nspawn: bump RLIMIT_NOFILE for nspawn payload similar to how host PID 1 does it for...

We try to pass containers roughly the same rlimits as the host gets from
the kernel. However, this means we'd set the RLIMIT_NOFILE to 4K. Which
is quite limiting though, and is something we actually departed from in
PID1: since 52d620757817bc0fa7de3ddbe43024544ced7ea0 we raise the limit
substantially for all userspace.

Given that nspawn is quite often invoked without proper PID1, let's raise the
limits for container payloads the same way as we do from the real PID1
to its service payloads.

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 7dbc84369b54e44826efb781ddfc0580b18e6eac..d133ca7be39842408ef06acf8a96116c868bb8e0 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -5330,6 +5330,15 @@ static int initialize_rlimits(void) {
                                 if (prlimit(1, rl, NULL, &buffer) < 0)
                                         return log_error_errno(errno, "Failed to read resource limit RLIMIT_%s of PID 1: %m", rlimit_to_string(rl));
 
+                                v = &buffer;
+                        } else if (rl == RLIMIT_NOFILE) {
+                                /* We nowadays bump RLIMIT_NOFILE's hard limit early in PID 1 for all
+                                 * userspace. Given that nspawn containers are often run without our PID 1,
+                                 * let's grant the containers a raised RLIMIT_NOFILE hard limit by default,
+                                 * so that container userspace gets similar resources as host userspace
+                                 * gets. */
+                                buffer = kernel_defaults[rl];
+                                buffer.rlim_max = MIN((rlim_t) read_nr_open(), (rlim_t) HIGH_RLIMIT_NOFILE);
                                 v = &buffer;
                         } else
                                 v = kernel_defaults + rl;