author | Chirantan Ekbote <chirantan@chromium.org> | 2019-11-27 17:38:54 +0900 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-11-28 03:05:57 +0000 |
commit | 1a5fe95471e4d75ce31eb8884becdedb52376451 (patch) | |
tree | 4c9763b6fc0c308f898bc0f9143f9f10fd7df48d /src/linux.rs | |
parent | 4cc280bcff161e08a44c83fbd5384e324b8c3585 (diff) | |
linux.rs: Set open file limits for all devices
The virtio-fs device opens a lot of fds and needs to have a pretty high open file limit. In order for this to be successful on Chrome OS, the parent process (concierge) also needs to have a very high open file limit. This unfortunately has the side-effect of raising the open file limit for _all_ crosvm devices.

Deal with this by setting the open file limit back down to a reasonable value (1024) for all devices that use `create_base_minijail`. This was the value of the open file limit for concierge before the increase.

BUG=b:142344095
TEST=Check /proc/<pid>/limits for various crosvm device processes and see that they have the proper value for "Max open files".

Change-Id: I87e3fe62fe22e68bff5ba5b60d85d39060a111dd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1939527
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Diffstat (limited to 'src/linux.rs')
-rw-r--r-- | src/linux.rs | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/linux.rs b/src/linux.rs index c0344b1..a3df995 100644 --- a/src/linux.rs +++ b/src/linux.rs @@ -314,6 +314,9 @@ fn create_base_minijail( j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?; // Run in an empty network namespace. j.namespace_net(); + // Most devices don't need to open many fds. + j.set_rlimit(libc::RLIMIT_NOFILE, 1024, 1024) + .map_err(Error::SettingMaxOpenFiles)?; // Apply the block device seccomp policy. j.no_new_privs(); // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill |
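Review bot: the added `j.set_rlimit(libc::RLIMIT_NOFILE, 1024, 1024)` call in `create_base_minijail` lowers the hard limit as well as the soft one, so any device jailed through this helper cannot raise its fd limit again without CAP_SYS_RESOURCE. The commit message says virtio-fs needs a high limit, but the lines shown here do not indicate how that device avoids this cap; please extend the comment "Most devices don't need to open many fds." to say which devices are the exception and where they set their own limit. It would also help to replace the repeated literal 1024 with a named constant whose comment records that this was the concierge limit before the increase, so the value is not later changed in one argument and not the other.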