*: use rlimit.RemoveMemlock() for setting RLIM_INFINITY

Clean up the wide variety of ways in which memlock was bumped to infinity.

On newer kernels with memcg accounting, this becomes a no-op as it's no
longer necessary to bump the rlimit.

Lowering the limit after e.g. a test suite or map creation is no longer done
as there's arguably little point in doing so given the limit only applies to
the current process and the getting/setting is inherently racy.

Signed-off-by: Timo Beckers <timo@isovalent.com>

bpf/tests/prog_test/prog_test.go

@@ -17,12 +17,13 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/cilium/ebpf"
-	"github.com/cilium/ebpf/perf"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/perf"
+	"github.com/cilium/ebpf/rlimit"
 
 	"github.com/cilium/cilium/pkg/bpf"
 	"github.com/cilium/cilium/pkg/byteorder"
@@ -390,11 +391,7 @@ func TestCt(t *testing.T) {
 }
 
 func TestMain(m *testing.M) {
-	lim := unix.Rlimit{
-		Cur: unix.RLIM_INFINITY,
-		Max: unix.RLIM_INFINITY,
-	}
-	if err := unix.Setrlimit(unix.RLIMIT_MEMLOCK, &lim); err != nil {
+	if err := rlimit.RemoveMemlock(); err != nil {
 		logrus.Fatalf("setrlimit: %v", err)
 	}
 	os.Exit(m.Run())

daemon/cmd/daemon.go

@@ -17,11 +17,12 @@ import (
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sync/semaphore"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/api/v1/models"
 	health "github.com/cilium/cilium/cilium-health/launch"
 	"github.com/cilium/cilium/pkg/bandwidth"
 	"github.com/cilium/cilium/pkg/bgp/speaker"
-	"github.com/cilium/cilium/pkg/bpf"
 	"github.com/cilium/cilium/pkg/cidr"
 	"github.com/cilium/cilium/pkg/clustermesh"
 	"github.com/cilium/cilium/pkg/controller"
@@ -393,7 +394,7 @@ func NewDaemon(ctx context.Context, cancel context.CancelFunc, epMgr *endpointma
 	})
 
 	if option.Config.DryMode == false {
-		if err := bpf.ConfigureResourceLimits(); err != nil {
+		if err := rlimit.RemoveMemlock(); err != nil {
 			return nil, nil, fmt.Errorf("unable to set memory resource limits: %w", err)
 		}
 	}

pkg/bpf/bpf_linux.go

@@ -18,6 +18,8 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/logging/logfields"
 	"github.com/cilium/cilium/pkg/metrics"
 	"github.com/cilium/cilium/pkg/option"
@@ -612,7 +614,6 @@ type bpfAttachProg struct {
 // whether it succeeds in doing so. This can be used to bail out early
 // in the daemon when a given type is not supported.
 func TestDummyProg(progType ProgType, attachType uint32) error {
-	var oldLim unix.Rlimit
 	insns := []byte{
 		// R0 = 1; EXIT
 		0xb7, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
@@ -626,22 +627,13 @@ func TestDummyProg(progType ProgType, attachType uint32) error {
 		Insns:      uintptr(unsafe.Pointer(&insns[0])),
 		License:    uintptr(unsafe.Pointer(&license[0])),
 	}
-	tmpLim := unix.Rlimit{
-		Cur: unix.RLIM_INFINITY,
-		Max: unix.RLIM_INFINITY,
-	}
-	err := unix.Getrlimit(unix.RLIMIT_MEMLOCK, &oldLim)
-	if err != nil {
-		return err
-	}
-	err = unix.Setrlimit(unix.RLIMIT_MEMLOCK, &tmpLim)
-	if err != nil {
+	if err := rlimit.RemoveMemlock(); err != nil {
 		return err
 	}
 	fd, _, errno := unix.Syscall(unix.SYS_BPF, BPF_PROG_LOAD,
 		uintptr(unsafe.Pointer(&bpfAttr)),
 		unsafe.Sizeof(bpfAttr))
-	unix.Setrlimit(unix.RLIMIT_MEMLOCK, &oldLim)
+
 	if errno == 0 {
 		defer unix.Close(int(fd))
 		bpfAttr := bpfAttachProg{

pkg/bpf/map_linux_test.go

@@ -18,6 +18,8 @@ import (
 
 	. "gopkg.in/check.v1"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/checker"
 	"github.com/cilium/cilium/pkg/datapath/linux/probes"
 )
@@ -63,7 +65,7 @@ var (
 
 func runTests(m *testing.M) (int, error) {
 	CheckOrMountFS("")
-	if err := ConfigureResourceLimits(); err != nil {
+	if err := rlimit.RemoveMemlock(); err != nil {
 		return 1, fmt.Errorf("Failed to configure rlimit")
 	}
 

pkg/datapath/connector/ipvlan.go

@@ -6,12 +6,13 @@ package connector
 import (
 	"fmt"
 
-	"github.com/cilium/ebpf"
-	"github.com/cilium/ebpf/asm"
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
-	"golang.org/x/sys/unix"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/asm"
+	"github.com/cilium/ebpf/rlimit"
 
 	"github.com/cilium/cilium/api/v1/models"
 	"github.com/cilium/cilium/pkg/datapath/link"
@@ -35,13 +36,7 @@ func getEntryProgInstructions(fd int) asm.Instructions {
 // NB: Do not close the returned map before it has been pinned. Otherwise,
 // the map will be destroyed.
 func setupIpvlanInRemoteNs(netNs ns.NetNS, srcIfName, dstIfName string) (*ebpf.Map, error) {
-	rl := unix.Rlimit{
-		Cur: unix.RLIM_INFINITY,
-		Max: unix.RLIM_INFINITY,
-	}
-
-	err := unix.Setrlimit(unix.RLIMIT_MEMLOCK, &rl)
-	if err != nil {
+	if err := rlimit.RemoveMemlock(); err != nil {
 		return nil, fmt.Errorf("unable to increase rlimit: %s", err)
 	}
 

pkg/datapath/linux/config/config_test.go

@@ -17,7 +17,8 @@ import (
 	"github.com/vishvananda/netlink"
 	. "gopkg.in/check.v1"
 
-	"github.com/cilium/cilium/pkg/bpf"
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/datapath"
 	"github.com/cilium/cilium/pkg/datapath/loader"
 	"github.com/cilium/cilium/pkg/maps/ctmap"
@@ -47,7 +48,7 @@ func (s *ConfigSuite) SetUpSuite(c *C) {
 }
 
 func (s *ConfigSuite) SetUpTest(c *C) {
-	err := bpf.ConfigureResourceLimits()
+	err := rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 	node.InitDefaultPrefix("")
 	node.SetInternalIPv4Router(ipv4DummyAddr)

pkg/datapath/linux/ipsec/ipsec_linux_test.go

@@ -15,7 +15,8 @@ import (
 	"github.com/vishvananda/netlink"
 	. "gopkg.in/check.v1"
 
-	"github.com/cilium/cilium/pkg/bpf"
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/datapath/linux/linux_defaults"
 )
 
@@ -34,7 +35,7 @@ var (
 )
 
 func (p *IPSecSuitePrivileged) SetUpTest(c *C) {
-	err := bpf.ConfigureResourceLimits()
+	err := rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 }
 

pkg/datapath/linux/node_linux_test.go

@@ -20,7 +20,8 @@ import (
 	"github.com/vishvananda/netlink"
 	"gopkg.in/check.v1"
 
-	"github.com/cilium/cilium/pkg/bpf"
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/cidr"
 	"github.com/cilium/cilium/pkg/datapath"
 	"github.com/cilium/cilium/pkg/datapath/fake"
@@ -73,7 +74,7 @@ const (
 )
 
 func (s *linuxPrivilegedBaseTestSuite) SetUpTest(c *check.C, addressing datapath.NodeAddressing, enableIPv6, enableIPv4 bool) {
-	bpf.ConfigureResourceLimits()
+	rlimit.RemoveMemlock()
 	s.nodeAddressing = addressing
 	s.mtuConfig = mtu.NewConfiguration(0, false, false, false, 1500, nil)
 	s.enableIPv6 = enableIPv6

pkg/datapath/loader/loader_test.go

@@ -18,7 +18,8 @@ import (
 	"github.com/vishvananda/netlink"
 	. "gopkg.in/check.v1"
 
-	"github.com/cilium/cilium/pkg/bpf"
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/datapath/linux/config"
 	"github.com/cilium/cilium/pkg/datapath/loader/metrics"
 	datapathOption "github.com/cilium/cilium/pkg/datapath/option"
@@ -61,7 +62,7 @@ func (s *LoaderTestSuite) SetUpSuite(c *C) {
 		fmt.Sprintf("-I%s", filepath.Join(bpfDir, "include")),
 	})
 
-	err := bpf.ConfigureResourceLimits()
+	err := rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 	sourceFile := filepath.Join(bpfDir, endpointProg)
 	err = os.Symlink(sourceFile, endpointProg)

pkg/egressgateway/manager_privileged_test.go

@@ -14,6 +14,8 @@ import (
 	. "gopkg.in/check.v1"
 	"k8s.io/apimachinery/pkg/types"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/bpf"
 	v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
 	slimv1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
@@ -78,7 +80,7 @@ func Test(t *testing.T) {
 
 func (k *EgressGatewayTestSuite) SetUpSuite(c *C) {
 	bpf.CheckOrMountFS("")
-	err := bpf.ConfigureResourceLimits()
+	err := rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 
 	option.Config.EnableIPv4EgressGateway = true

pkg/maps/ctmap/ctmap_privileged_test.go

@@ -12,6 +12,8 @@ import (
 
 	. "gopkg.in/check.v1"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/bpf"
 	"github.com/cilium/cilium/pkg/maps/nat"
 	"github.com/cilium/cilium/pkg/option"
@@ -35,7 +37,7 @@ func Test(t *testing.T) {
 
 func (k *CTMapTestSuite) SetUpSuite(c *C) {
 	bpf.CheckOrMountFS("")
-	err := bpf.ConfigureResourceLimits()
+	err := rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 }
 

pkg/maps/egressmap/egress_privileged_test.go

@@ -13,6 +13,8 @@ import (
 
 	. "gopkg.in/check.v1"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/bpf"
 	"github.com/cilium/cilium/pkg/ebpf"
 )
@@ -28,7 +30,7 @@ func Test(t *testing.T) {
 
 func (k *EgressMapTestSuite) SetUpSuite(c *C) {
 	bpf.CheckOrMountFS("")
-	err := bpf.ConfigureResourceLimits()
+	err := rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 }
 

pkg/maps/eppolicymap/eppolicymap_test.go

@@ -15,6 +15,8 @@ import (
 
 	. "gopkg.in/check.v1"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/bpf"
 	"github.com/cilium/cilium/pkg/maps/lxcmap"
 	"github.com/cilium/cilium/pkg/maps/policymap"
@@ -33,7 +35,7 @@ var _ = Suite(&EPPolicyMapTestSuite{})
 func (e *EPPolicyMapTestSuite) SetUpTest(c *C) {
 	MapName = "unit_test_ep_to_policy"
 	innerMapName = "unit_test_ep_policy_inner_map"
-	err := bpf.ConfigureResourceLimits()
+	err := rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 }
 

pkg/maps/lbmap/maglev_test.go

@@ -10,9 +10,10 @@ import (
 	"net"
 	"testing"
 
-	"golang.org/x/sys/unix"
 	. "gopkg.in/check.v1"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/loadbalancer"
 	"github.com/cilium/cilium/pkg/option"
 	"github.com/cilium/cilium/pkg/version"
@@ -25,7 +26,6 @@ func Test(t *testing.T) {
 
 type MaglevSuite struct {
 	prevMaglevTableSize int
-	oldLim              unix.Rlimit
 }
 
 var _ = Suite(&MaglevSuite{})
@@ -44,14 +44,8 @@ func (s *MaglevSuite) SetUpSuite(c *C) {
 
 	s.prevMaglevTableSize = option.Config.MaglevTableSize
 
-	tmpLim := unix.Rlimit{
-		Cur: unix.RLIM_INFINITY,
-		Max: unix.RLIM_INFINITY,
-	}
-	err = unix.Getrlimit(unix.RLIMIT_MEMLOCK, &s.oldLim)
-	c.Assert(err, IsNil)
 	// Otherwise opening the map might fail with EPERM
-	err = unix.Setrlimit(unix.RLIMIT_MEMLOCK, &tmpLim)
+	err = rlimit.RemoveMemlock()
 	c.Assert(err, IsNil)
 
 	Init(InitParams{
@@ -65,7 +59,6 @@ func (s *MaglevSuite) SetUpSuite(c *C) {
 
 func (s *MaglevSuite) TeadDownTest(c *C) {
 	option.Config.MaglevTableSize = s.prevMaglevTableSize
-	unix.Setrlimit(unix.RLIMIT_MEMLOCK, &s.oldLim)
 }
 
 func (s *MaglevSuite) TestInitMaps(c *C) {

pkg/maps/policymap/policymap_privileged_test.go

@@ -15,6 +15,8 @@ import (
 	"golang.org/x/sys/unix"
 	. "gopkg.in/check.v1"
 
+	"github.com/cilium/ebpf/rlimit"
+
 	"github.com/cilium/cilium/pkg/bpf"
 	"github.com/cilium/cilium/pkg/checker"
 	"github.com/cilium/cilium/pkg/logging"
@@ -39,7 +41,7 @@ var (
 
 func runTests(m *testing.M) (int, error) {
 	bpf.CheckOrMountFS("")
-	if err := bpf.ConfigureResourceLimits(); err != nil {
+	if err := rlimit.RemoveMemlock(); err != nil {
 		return 1, fmt.Errorf("Failed to configure rlimit")
 	}