There is no option to set ulimit while using podman kube play #16404

Closed
paul-grozav opened this issue Nov 4, 2022 · 19 comments · Fixed by #17379
Labels: kind/feature, kube, locked - please file new issue/PR

Comments

@paul-grozav

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

I would like to revive this issue from the Red Hat Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1950183. I'm facing a similar issue.

This is my context (machine setup). To be honest, it'll be hard to upgrade the entire OS just for a patch on podman (but that's another story). I hope that at least this will be fixed in the latest version for newer environments:

$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

$ cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 

$ uname -a
Linux my-server 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

$ id # I'm running in rootless mode for security reasons
uid=2115(dbadmin) gid=588(dba) groups=588(dba)

This is my problem. The ulimits are not exported - I understand that podman doesn't want to introduce support for anything that is not in the k8s standard specs. But there is also no other way to apply ulimits to containers created through kube play. A command line parameter would be nice, or any option, really.

$ podman run -d --name=ulimit_test --ulimit nofile=1231:3123 alpine:3.16.2 sleep infinity
30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33

$ podman exec -it ulimit_test /bin/sh -c "ulimit -Sn ; ulimit -Hn"
1231
3123

$ podman inspect ulimit_test
[
    {
        "Id": "30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33",
        "Created": "2022-11-04T02:20:06.488409531-05:00",
        "Path": "sleep",
        "Args": [
            "infinity"
        ],
        "State": {
            "OciVersion": "1.0.1-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 9025,
            "ConmonPid": 9009,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-11-04T02:20:06.718683968-05:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            }
        },
        "Image": "9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5",
        "ImageName": "docker.io/library/alpine:3.16.2",
        "Rootfs": "",
        "Pod": "",
        "ResolvConfPath": "/run/user/2115/containers/overlay-containers/30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33/userdata/resolv.conf",
        "HostnamePath": "/run/user/2115/containers/overlay-containers/30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33/userdata/hostname",
        "HostsPath": "/run/user/2115/containers/overlay-containers/30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33/userdata/hosts",
        "StaticDir": "/home/dbadmin/.local/share/containers/storage/overlay-containers/30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33/userdata",
        "OCIConfigPath": "/home/dbadmin/.local/share/containers/storage/overlay-containers/30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33/userdata/config.json",
        "OCIRuntime": "runc",
        "LogPath": "/home/dbadmin/.local/share/containers/storage/overlay-containers/30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33/userdata/ctr.log",
        "ConmonPidFile": "/run/user/2115/containers/overlay-containers/30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33/userdata/conmon.pid",
        "Name": "ulimit_test",
        "RestartCount": 0,
        "Driver": "overlay",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "EffectiveCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FSETID",
            "CAP_FOWNER",
            "CAP_MKNOD",
            "CAP_NET_RAW",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETFCAP",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_SYS_CHROOT",
            "CAP_KILL",
            "CAP_AUDIT_WRITE"
        ],
        "BoundingCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FSETID",
            "CAP_FOWNER",
            "CAP_MKNOD",
            "CAP_NET_RAW",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETFCAP",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_SYS_CHROOT",
            "CAP_KILL",
            "CAP_AUDIT_WRITE"
        ],
        "ExecIDs": [],
        "GraphDriver": {
            "Name": "overlay",
            "Data": {
                "LowerDir": "/home/dbadmin/.local/share/containers/storage/overlay/994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7/diff",
                "MergedDir": "/home/dbadmin/.local/share/containers/storage/overlay/11ca8c39f53a25a9dfa69cbd0a5921e640bba2f70aa3d7460ce926b972568403/merged",
                "UpperDir": "/home/dbadmin/.local/share/containers/storage/overlay/11ca8c39f53a25a9dfa69cbd0a5921e640bba2f70aa3d7460ce926b972568403/diff",
                "WorkDir": "/home/dbadmin/.local/share/containers/storage/overlay/11ca8c39f53a25a9dfa69cbd0a5921e640bba2f70aa3d7460ce926b972568403/work"
            }
        },
        "Mounts": [],
        "Dependencies": [],
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": [],
            "SandboxKey": "",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",        
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,           
            "IPAddress": "",                     
            "IPPrefixLen": 0,                                      
            "IPv6Gateway": "",                              
            "MacAddress": ""                               
        },                                                  
        "ExitCommand": [                              
            "/usr/bin/podman",                       
            "--root",                                 
            "/home/dbadmin/.local/share/containers/storage",     
            "--runroot",                             
            "/run/user/2115/containers",               
            "--log-level",                           
            "error",                               
            "--cgroup-manager",                   
            "cgroupfs",                               
            "--tmpdir",                             
            "/run/user/2115/libpod/tmp",
            "--runtime",
            "runc",                             
            "--storage-driver",                  
            "overlay",                                      
            "--storage-opt",                               
            "overlay.mount_program=/usr/bin/fuse-overlayfs",
            "--events-backend",                       
            "file",                                  
            "container",                              
            "cleanup",                               
            "30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33"
        ],                                           
        "Namespace": "",                           
        "IsInfra": false,                                                                                           
        "Config": {                                        
            "Hostname": "30951028ad3f",
            "Domainname": "",                      
            "User": "",
            "AttachStdin": false,                                                                                    
            "AttachStdout": false,                        
            "AttachStderr": false,
            "Tty": false,                         
            "OpenStdin": false,                                                                                                                                                                                                                
            "StdinOnce": false,                  
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",                                 
                "TERM=xterm",                                   
                "HOSTNAME=30951028ad3f",
                "container=podman",
                "HOME=/root"              
            ],                                                                                                             
            "Cmd": [                                                                                                             
                "sleep",                                                                                                          
                "infinity"                        
            ],                                                  
            "Image": "docker.io/library/alpine:3.16.2",
            "Volumes": null,
            "WorkingDir": "/",
            "Entrypoint": "",                                                    
            "OnBuild": null,                             
            "Labels": null,
            "Annotations": {
                "io.container.manager": "libpod",
                "io.kubernetes.cri-o.ContainerType": "sandbox",
                "io.kubernetes.cri-o.Created": "2022-11-04T02:20:06.488409531-05:00",
                "io.kubernetes.cri-o.TTY": "false",
                "io.podman.annotations.autoremove": "FALSE",
                "io.podman.annotations.init": "FALSE",
                "io.podman.annotations.privileged": "FALSE",
                "io.podman.annotations.publish-all": "FALSE",
                "org.opencontainers.image.stopSignal": "15"
            },            
            "StopSignal": 15
        },                    
        "HostConfig": {   
            "Binds": [],
            "ContainerIDFile": "",                             
            "LogConfig": {                       
                "Type": "k8s-file",
                "Config": null
            },                     
            "NetworkMode": "default",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "",                                                         
                "MaximumRetryCount": 0                 
            },       
            "AutoRemove": false,
            "VolumeDriver": "",                                                                                                                                
            "VolumesFrom": null,                                                                                                                          
            "CapAdd": [],                                                                                                                           
            "CapDrop": [],                                                                                                                                        
            "Dns": [],                                                                                                                                                            
            "DnsOptions": [],
            "DnsSearch": [],                                                                                                                                            
            "ExtraHosts": [],                                                                                                                                
            "GroupAdd": [],   
            "IpcMode": "",
            "Cgroup": "",   
            "Cgroups": "default",
            "Links": null, 
            "OomScoreAdj": 0, 
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": [],
            "Tmpfs": {},
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 65536000,
            "Runtime": "oci",
            "ConsoleSize": [
                0,                 
                0            
            ],         
            "Isolation": "", 
            "CpuShares": 0,
            "Memory": 0, 
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": 0,                                                                                                                        
            "OomKillDisable": false,                                                                                                                         
            "PidsLimit": 0,                                                                                                                               
            "Ulimits": [                                                                                                                                
                {
                    "Name": "RLIMIT_NOFILE",
                    "Soft": 1231,
                    "Hard": 3123
                }           
            ],           
            "CpuCount": 0,  
            "CpuPercent": 0,     
            "IOMaximumIOps": 0,        
            "IOMaximumBandwidth": 0     
        }               
    }                        
]                                        

$ podman generate kube -s ulimit_test -f ulimit_test.yml
$ cat ulimit_test.yml 
# Generation of Kubernetes YAML is still under development!
#
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-1.6.4
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2022-11-04T07:25:29Z"
  labels:
    app: ulimittest
  name: ulimittest
spec:
  containers:
  - command:
    - sleep
    - infinity
    env:
    - name: PATH
      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    - name: TERM
      value: xterm
    - name: HOSTNAME
    - name: container
      value: podman
    image: docker.io/library/alpine:3.16.2
    name: ulimittest
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
    workingDir: /
status: {}
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2022-11-04T07:25:29Z"
  labels:
    app: ulimittest
  name: ulimittest
spec:
  selector:
    app: ulimittest
  type: NodePort
status:
  loadBalancer: {}

$ podman stop -t0 ulimit_test
30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33

$ podman rm ulimit_test
30951028ad3fd487831e0ee23231b362b31e3c09e8293e03d91d6a9fda7c6d33

$ podman play kube ulimit_test.yml 
a container exists with the same name (ulimittest) as the pod in your YAML file; changing pod name to ulimittest_pod
Pod:
52348a2fe515f336943c9b3c2adbc7847c657a859b5dfedd21fbf2a2195cdaa5
Container:
15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3

$ podman ps -a
CONTAINER ID  IMAGE                            COMMAND         CREATED         STATUS                       PORTS  NAMES
15089f7a4707  docker.io/library/alpine:3.16.2  sleep infinity  19 seconds ago  Up 19 seconds ago                   ulimittest
b1026979e90f  k8s.gcr.io/pause:3.1                             19 seconds ago  Up 19 seconds ago                   52348a2fe515-infra

$ podman exec -it ulimittest /bin/sh -c "ulimit -Sn ; ulimit -Hn"
1024
1024

$ podman inspect ulimittest
[
    {
        "Id": "15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3",
        "Created": "2022-11-04T02:27:02.895147872-05:00",
        "Path": "sleep",
        "Args": [
            "infinity"
        ],
        "State": {
            "OciVersion": "1.0.1-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 13400,
            "ConmonPid": 13388,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-11-04T02:27:03.235785686-05:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            }
        },
        "Image": "9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5",
        "ImageName": "docker.io/library/alpine:3.16.2",
        "Rootfs": "",
        "Pod": "52348a2fe515f336943c9b3c2adbc7847c657a859b5dfedd21fbf2a2195cdaa5",
        "ResolvConfPath": "/run/user/2115/containers/overlay-containers/b1026979e90fbe304ff75526b9ecad1a5c8999ad73b43d0cc3422e4a523aa73e/userdata/resolv.conf",
        "HostnamePath": "/run/user/2115/containers/overlay-containers/15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3/userdata/hostname",
        "HostsPath": "/run/user/2115/containers/overlay-containers/b1026979e90fbe304ff75526b9ecad1a5c8999ad73b43d0cc3422e4a523aa73e/userdata/hosts",
        "StaticDir": "/home/dbadmin/.local/share/containers/storage/overlay-containers/15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3/userdata",
        "OCIConfigPath": "/home/dbadmin/.local/share/containers/storage/overlay-containers/15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3/userdata/config.json",
        "OCIRuntime": "runc",
        "LogPath": "/home/dbadmin/.local/share/containers/storage/overlay-containers/15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3/userdata/ctr.log",
        "ConmonPidFile": "/run/user/2115/containers/overlay-containers/15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3/userdata/conmon.pid",
        "Name": "ulimittest",
        "RestartCount": 0,
        "Driver": "overlay",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "EffectiveCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FSETID",
            "CAP_FOWNER",
            "CAP_MKNOD",
            "CAP_NET_RAW",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETFCAP",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_SYS_CHROOT",
            "CAP_KILL",
            "CAP_AUDIT_WRITE"
        ],
        "BoundingCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FSETID",
            "CAP_FOWNER",
            "CAP_MKNOD",
            "CAP_NET_RAW",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETFCAP",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_SYS_CHROOT",
            "CAP_KILL",
            "CAP_AUDIT_WRITE"
        ],
        "ExecIDs": [],
        "GraphDriver": {
            "Name": "overlay",
            "Data": {
                "LowerDir": "/home/dbadmin/.local/share/containers/storage/overlay/994393dc58e7931862558d06e46aa2bb17487044f670f310dffe1d24e4d1eec7/diff",
                "MergedDir": "/home/dbadmin/.local/share/containers/storage/overlay/1006e6f0e1941f786a84cd7c2d92a1840e768f2b040a466dceaa02c9df008c1b/merged",
                "UpperDir": "/home/dbadmin/.local/share/containers/storage/overlay/1006e6f0e1941f786a84cd7c2d92a1840e768f2b040a466dceaa02c9df008c1b/diff",
                "WorkDir": "/home/dbadmin/.local/share/containers/storage/overlay/1006e6f0e1941f786a84cd7c2d92a1840e768f2b040a466dceaa02c9df008c1b/work"
            }
        },
        "Mounts": [],
        "Dependencies": [
            "b1026979e90fbe304ff75526b9ecad1a5c8999ad73b43d0cc3422e4a523aa73e"
        ],
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": [],
            "SandboxKey": "",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,                                    
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": ""
        },         
        "ExitCommand": [                  
            "/usr/bin/podman",
            "--root",
            "/home/dbadmin/.local/share/containers/storage",
            "--runroot",            
            "/run/user/2115/containers",
            "--log-level",
            "error",               
            "--cgroup-manager",
            "cgroupfs",
            "--tmpdir",
            "/run/user/2115/libpod/tmp",
            "--runtime",
            "runc",
            "--storage-driver",            
            "overlay",
            "--storage-opt",
            "overlay.mount_program=/usr/bin/fuse-overlayfs",
            "--events-backend",
            "file",
            "container",
            "cleanup",
            "15089f7a4707d33b357b30319a1f22ec0a1f5545278b694b216198742fbeccb3"
        ],        
        "Namespace": "",                               
        "IsInfra": false,                                       
        "Config": {                                          
            "Hostname": "ulimittest_pod",                                                                           
            "Domainname": "",
            "User": "",                                         
            "AttachStdin": false,
            "AttachStdout": false,                              
            "AttachStderr": false,     
            "Tty": false,                
            "OpenStdin": false,          
            "StdinOnce": false,           
            "Env": [                                                                                                    
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",                                         
                "TERM=xterm",                                                                                                        
                "HOSTNAME=ulimittest_pod",                                                                                    
                "container=podman",              
                "HOME=/root"                                    
            ],                                                                             
            "Cmd": [
                "sleep",
                "infinity"                           
            ],
            "Image": "docker.io/library/alpine:3.16.2",
            "Volumes": null,                                                     
            "WorkingDir": "/",                           
            "Entrypoint": "",
            "OnBuild": null,
            "Labels": null,
            "Annotations": {
                "io.container.manager": "libpod",
                "io.kubernetes.cri-o.Created": "2022-11-04T02:27:02.895147872-05:00",
                "io.podman.annotations.autoremove": "FALSE",
                "io.podman.annotations.init": "FALSE",
                "io.podman.annotations.privileged": "FALSE",
                "io.podman.annotations.publish-all": "FALSE",
                "org.opencontainers.image.stopSignal": "15"
            },            
            "StopSignal": 15
        },                     
        "HostConfig": {   
            "Binds": [],
            "ContainerIDFile": "",                             
            "LogConfig": {                       
                "Type": "", 
                "Config": null
            },                     
            "NetworkMode": "container:b1026979e90fbe304ff75526b9ecad1a5c8999ad73b43d0cc3422e4a523aa73e",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "",                                                         
                "MaximumRetryCount": 0                 
            },       
            "AutoRemove": false,                                                  
            "VolumeDriver": "",                                                                                                                                
            "VolumesFrom": null,                                                                                                                          
            "CapAdd": [],                                                                                                                           
            "CapDrop": [],                                                                                                                                        
            "Dns": [],                                                                                                                                                            
            "DnsOptions": [],
            "DnsSearch": [],                                                                                                                                            
            "ExtraHosts": [],                                                                                                                                
            "GroupAdd": [],  
            "IpcMode": "container:b1026979e90fbe304ff75526b9ecad1a5c8999ad73b43d0cc3422e4a523aa73e",
            "Cgroup": "",   
            "Cgroups": "default",
            "Links": null, 
            "OomScoreAdj": 0, 
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": [],
            "Tmpfs": {},
            "UTSMode": "container:b1026979e90fbe304ff75526b9ecad1a5c8999ad73b43d0cc3422e4a523aa73e",
            "UsernsMode": "",
            "ShmSize": 0,
            "Runtime": "oci",
            "ConsoleSize": [
                0,                 
                0            
            ],         
            "Isolation": "", 
            "CpuShares": 0,
            "Memory": 0, 
            "NanoCpus": 0,
            "CgroupParent": "/libpod_parent/52348a2fe515f336943c9b3c2adbc7847c657a859b5dfedd21fbf2a2195cdaa5",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": 0,                                                                                                                        
            "OomKillDisable": false,                                                                                                                         
            "PidsLimit": 0,                                                                                                                               
            "Ulimits": [                                                                                                                                
                {
                    "Name": "RLIMIT_NOFILE",
                    "Soft": 1024,
                    "Hard": 1024
                }                                                             
            ],
            "CpuCount": 0,  
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0
        }                              
    }                                   
]                       

Steps to reproduce the issue:

  1. podman run -d --name=ulimit_test --ulimit nofile=1231:3123 alpine:3.16.2 sleep infinity

  2. podman exec -it ulimit_test /bin/sh -c "ulimit -Sn ; ulimit -Hn" observe values 1231 and 3123

  3. podman generate kube -s ulimit_test -f ulimit_test.yml

  4. podman stop -t0 ulimit_test && podman rm ulimit_test

  5. podman play kube ulimit_test.yml

  6. podman exec -it ulimittest /bin/sh -c "ulimit -Sn ; ulimit -Hn" observe different values than before

Describe the results you received:
After exporting and re-importing the container, the ulimits are different. 1231:3123 versus 1024:1024

Describe the results you expected:
I was hoping to be able to keep the original ulimits, even though the container definition was exported and re-imported. Or at least have an option that would allow me to set ulimits at play time, appending the --ulimit flag to podman, besides what's in the yml definition file.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:            1.6.4
RemoteAPI Version:  1
Go Version:         go1.12.12
OS/Arch:            linux/amd64

Output of podman info:

host:
  BuildahVersion: 1.11.7
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.8-1.el7.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.8, commit: f85c8b1ce77b73bcd48b2d802396321217008762'
  Distribution:
    distribution: '"centos"'
    version: "7"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 588
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 2115
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
  MemFree: 11418755072
  MemTotal: 67333496832
  OCIRuntime:
    name: runc
    package: containerd.io-1.4.3-3.1.el7.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc92
      commit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
      spec: 1.0.2-dev
  SwapFree: 2072748032
  SwapTotal: 2683281408
  arch: amd64
  cpus: 8
  eventlogger: file
  hostname: my-server
  kernel: 3.10.0-1160.76.1.el7.x86_64
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: slirp4netns-0.4.3-4.el7_8.x86_64
    Version: |-
      slirp4netns version 0.4.3
      commit: 2244b9b6461afeccad1678fac3d6e478c28b4ad6
  uptime: 151h 32m 20.04s (Approximately 6.29 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  ConfigFile: /home/dbadmin/.config/containers/storage.conf
  ContainerStore:
    number: 2
  GraphDriverName: overlay
  GraphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
      Version: |-
        fuse-overlayfs: version 0.7.2
        FUSE library version 3.6.1
        using FUSE kernel interface version 7.29
  GraphRoot: /home/dbadmin/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 5
  RunRoot: /run/user/2115/containers
  VolumePath: /home/dbadmin/.local/share/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

podman-1.6.4-36.el7_9.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

No

I've only checked https://docs.podman.io/en/latest/markdown/podman-kube-play.1.html and couldn't see an option/support for ulimits.

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical machine, environment details are above.

Thank you ! You're doing an awesome job !

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 4, 2022
@vrothberg
Member

Thanks for reaching out!

This is working in more recent versions of Podman:

~ $ podman container create --name test --memory 10MB --ulimit "nofile=65535:65535"  alpine
0189f17560ff9271caad8f71d93297b59d1331912c966807d093c25ee61d25d6
~ $ podman generate kube test
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-4.3.0-rc1
apiVersion: v1
kind: Pod
metadata:
  annotations:
    io.kubernetes.cri-o.TTY/test: "false"
    io.podman.annotations.autoremove/test: "FALSE"
    io.podman.annotations.init/test: "FALSE"
    io.podman.annotations.privileged/test: "FALSE"
    io.podman.annotations.publish-all/test: "FALSE"
  creationTimestamp: "2022-11-04T08:38:28Z"
  labels:
    app: test-pod
  name: test-pod
spec:
  automountServiceAccountToken: false
  containers:
  - image: docker.io/library/alpine:latest
    name: test
    resources:
      limits:
        memory: 10Mi
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE

See the memory: 10Mi?

@vrothberg
Member

Ah, apologies, the ulimits are not added yet.

@paul-grozav
Author

> Ah, apologies, the ulimits are not added yet.

Oh, thanks for confirming this, I didn't test with version 4.3.0-rc1

@rhatdan
Member

rhatdan commented Nov 4, 2022

Interested in opening a PR?

@rhatdan rhatdan added the kube label Nov 4, 2022
@rhatdan
Member

rhatdan commented Nov 4, 2022

Can you specify a ulimit within a kubernetes.yaml file?

@rhatdan
Member

rhatdan commented Nov 4, 2022

Perhaps the solution would be for us to add --ulimit to podman kube play command?

@rhatdan
Member

rhatdan commented Nov 4, 2022

podman pod create should probably have a ulimit as well.

@rhatdan
Member

rhatdan commented Nov 4, 2022

@cdoern PTAL

@paul-grozav
Author

@rhatdan

Q1: Interested in opening a PR?
A1: If that was intended for me, I don't have much experience in Go, it might take longer than it would take you - but that doesn't mean I shouldn't try - I'll get back with a pull-request if this is not fixed in the meantime :)

Q2: Can you specify a ulimit within a kubernetes.yaml file?
A2: It seems no, you pointed to this, kubernetes/kubernetes#3595, and it seems it's still not implemented almost 8 years later.

Q3: Perhaps the solution would be for us to add --ulimit to podman kube play command?
A3: That's what I was thinking too, maybe something like:
podman play kube --ulimit pod_name.container_name.ulimit_type=soft_value:hard_value ulimit_test.yml
example:
podman play kube --ulimit db.maria.nofile=1231:3123 ulimit_test.yml
Or maybe that's too obfuscated, whatever you think is best will be better than no option :)

@rhatdan
Member

rhatdan commented Nov 7, 2022

@cdoern or @umohnani8 Care to take a stab at Option 3?

@cdoern
Collaborator

cdoern commented Nov 7, 2022

Sure @rhatdan I'll try it this week

@cdoern cdoern self-assigned this Nov 7, 2022
@fpoirotte
Contributor

Another option would be to use annotations to define the intended limits.
This way, the limits will be exported automatically when podman generate kube is invoked.
What do you think?

@paul-grozav
Author

@fpoirotte, but that would only export/import the annotation, which can express the intention, but will not actually change the container's limit, right? So I don't see how it would help.

@fpoirotte
Contributor

podman could parse the annotations when reading the manifest in podman play kube and convert them to the proper internal representation of ulimits.

This would allow for self-contained manifests (instead of having part of the configuration in the manifest, and the rest as command-line options to podman play kube).
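
The annotation approach suggested above, sketched as an added example (not Podman's code and not written by anyone in this thread): a ulimit annotation is read from the manifest and validated into soft/hard pairs before any container is created. The annotation key `ulimit.example/limits`, the required `soft:hard` value syntax and the allowlist of limit types are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical annotation key for this example; the thread does not name one.
const ulimitAnnotation = "ulimit.example/limits"
// Rlimit is the soft:hard pair that --ulimit nofile=1231:3123 expresses; -1 means unlimited.
type Rlimit struct{ Type string; Soft, Hard int64 }

// Allowlist of limit types accepted from a manifest (an assumption of this example).
var allowed = map[string]bool{"nofile": true, "nproc": true, "core": true, "memlock": true}

func parseLimit(s string) (int64, error) {
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n < -1 {
		return 0, fmt.Errorf("invalid limit value %q", s)
	}
	return n, nil
}

// ParseUlimits turns an annotation such as "nofile=1231:3123,nproc=512:1024" into Rlimits.
func ParseUlimits(annotations map[string]string) ([]Rlimit, error) {
	raw, present := annotations[ulimitAnnotation]
	if !present {
		return nil, nil // no annotation: the caller keeps its defaults
	}
	var out []Rlimit
	for _, item := range strings.Split(raw, ",") {
		name, val, ok := strings.Cut(strings.TrimSpace(item), "=")
		softStr, hardStr, hasHard := strings.Cut(val, ":")
		if !ok || !hasHard || !allowed[name] {
			return nil, fmt.Errorf("unsupported ulimit %q", item)
		}
		soft, errS := parseLimit(softStr)
		hard, errH := parseLimit(hardStr)
		// setrlimit(2) rejects soft > hard, so refuse it before creating the container.
		if errS != nil || errH != nil || (hard != -1 && (soft == -1 || soft > hard)) {
			return nil, fmt.Errorf("ulimit %q: invalid soft:hard pair", item)
		}
		out = append(out, Rlimit{name, soft, hard})
	}
	return out, nil
}

func main() { fmt.Println(ParseUlimits(map[string]string{ulimitAnnotation: "nofile=1231:3123"})) }
```

Rejecting unknown limit types and inverted pairs at parse time means a manifest from an untrusted source fails loudly instead of silently running with the default 1024:1024 seen in the report.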

@rhatdan
Member

rhatdan commented Dec 12, 2022

We already do some of this with annotations now.

man podman-kube-play

...
Note: When playing a kube YAML with init containers, the init container
       will  be created with init type value once. To change the default type,
       use the io.podman.annotations.init.container.type annotation to set the
       type to always.
...
       Kubernetes PersistentVolumeClaims

       A  Kubernetes  PersistentVolumeClaim  represents a Podman named volume.
       Only the PersistentVolumeClaim name is required by Podman to  create  a
       volume. Kubernetes annotations can be used to make use of the available
       options for Podman volumes.

              • volume.podman.io/driver

              • volume.podman.io/device

              • volume.podman.io/type

              • volume.podman.io/uid

              • volume.podman.io/gid

              • volume.podman.io/mount-options

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@paul-grozav
Author

paul-grozav commented Jan 12, 2023

However I would still need a fix to this problem. I'm hoping that when @cdoern has some updates, he'll let us know 🤞 . Thank you !

@umohnani8 umohnani8 assigned umohnani8 and unassigned cdoern Jan 12, 2023
@umohnani8
Member

I will get started on this next week.

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 1, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 1, 2023