userns-remap:: user namespace does not isolate user limits #27444

Closed
arno01 opened this issue Oct 17, 2016 · 5 comments

arno01 commented Oct 17, 2016

Description

The user namespace does not isolate user limits.
Is this a current cgroups limitation?

Steps to reproduce the issue:

  1. prepare /etc/subuid and /etc/subgid files with the following line:
     dockremap:100000:65535
  2. launch dockerd with --userns-remap=default argument
  3. launch containerA:
    • create a user (uid: 700 [will get remapped to 100700])
    • run 7 daemon-processes under that user
  4. launch containerB:
    • set ulimit -n 7
    • create a user (uid: 700 [will get remapped to 100700])
    • try running at least 1 process under that user

Describe the results you received:

[containerB] The processes can't spawn due to a user limit:

bash: fork: retry: No child processes
bash: fork: Resource temporarily unavailable

Describe the results you expected:

[containerB] The processes should be normally running (up to 7 processes)

Output of docker version:

Client:
 Version:      1.12.2
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   bb80604
 Built:        
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.2
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   bb80604
 Built:        
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 2
 Running: 2
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 1.12.2
Storage Driver: overlay
 Backing Filesystem: xfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: overlay bridge host null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.7.7
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 992.4 MiB
Name: localhost.localdomain
ID: RHMN:4NGR:JZDO:CXJH:AVDQ:CVF7:L2QG:FE6T:K7NB:LTTE:SANY:4GP4
Docker Root Dir: /var/lib/docker/100000.100000
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.):

  • qemu-kvm
  • Running Linux kernel 4.7.7
justincormack (Contributor) commented:

Cc @estesp interesting issue...

On 17 Oct 2016 12:53 p.m., "Andrey Arapov" notifications@github.com wrote:

estesp (Contributor) commented Oct 18, 2016

The underlying issue is that the ulimits controls are not namespaced. For the limit you are talking about, NPROC, it is only related to the number of processes (threads) for the real user as understood by the kernel, without any awareness of user namespaces. That would have to be an upstream Linux kernel discussion to attempt to change that current behavior.

If you want a more granular approach to per-container process limits, and are able to use a host with Linux kernel 4.3 or above, the more recent --pids-limit capability is maybe a good alternative. This support came in PR #18697 and is part of Docker 1.11 and above releases.
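To make the explanation above concrete, here is an added Python model (not code from Docker or the Linux kernel) of the two accounting schemes: RLIMIT_NPROC keyed on the host kuid that the /etc/subuid remapping produces, versus the pids cgroup behind --pids-limit keyed on the container. The Kernel class and its two counters are a hypothetical simplification; the subuid line and uid 700 are the values from this issue.

```python
from dataclasses import dataclass, field

SUBUID_LINE = "dockremap:100000:65535"  # the /etc/subuid line from the issue

def parse_subuid(line):
    """Split a name:start:count subuid/subgid entry into its fields."""
    name, start, count = line.strip().split(":")
    return name, int(start), int(count)

def to_kuid(container_uid, subuid_line=SUBUID_LINE):
    """Host (kernel) uid that a uid inside the remapped container becomes."""
    _, start, count = parse_subuid(subuid_line)
    if not 0 <= container_uid < count:
        raise ValueError(f"uid {container_uid} is outside the subuid range")
    return start + container_uid

@dataclass
class Kernel:
    """Hypothetical model of two kernel counters, not the real kernel code."""
    nproc_by_kuid: dict = field(default_factory=dict)      # RLIMIT_NPROC
    pids_by_container: dict = field(default_factory=dict)  # pids cgroup

    def fork(self, container, kuid, rlimit_nproc=None, pids_limit=None):
        """Return True if the fork succeeds; False models EAGAIN."""
        # RLIMIT_NPROC is checked against the real kuid's process count,
        # with no awareness of which user namespace the caller is in.
        if rlimit_nproc is not None and self.nproc_by_kuid.get(kuid, 0) >= rlimit_nproc:
            return False
        # The pids cgroup counts per container, so it does isolate.
        if pids_limit is not None and self.pids_by_container.get(container, 0) >= pids_limit:
            return False
        self.nproc_by_kuid[kuid] = self.nproc_by_kuid.get(kuid, 0) + 1
        self.pids_by_container[container] = self.pids_by_container.get(container, 0) + 1
        return True

def reproduce():
    """Issue scenario: 7 processes in A, then nproc limit 7 in B."""
    k = Kernel()
    kuid = to_kuid(700)  # 100700 in both containers
    for _ in range(7):
        k.fork("containerA", kuid)
    return k.fork("containerB", kuid, rlimit_nproc=7)  # False: A's processes count

def with_pids_limit():
    """Same scenario with --pids-limit 7 on each container instead."""
    k = Kernel()
    kuid = to_kuid(700)
    for _ in range(7):
        k.fork("containerA", kuid, pids_limit=7)
    return k.fork("containerB", kuid, pids_limit=7)  # True: counted per container
```

Because both containers map uid 700 to the same host kuid 100700, the per-user counter is shared even though the user namespaces are separate; the pids cgroup never consults the uid at all.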

justincormack (Contributor) commented Oct 18, 2016

Ah yes that makes sense. It is not specific to user namespaces either. Using the --pids-limit seems the best solution.

Closing as working as intended, even if a bit unexpected. (Feel free to continue conversation).

estesp (Contributor) commented Oct 26, 2016

Interesting that this patch (re: namespacing the nproc limits per user/userns) just showed up on the containers linux mailing list--linking here for posterity as others may find this issue in the future: https://lists.linuxfoundation.org/pipermail/containers/2016-October/037599.html

arno01 (Author) commented Oct 26, 2016

That's really interesting, thanks for sharing this link here :-)
