systemd does not respect nofile ulimit when running in container

Bug #1686361 reported by Christian Brauner on 2017-04-26
Affects             Status    Importance    Assigned to            Milestone
systemd (Ubuntu)              Undecided     Dimitri John Ledkov
  Xenial                      Undecided     Unassigned
  Zesty                       Medium        Dimitri John Ledkov
  Artful                      Undecided     Dimitri John Ledkov

Bug Description

[Impact]

 * Containers cannot use maximum RLIMIT_NOFILE, because systemd sets an arbitrary cap.

[Test Case]

 * Start container with high RLIMIT_NOFILE (e.g. 100 000)
 * Check that RLIMIT_NOFILE on the container is more than 65536

[Regression Potential]

 * This is a feature / change of behaviour. Some users may be relying on the lower RLIMIT_NOFILE cap, but it should not have a negative impact on the host (as in creating too many file descriptors/denial of service).

[Original Bug Report]

When systemd currently starts in a container that has RLIMIT_NOFILE set to e.g.
100000, systemd will lower it to 65536, since this value is hard-coded into systemd.
I've pushed a patch to systemd upstream that will try to set
the nofile limit to the allowed kernel maximum. If this fails, it will compute
the minimum of the current set value (the limit that is set on the container)
and the maximum value as soft limit and the currently set maximum value as the
maximum value. This way it retains the limit set on the container.
It would be great if we could backport this patch to have systemd adhere to
nofile limits set for the container. This is especially important since user
namespaces will allow you to lower the limit but not raise it back up afterwards.
The upstream patch is appended.
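The following is an added example, not the upstream patch attached to this bug and not systemd's own code. It implements the behaviour the report describes (first try {nr_open, nr_open}; if that is refused with EPERM, keep the container's hard limit and use min(nr_open, hard) as the soft limit) and the [Test Case] check above (read the hard "Max open files" value of a process, PID 1 being the container's init, and compare it with the old 65536 cap). Assumptions: /proc/sys/fs/nr_open is the kernel maximum and 1048576 is used as a fallback when it cannot be read; the two sample /proc/<pid>/limits texts are constructed, not taken from the bug.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

#define LEGACY_NOFILE_CAP 65536      /* cap old systemd hard-coded (from the bug report) */
#define FALLBACK_NR_OPEN 1048576ULL  /* assumed kernel default if /proc/sys/fs/nr_open is unreadable */

/* Kernel-wide ceiling on per-process open files. */
rlim_t read_kernel_nr_open(void) {
    unsigned long long v = FALLBACK_NR_OPEN;
    FILE *f = fopen("/proc/sys/fs/nr_open", "r");
    if (f) {
        if (fscanf(f, "%llu", &v) != 1)
            v = FALLBACK_NR_OPEN;
        fclose(f);
    }
    return (rlim_t) v;
}

/* Second choice when {nr_open, nr_open} is refused with EPERM (what an
 * unprivileged or user-namespaced container sees): keep the hard limit the
 * container was given, soft = min(nr_open, that hard limit). Pure, so the
 * arithmetic can be checked without privileges. */
struct rlimit nofile_fallback(struct rlimit current, rlim_t nr_open) {
    struct rlimit r;
    r.rlim_max = current.rlim_max;
    r.rlim_cur = nr_open < current.rlim_max ? nr_open : current.rlim_max;
    return r;
}

/* Apply the policy to the calling process: first the kernel maximum, then
 * the fallback. Returns 0 or -errno. */
int bump_rlimit_nofile(void) {
    struct rlimit current, want;
    rlim_t nr_open = read_kernel_nr_open();

    if (getrlimit(RLIMIT_NOFILE, &current) < 0)
        return -errno;
    want.rlim_cur = want.rlim_max = nr_open;
    if (setrlimit(RLIMIT_NOFILE, &want) == 0)
        return 0;
    if (errno != EPERM)
        return -errno;
    want = nofile_fallback(current, nr_open);
    if (setrlimit(RLIMIT_NOFILE, &want) < 0)
        return -errno;
    return 0;
}

/* Property the fix restores: after bumping, the hard limit is never lower
 * than what the process started with. Returns 1 if that holds. */
int bump_and_verify(void) {
    struct rlimit before, after;
    if (getrlimit(RLIMIT_NOFILE, &before) < 0) return 0;
    if (bump_rlimit_nofile() != 0) return 0;
    if (getrlimit(RLIMIT_NOFILE, &after) < 0) return 0;
    return after.rlim_max >= before.rlim_max && after.rlim_cur <= after.rlim_max;
}

/* [Test Case] helper: hard "Max open files" value from /proc/<pid>/limits-style
 * text (columns: name, soft, hard, units). Returns 0 if the line is absent. */
unsigned long long nofile_hard_from_text(const char *text) {
    const char *line = text;
    while (line && *line) {
        if (strncmp(line, "Max open files", 14) == 0) {
            unsigned long long soft, hard;
            return sscanf(line + 14, "%llu %llu", &soft, &hard) == 2 ? hard : 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* Same check against a live process; PID 1 inside the container is its init. */
unsigned long long nofile_hard_of_pid(int pid) {
    char path[64], buf[4096];
    size_t n;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%d/limits", pid);
    f = fopen(path, "r");
    if (!f) return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return nofile_hard_from_text(buf);
}

int nofile_exceeds_legacy_cap(unsigned long long hard) { return hard > LEGACY_NOFILE_CAP; }

/* Constructed samples in /proc/<pid>/limits format (not captured from the bug). */
const char *SAMPLE_LIMITS_CAPPED =
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max open files            65536                65536                files\n";
const char *SAMPLE_LIMITS_RAISED =
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max open files            1048576              1048576              files\n";

int main(void) {
    unsigned long long pid1 = nofile_hard_of_pid(1);
    printf("bump ok: %d, PID 1 hard nofile: %llu, exceeds %d: %d\n",
           bump_and_verify(), pid1, LEGACY_NOFILE_CAP, nofile_exceeds_legacy_cap(pid1));
    return 0;
}
```

Run inside the container before and after upgrading systemd: with the old hard-coded cap, PID 1 reports 65536 and the check fails; after the fix it reports the value the container was started with (the 100000 of the test case, or the 1048576 seen in the verification comments below).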


Changed in systemd (Ubuntu):
milestone: none → ubuntu-17.05
assignee: nobody → Dimitri John Ledkov (xnox)
status: New → Confirmed

Would be good if we could also SRU that to Xenial as well since this is
likely what users will be using most of the time as image in their
container. Adding stgraber to this thread.

The attachment "0001-main-improve-RLIMIT_NOFILE-handling-5795.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in systemd (Ubuntu Artful):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 233-6ubuntu1

---------------
systemd (233-6ubuntu1) artful; urgency=medium

  Merge from Debian, existing changes:
  * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x.
    New udev generates stable interface names on s390x kvm instances, however, upon
    upgrades existing ethX names should be preserved to prevent breaking networking
    and software configurations.
    This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437)
  * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd.
  * networkd: cherry-pick support for setting bridge port's priority.
    This is a useful feature/bugfix to improve feature parity of networkd with
    ifupdown. This matches netplan's expectations to be able to set bridge port's
    priorities via networkd. This feature is to be used by netplan/MAAS/OpenStack.

  New changes:
  * Cherrypick upstream commit to enable systemd to use kernel maximum limit for
    RLIMIT_NOFILE instead of hard-coded (low) limit of 65536. (LP: #1686361)
  * debian/tests/root-unittests: disable execute and seccomp tests on arm
    test-seccomp and test-execute fail on arm64 kernels. Marking both tests as
    expected failures. An upstream bug report is filed to resolve these.
    (LP: #1672499)

systemd (233-6) experimental; urgency=medium

  [ Felipe Sateler ]
  * Backport upstream PR #5531.
    This delays opening the mdns and llmnr sockets until a network has enabled
    them. This silences annoying messages when networkd receives such packets
    without expecting them: Got mDNS UDP packet on unknown scope.

  [ Martin Pitt ]
  * resolved: Disable DNSSEC by default on stretch and zesty.
    Both Debian stretch and Ubuntu zesty are close to releasing, switch to
    DNSSEC=off by default for those. Users can still turn it back on with
    DNSSEC=allow-downgrade (or even "yes").

  [ Michael Biebl ]
  * Add Conflicts against hal.
    Since v183, udev no longer supports RUN+="socket:". This feature is
    still used by hal, but now generates vast amounts of errors in the
    journal. Thus force the removal of hal by adding a Conflicts to the udev
    package. This is safe, as hal is long dead and no longer useful.
  * Drop systemd-ui Suggests
    systemd-ui is unmaintained upstream and not particularly useful anymore.
  * journal: fix up syslog facility when forwarding native messages.
    Native journal messages (_TRANSPORT=journal) typically don't have a
    syslog facility attached to it. As a result when forwarding the
    messages to syslog they ended up with facility 0 (LOG_KERN).
    Apply syslog_fixup_facility() so we use LOG_USER instead.
    (Closes: #837893)
  * Split upstream tests into systemd-tests binary package (Closes: #859152)
  * Get PACKAGE_VERSION from config.h.
    This also works with meson and is not autotools specific.

  [ Sjoerd Simons ]
  * init-functions Only call daemon-reload when planning to redirect
    systemctl daemon-reload is quite a heavy operation, it will re-parse
    all configuration and re-run all generators. This should only be done
    when strictly needed. (Closes: #861158)

 -- Dimitri ...


Changed in systemd (Ubuntu Artful):
status: Fix Committed → Fix Released
Changed in systemd (Ubuntu Zesty):
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → Dimitri John Ledkov (xnox)
milestone: none → zesty-updates
Łukasz Zemczak (sil2100) wrote :

Thank you for uploading this stable release update! To ease the SRU review process and later package validation, could you please update the bug description to include the relevant SRU information [1]?

[1] https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

Changed in systemd (Ubuntu Zesty):
status: Fix Committed → In Progress
description: updated

Hello Christian, or anyone else affected,

Accepted systemd into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/232-21ubuntu4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in systemd (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed
Dimitri John Ledkov (xnox) wrote :

Installed zesty virtual machine, and configured to have 1048576 nofile hard limit, verified with prlimit command.

Configured and launched lxd i386 zesty container, the prlimit had hard limit of 65536.

Upgraded systemd in the container to 232-21ubuntu4, restarted the container, and it now has 1048576 hard limit as expected.

tags: added: verification-done
removed: verification-needed
tags: added: verification-done-zesty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 232-21ubuntu4

---------------
systemd (232-21ubuntu4) zesty; urgency=medium

  * Cherrypick upstream commit to enable systemd to use kernel maximum limit for
    RLIMIT_NOFILE instead of hard-coded (low) limit of 65536. (LP: #1686361)
  * debian/tests/root-unittests: disable execute and seccomp tests on arm
    test-seccomp and test-execute fail on arm64 kernels. Marking both tests as
    expected failures. An upstream bug report is filed to resolve these.
    (LP: #1672499)
  * Cherrypick upstream patch for platform predictable interface names.
    (LP: #1686784)
  * resolved: fix null pointer dereference crash (LP: #1621396)
  * Cherrypick core/timer downgrade message about random time addition
    (LP: #1692136)

 -- Dimitri John Ledkov <email address hidden> Wed, 24 May 2017 16:26:16 +0100

Changed in systemd (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in systemd (Ubuntu Xenial):
milestone: none → ubuntu-16.04.3
Changed in systemd (Ubuntu Yakkety):
status: New → In Progress

Hello Christian, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu18 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in systemd (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-done
Dimitri John Ledkov (xnox) wrote :

Adjusted hard and soft nofile limits on the host to 100000, launched container and observed lower nofile limits in prlimit. Upgraded systemd in the container from 229-4ubuntu17 to 229-4ubuntu18. Rebooted the container and observed much higher nofile limits.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Adam Conrad (adconrad) wrote :

Hello Christian, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu19 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial
Dimitri John Ledkov (xnox) wrote :

Upgrading previously verified container from 229-4ubuntu18 to 229-4ubuntu19, the container after rebuild still has observed much higher nofile limits / not arbitrarily limited.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 229-4ubuntu19

---------------
systemd (229-4ubuntu19) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: partially
    revert, by removing ExecStart|StopPost lines, as these are not needed on
    xenial and generate warnings in the journal. (LP: #1704677)

systemd (229-4ubuntu18) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: if resolved
    is going to be started, make sure this blocks network-online.target.
    (LP: #1673860)
  * networkd: cherry-pick support for setting bridge port's priority
    (LP: #1668347)
  * Cherrypick upstream commit to enable systemd to use kernel maximum limit for
    RLIMIT_NOFILE instead of hard-coded (low) limit of 65536. (LP: #1686361)
  * Cherrypick upstream patch for platform predictable interface names.
    (LP: #1686784)
  * resolved: fix null pointer dereference crash (LP: #1621396)
  * Cherrypick core/timer downgrade message about random time addition
    (LP: #1692136)
  * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546)
    - CVE-2017-9445
  * Cherry-pick subset of patches to introduce infinity value in logind.conf
    for UserTasksMax (LP: #1651518)

 -- Dimitri John Ledkov <email address hidden> Mon, 17 Jul 2017 17:00:42 +0100

Changed in systemd (Ubuntu Xenial):
status: Fix Committed → Fix Released
no longer affects: systemd (Ubuntu Yakkety)