Re: pid 1 memlock setting configurable?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Do, 23.05.19 07:32, Kees Bos (cornelis.bos@xxxxxxxxx) wrote:

> Hi all,
>
> I couldn't find it with google, and before digging in the code just a
> quick question. Probably someone knows it in the top of h(is|er)
> head...
>
> It seems that systemd drops rlimit_memlock on startup. Correct? And if
> so, is it configurable?

No. It actually raises it to 64M if it can:

https://github.com/systemd/systemd/blob/master/src/core/main.c#L1380

Before doing so it will save the original setting though and that's
what it tries to pass to services invoked as default too. Thus,
RLIMIT_MEMLOCK should really just be bumped for PID 1 itself, and only
if privileges allow.

> Explanation for the question:
> In an unprivileged container I can set the memlock config lower than
> 16MB (16777216 bytes), but not higher. That is, i can configure it, but
> effectively the systemd process (pid 1) will never have a limit higher
> than 16MB. Since it's an unprivileged container (and thus a fake 'root'
> user), that limit also becomes the max for all spawned processes
> (including services).

I am not sure how precisely rlimits are affected by userns, but I'd
guess you can't set rlimits higher in it than what they are set in the
lowest process outside of the userns, but I don't really know...

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux