case. This was resolved by more accurately reflecting podman's handling of ulimits. The initial fix for this didn't account for the fact that privileged users can (usually) increase limits past the hard limit. This wasn't picked up when the tests were run locally, so they have been modified to ensure that this particular failure mode would be identified in future.

What type of PR is this?

/kind bug

What this PR does / why we need it:

There was a bug in #5275 which assumed that non-rootless environments always had the ability to increase limits past the hard limit. This is not always the case. For example:

[2/2] STEP 8/13: RUN addgroup -g 1000 -S app && adduser -u 1000 -h /app -S -G app app
Error: building at STEP "RUN addgroup -g 1000 -S app && adduser -u 1000 -h /app -S -G app app": setting "RLIMIT_NPROC" limit to soft=104857600,hard=104857600 (was soft=31723,hard=31723): operation not permitted

This was resolved by more accurately reflecting podman's handling of ulimits.

How to verify it

The original bug can be replicated by running the test suite (specifically bats tests/run.bats -f limit) in a non-rootless mode where nproc limits are less than RLimitDefaultValue (1048576). For me the easiest way to do this was to run the test as root with RLimitDefaultValue increased to 10485760.

Which issue(s) this PR fixes:

None - no issue has been opened for this bug.

Special notes for your reviewer:

No tests have been added for the scenario that was originally encountered (non-rootless environment where the user doesn't have privileges to increase limits past the hard limit) due to the difficulty in manipulating limits and recreating this scenario in a test environment, however the tests which fail when RLimitDefaultValue is increased to 10485760 now pass with this fix in place.

The initial fix for this didn't account for the fact that privileged users can (usually) increase limits past the hard limit. This wasn't picked up when the tests were run locally, so they have been modified to ensure that this particular failure mode would be identified in future.

The PR does make a call to Setrlimit() without checking the returned error value. This is intentional as the way podman handles the failure of this call is to try again with the current hard limit, but we effectively do this a little later with the call to AddProcessRlimits() making another get/set round trip redundant.

Does this PR introduce a user-facing change?

None

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 14, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jun 14, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chris-reeves
Once this PR has been reviewed and has the lgtm label, please assign giuseppe for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@packit-as-a-service Packit-as-a-Service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@chris-reeves chris-reeves changed the title Make buildah handling of ulimits match podman Make buildah's handling of ulimits match podman Jun 14, 2024
flouthoc
flouthoc reviewed Jun 16, 2024
View reviewed changes
Copy link
Collaborator

@flouthoc flouthoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Integration tests are failing for multiple envs.

@chris-reeves
Copy link
Author

The initial fix for this didn't account for the fact that privileged users can (usually) increase limits past the hard limit. This wasn't picked up when the tests were run locally, so they have been modified to ensure that this particular failure mode would be identified in future.

@TomSweeneyRedHat
Copy link
Member

@chris-reeves thanks for the PR! The tests are all very unhappy and it looks like you need to update your branch.

@chris-reeves
Copy link
Author

@chris-reeves thanks for the PR! The tests are all very unhappy and it looks like you need to update your branch.

@TomSweeneyRedHat It looks like this was just the linter complaining. I did wonder whether not checking Setrlimit()'s return value would annoy the linter so I ran make lint locally before committing and it didn't complain. I've tried again and can't replicate the lint output that Cirrus is returning, so rather than trying to set lint ignores blindly or seeing if I can get away with assigning to _, I've taken a fairly blunt approach and simply write a debug-level log message if this fails.

Also rebased and signed the commit that I missed.

@TomSweeneyRedHat
Copy link
Member

@chris-reeves I kicked off the test again, a quick look seemed to show network hiccups. The branch looks like it needs a rebase too.

@chris-reeves
Copy link
Author

@chris-reeves I kicked off the test again, a quick look seemed to show network hiccups. The branch looks like it needs a rebase too.

Could you point me towards these network hiccups? The only two failing builds are the same two that appear to fail for most PRs (and this appears to be an issue with missing build tools on those platforms).

I can rebase again if you like, but it looks like you're taking a branch/merge approach so I'm not sure what it gives us (other than another build to wait on!).

@chris-reeves
Make buildah handling of ulimits match podman
a5a2655 
There was a bug in containers#5275 which meant that in some cases (not rootless,
with low limits) buildah tried to set limits to more than the hard
limit. Fixing that issue made some of the tests fail as they only passed
due to this bug. This was resolved by more accurately reflecting
podman's handling of ulmits.

Signed-off-by: Chris Reeves <chris.reeves@iname.com>
@chris-reeves
Make limits tests have consistent wording
1036cfd 
This is really a no-op to keep the validate_test check happy...

Signed-off-by: Chris Reeves <chris.reeves@iname.com>
@chris-reeves
Always try to set nofile limit
5241c92 
Try to set nofile limit to RLimitDefaultValue - this could potentially
increase the limit past the current hard limit in non-rootless
environments. This makes buildah behaviour match podman when a
non-rootless environment has lower limits set.

Signed-off-by: Chris Reeves <chris.reeves@iname.com>
@chris-reeves
Check return value of Setrlimit() to keep linter happy
6646b57 
Signed-off-by: Chris Reeves <chris.reeves@iname.com>
@rhatdan
Copy link
Member

rhatdan commented Jun 21, 2024

LGTM

@rhatdan
Copy link
Member

rhatdan commented Jun 21, 2024

Thanks @chris-reeves

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flouthoc flouthoc Awaiting requested review from flouthoc

Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@chris-reeves @TomSweeneyRedHat @rhatdan @flouthoc