From: Daan De Meyer Date: Wed, 13 Oct 2021 10:18:41 +0000 (+0100) Subject: nspawn: Copy RLIMIT_CORE and RLIMIT_NOFILE in non-booted nspawn containers X-Git-Tag: v11~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=784ccb7d979e752188b43a0ca1ca115145619cdf;p=thirdparty%2Fmkosi.git nspawn: Copy RLIMIT_CORE and RLIMIT_NOFILE in non-booted nspawn containers Avoid surprises by copying open files and coredump limits from the user running mkosi. Most noteably, this makes sure core dumps in non-booted mkosi containers actually end up on the host as previously the coredump size limit was zero in non-booted mkosi nspawn containers which led to no coredumps being generated at all on the host of processes that dumped core in the build containers (e.g. tests that raise SIGABRT). --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 4c6702015..308218c5f 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -78,6 +78,7 @@ from .backend import ( die, install_grub, nspawn_params_for_blockdev_access, + nspawn_rlimit_params, patch_file, path_relative_to_cwd, run, @@ -6841,6 +6842,7 @@ def run_build_script(args: CommandLineArguments, root: Path, raw: Optional[Binar f"--setenv=WITH_TESTS={one_zero(args.with_tests)}", f"--setenv=WITH_NETWORK={with_network}", "--setenv=DESTDIR=/root/dest", + *nspawn_rlimit_params(), ] cmdline.extend(f"--setenv={env}" for env in args.environment) @@ -7115,6 +7117,8 @@ def run_shell(args: CommandLineArguments) -> None: if args.verb == "boot": cmdline += ["--boot"] + else: + cmdline += nspawn_rlimit_params() if is_generated_root(args) or args.verity: cmdline += ["--volatile=overlay"] diff --git a/mkosi/backend.py b/mkosi/backend.py index 372cb7cac..8246e496b 100644 --- a/mkosi/backend.py +++ b/mkosi/backend.py @@ -8,6 +8,7 @@ import dataclasses import enum import math import os +import resource import shlex import shutil import signal 
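Review bot: In the `run_build_script` hunk, `*nspawn_rlimit_params()` is added with no comment on what a non-zero core limit means for the build environment. A core file is a copy of process memory, so a crash in the build script or its tests can now carry the values passed via `--setenv` (including the `args.environment` entries extended on the following line) into a dump that, per the commit message, ends up on the host. I would put a comment above the new line, for example `# Copies the caller's RLIMIT_CORE/RLIMIT_NOFILE; core dumps of build processes can contain build environment values (invoke mkosi under "ulimit -c 0" to suppress them)`. The same comment fits the identical addition in the `run_workspace_command` hunk in mkosi/backend.py and the new `else` branch in `run_shell`. The body of `run_build_script` starts and ends outside the hunk.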
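Review bot: The new `else:` branch in the `run_shell` hunk skips the copied limits for the `boot` verb without saying why; the only explanation is the word "non-booted" in the commit subject. A short comment would keep a later reader from treating the asymmetry as an oversight, for example `# Only non-booted containers inherit our limits; with --boot the container's init is assumed to apply its own`. That rationale is my inference from the commit message, so the author should confirm the wording. `run_shell` continues outside the hunk.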
@@ -547,6 +548,20 @@ def nspawn_params_for_blockdev_access(args: CommandLineArguments, loopdev: Path) return params +def format_rlimit(rlimit: int) -> str: + limits = resource.getrlimit(rlimit) + soft = "infinity" if limits[0] == resource.RLIM_INFINITY else str(limits[0]) + hard = "infinity" if limits[1] == resource.RLIM_INFINITY else str(limits[1]) + return f"{soft}:{hard}" + + +def nspawn_rlimit_params() -> Sequence[str]: + return [ + f"--rlimit=RLIMIT_CORE={format_rlimit(resource.RLIMIT_CORE)}", + f"--rlimit=RLIMIT_NOFILE={format_rlimit(resource.RLIMIT_NOFILE)}", + ] + + def run_workspace_command( args: CommandLineArguments, root: Path, @@ -565,6 +580,7 @@ def run_workspace_command( "--register=no", f"--bind={var_tmp(root)}:/var/tmp", "--setenv=SYSTEMD_OFFLINE=1", + *nspawn_rlimit_params(), ] if network:
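Review bot: `format_rlimit` and `nspawn_rlimit_params` are added without docstrings, and the parameter name in `format_rlimit(rlimit: int)` reads like a limit value although the callers pass a resource identifier such as `resource.RLIMIT_CORE`. Suggested docstrings are `"""Return this process's limit for resource *rlimit* as "soft:hard", spelling RLIM_INFINITY as "infinity"."""` and `"""Return --rlimit= options passing this process's RLIMIT_CORE and RLIMIT_NOFILE to systemd-nspawn."""`. The second should also say that the values are read from the mkosi process each time it is called. They may therefore differ from the interactive user's `ulimit` output when mkosi is started through a privilege wrapper or a service; that is an inference about deployment, not something the hunk shows.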