fix: set rlimit explicitly in wrapperd

Now Go only sets the rlimit for the parent and any fork/exec'ed process gets the rlimit that was the default before fork/exec. Ref: golang/go#46279 This fix got backported to [Go 1.20.4](golang/go@ecf7e00) breaking Talos. Talos used to set rlimit in the [`SetRLimit`](https://github.com/siderolabs/talos/blob/v1.4.2/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go#L302) sequencer task. This means any process started by `wrapperd` gets the default Rlimit (1024). Fix this by explicitly setting `rlimit` in `wrapperd` before we drop any capabilities. Fixes: #7198 Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · May 9, 2023 · a2565f6 · a2565f6
1 parent cdfc242
commit a2565f6
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/internal/app/wrapperd/main.go b/internal/app/wrapperd/main.go
@@ -50,6 +50,13 @@ func Main() {
 		}
 	}
 
+	// set the rlimit for the process before we drop privileges
+	// TODO: frezbo: see if we need to drop Rlimit from the boot sequence, the only downside maybe that some very early process might
+	// not have the higher rlimit set, but it seems we always use the wrapper to start processes.
+	if err := unix.Setrlimit(unix.RLIMIT_NOFILE, &unix.Rlimit{Max: 1048576, Cur: 1048576}); err != nil {
+		log.Fatalf("failed to set rlimit: %v", err)
+	}
+
 	// load the cgroup and put the process into the cgroup
 	if cgroupPath != "" {
 		if cgroups.Mode() == cgroups.Unified {