2017-04-26 10:11:19 |
Christian Brauner |
bug |
|
|
added bug |
2017-04-26 10:11:19 |
Christian Brauner |
attachment added |
|
0001-main-improve-RLIMIT_NOFILE-handling-5795.patch https://bugs.launchpad.net/bugs/1686361/+attachment/4868175/+files/0001-main-improve-RLIMIT_NOFILE-handling-5795.patch |
|
2017-04-26 10:27:16 |
Dimitri John Ledkov |
systemd (Ubuntu): milestone |
|
ubuntu-17.05 |
|
2017-04-26 10:27:19 |
Dimitri John Ledkov |
systemd (Ubuntu): assignee |
|
Dimitri John Ledkov (xnox) |
|
2017-04-26 10:27:21 |
Dimitri John Ledkov |
systemd (Ubuntu): status |
New |
Confirmed |
|
2017-04-26 10:59:53 |
Christian Brauner |
bug |
|
|
added subscriber Stéphane Graber |
2017-04-26 11:52:30 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Zesty |
|
2017-04-26 11:52:30 |
Dimitri John Ledkov |
bug task added |
|
systemd (Ubuntu Zesty) |
|
2017-04-26 11:52:30 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Artful |
|
2017-04-26 11:52:30 |
Dimitri John Ledkov |
bug task added |
|
systemd (Ubuntu Artful) |
|
2017-04-26 11:52:30 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Xenial |
|
2017-04-26 11:52:30 |
Dimitri John Ledkov |
bug task added |
|
systemd (Ubuntu Xenial) |
|
2017-04-26 11:52:30 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Yakkety |
|
2017-04-26 11:52:30 |
Dimitri John Ledkov |
bug task added |
|
systemd (Ubuntu Yakkety) |
|
2017-04-26 12:32:20 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2017-04-26 12:32:27 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2017-05-02 09:20:39 |
Dimitri John Ledkov |
systemd (Ubuntu Artful): status |
Confirmed |
Fix Committed |
|
2017-05-11 18:45:45 |
Launchpad Janitor |
systemd (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2017-05-22 10:19:19 |
Dimitri John Ledkov |
systemd (Ubuntu Zesty): status |
New |
Fix Committed |
|
2017-05-22 10:19:22 |
Dimitri John Ledkov |
systemd (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-05-22 10:19:24 |
Dimitri John Ledkov |
systemd (Ubuntu Zesty): assignee |
|
Dimitri John Ledkov (xnox) |
|
2017-05-22 10:19:26 |
Dimitri John Ledkov |
systemd (Ubuntu Zesty): milestone |
|
zesty-updates |
|
2017-06-07 16:09:20 |
Dimitri John Ledkov |
systemd (Ubuntu Zesty): status |
Fix Committed |
In Progress |
|
2017-06-07 21:14:51 |
Dimitri John Ledkov |
description |
When systemd currently starts in a container that has RLIMIT_NOFILE set to e.g.
100000, systemd will lower it to 65536 since this value is hard-coded into systemd.
I've pushed a patch to systemd upstream that will try to set
the nofile limit to the allowed kernel maximum. If this fails, it will compute
the minimum of the current set value (the limit that is set on the container)
and the maximum value as soft limit and the currently set maximum value as the
maximum value. This way it retains the limit set on the container.
It would be great if we could backport this patch to have systemd adhere to
nofile limits set for the container. This is especially important since user
namespaces will allow you to lower the limit but not raise it back up afterwards.
The upstream patch is appended. |
[Impact]
* Containers cannot use maximum RLIMIT_NOFILE, because systemd sets an arbitrary cap.
[Test Case]
* Start container with high RLIMIT_NOFILE (e.g. 100 000)
* Check that RLIMIT_NOFILE on the container is more than 65536
[Regression Potential]
* This is a feature / change of behaviour. Some users may be relying on the lower RLIMIT_NOFILE cap, but it should not have a negative impact on the host (as in creating too many file descriptors/denial of service).
[Original Bug Report]
When systemd currently starts in a container that has RLIMIT_NOFILE set to e.g.
100000, systemd will lower it to 65536 since this value is hard-coded into systemd.
I've pushed a patch to systemd upstream that will try to set
the nofile limit to the allowed kernel maximum. If this fails, it will compute
the minimum of the current set value (the limit that is set on the container)
and the maximum value as soft limit and the currently set maximum value as the
maximum value. This way it retains the limit set on the container.
It would be great if we could backport this patch to have systemd adhere to
nofile limits set for the container. This is especially important since user
namespaces will allow you to lower the limit but not raise it back up afterwards.
The upstream patch is appended. |
|
2017-06-12 21:28:51 |
Brian Murray |
systemd (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
2017-06-12 21:28:54 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-06-12 21:28:56 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2017-06-12 21:29:00 |
Brian Murray |
tags |
patch |
patch verification-needed |
|
2017-06-19 13:38:15 |
Dimitri John Ledkov |
tags |
patch verification-needed |
patch verification-done |
|
2017-06-19 13:39:13 |
Dimitri John Ledkov |
tags |
patch verification-done |
patch verification-done verification-done-zesty |
|
2017-06-23 03:37:41 |
Launchpad Janitor |
systemd (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-06-23 03:38:03 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-07-04 09:10:22 |
Dimitri John Ledkov |
systemd (Ubuntu Xenial): milestone |
|
ubuntu-16.04.3 |
|
2017-07-04 09:52:13 |
Dimitri John Ledkov |
systemd (Ubuntu Yakkety): status |
New |
In Progress |
|
2017-07-10 15:33:00 |
Łukasz Zemczak |
systemd (Ubuntu Xenial): status |
New |
Fix Committed |
|
2017-07-10 15:33:01 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-07-10 15:33:08 |
Łukasz Zemczak |
tags |
patch verification-done verification-done-zesty |
patch verification-done-zesty verification-needed verification-needed-xenial |
|
2017-07-12 14:05:43 |
Dimitri John Ledkov |
tags |
patch verification-done-zesty verification-needed verification-needed-xenial |
patch verification-done verification-done-xenial verification-done-zesty |
|
2017-07-18 23:34:11 |
Adam Conrad |
tags |
patch verification-done verification-done-xenial verification-done-zesty |
patch verification-done-zesty verification-needed verification-needed-xenial |
|
2017-07-20 14:06:50 |
Dimitri John Ledkov |
tags |
patch verification-done-zesty verification-needed verification-needed-xenial |
patch verification-done verification-done-xenial verification-done-zesty |
|
2017-07-20 23:43:25 |
Launchpad Janitor |
systemd (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-07-20 23:43:25 |
Launchpad Janitor |
cve linked |
|
2017-9445 |
|
2017-07-21 09:22:32 |
Dimitri John Ledkov |
bug task deleted |
systemd (Ubuntu Yakkety) |
|
|