
group.of.nepali.translators team mailing list archive

[Bug 1686361] Re: systemd does not respect nofile ulimit when running in container


This bug was fixed in the package systemd - 229-4ubuntu19

---------------
systemd (229-4ubuntu19) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: partially
    revert, by removing ExecStart|StopPost lines, as these are not needed on
    xenial and generate warnings in the journal. (LP: #1704677)

systemd (229-4ubuntu18) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: if resolved
    is going to be started, make sure this blocks network-online.target.
    (LP: #1673860)
  * networkd: cherry-pick support for setting bridge port's priority
    (LP: #1668347)
  * Cherrypick upstream commit to enable systemd to use kernel maximum limit for
    RLIMIT_NOFILE instead of hard-coded (low) limit of 65536. (LP: #1686361)
  * Cherrypick upstream patch for platform predictable interface names.
    (LP: #1686784)
  * resolved: fix null pointer dereference crash (LP: #1621396)
  * Cherrypick core/timer downgrade message about random time addition
    (LP: #1692136)
  * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546)
    - CVE-2017-9445
  * Cherry-pick subset of patches to introduce infinity value in logind.conf
    for UserTasksMax (LP: #1651518)

 -- Dimitri John Ledkov <xnox@xxxxxxxxxx>  Mon, 17 Jul 2017 17:00:42 +0100

** Changed in: systemd (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9445

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1686361

Title:
  systemd does not respect nofile ulimit when running in container

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Fix Released
Status in systemd source package in Yakkety:
  In Progress
Status in systemd source package in Zesty:
  Fix Released
Status in systemd source package in Artful:
  Fix Released

Bug description:
  [Impact]

   * Containers cannot use maximum RLIMIT_NOFILE, because systemd sets
  an arbitrary cap.

  [Test Case]

   * Start container with high RLIMIT_NOFILE (e.g. 100 000)
   * Check that RLIMIT_NOFILE on the container is more than 65536

  [Regression Potential]

   * This is a feature / change of behaviour. Some users may be relying
  on the lower RLIMIT_NOFILE cap, but it should not have a negative
  impact on the host (as in creating too many file descriptors/denial of
  service).

  [Original Bug Report]

  When systemd currently starts in a container that has RLIMIT_NOFILE set to e.g.
  100000, systemd will lower it to 65536 since this value is hard-coded into systemd.
  I've pushed a patch to systemd upstream that will try to set
  the nofile limit to the allowed kernel maximum. If this fails, it will compute
  the minimum of the current set value (the limit that is set on the container)
  and the maximum value as soft limit and the currently set maximum value as the
  maximum value. This way it retains the limit set on the container.
  It would be great if we could backport this patch to have systemd adhere to
  nofile limits set for the container. This is especially important since user
  namespaces will allow you to lower the limit but not raise it back up afterwards.
  The upstream patch is appended.
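The limit-raising logic the report describes, and the check from the [Test Case] section, as an added C example. This is editor-written illustration code, not the upstream systemd patch and not part of the bug report; it assumes the kernel ceiling is read from /proc/sys/fs/nr_open, and it reads the report's "current set value" as the hard limit already set on the container, so the fallback is soft = min(container hard limit, kernel maximum) with the hard limit left unchanged. Run as a normal user it exercises the fallback path (raising the hard limit needs CAP_SYS_RESOURCE); run with that capability it takes the first path.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Kernel ceiling for RLIMIT_NOFILE (sysctl fs.nr_open). Returns 0 if it
 * cannot be read, so callers never mistake "unknown" for a real limit. */
rlim_t read_nr_open(void)
{
        FILE *f = fopen("/proc/sys/fs/nr_open", "r");
        unsigned long long v = 0;
        int n;

        if (!f)
                return 0;
        n = fscanf(f, "%llu", &v);
        fclose(f);
        return n == 1 ? (rlim_t) v : 0;
}

/* Fallback policy as described in the bug report (assumption: the
 * "current set value" is the hard limit the container was started with):
 * soft = min(current hard limit, kernel maximum), hard = unchanged.
 * The cap set from outside is retained instead of being clamped to 65536. */
struct rlimit nofile_fallback(struct rlimit current, rlim_t kernel_max)
{
        struct rlimit r = current;

        r.rlim_cur = current.rlim_max < kernel_max ? current.rlim_max : kernel_max;
        return r;
}

/* First try to lift both soft and hard RLIMIT_NOFILE to the kernel maximum.
 * If the kernel refuses (no CAP_SYS_RESOURCE, the usual case in a container),
 * apply the fallback, which only ever moves the soft limit up to the hard
 * limit and therefore needs no privilege. Returns 0 or -errno; the limit
 * actually applied is written to *applied when it is non-NULL. */
int bump_rlimit_nofile(rlim_t kernel_max, struct rlimit *applied)
{
        struct rlimit current, want;

        if (kernel_max == 0)
                return -EINVAL;   /* refuse to lower the limit to 0 on a failed read */
        if (getrlimit(RLIMIT_NOFILE, &current) < 0)
                return -errno;

        want.rlim_cur = want.rlim_max = kernel_max;
        if (setrlimit(RLIMIT_NOFILE, &want) < 0) {
                want = nofile_fallback(current, kernel_max);
                if (setrlimit(RLIMIT_NOFILE, &want) < 0)
                        return -errno;
        }
        if (applied)
                *applied = want;
        return 0;
}

/* The [Test Case] check: is the hard limit above the old hard-coded cap?
 * Returns 1/0, or -errno if the limit cannot be queried. */
int nofile_above(rlim_t threshold)
{
        struct rlimit r;

        if (getrlimit(RLIMIT_NOFILE, &r) < 0)
                return -errno;
        return r.rlim_max > threshold;
}

int main(void)
{
        struct rlimit r;
        rlim_t nr = read_nr_open();
        int rc = bump_rlimit_nofile(nr, &r);

        if (rc < 0) {
                fprintf(stderr, "bump failed: %s\n", strerror(-rc));
                return 1;
        }
        printf("fs.nr_open=%llu applied soft=%llu hard=%llu, hard > 65536: %s\n",
               (unsigned long long) nr, (unsigned long long) r.rlim_cur,
               (unsigned long long) r.rlim_max, nofile_above(65536) > 0 ? "yes" : "no");
        return 0;
}
```

Build with `cc -o nofile nofile.c` and run it once inside a container started with a high RLIMIT_NOFILE (the report's example is 100000) and once on the host: in both cases the applied hard limit should equal what the container or host was started with, never a fixed 65536.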

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1686361/+subscriptions