[systemd-devel] pid 1 memlock setting configurable?

Lennart Poettering lennart at poettering.net
Thu May 23 07:49:19 UTC 2019


On Do, 23.05.19 07:32, Kees Bos (cornelis.bos at gmail.com) wrote:

> Hi all,
>
> I couldn't find it with google, and before digging in the code just a
> quick question. Probably someone knows it in the top of h(is|er)
> head...
>
> It seems that systemd drops rlimit_memlock on startup. Correct? And if
> so, is it configurable?

No. It actually raises it to 64M if it can:

https://github.com/systemd/systemd/blob/master/src/core/main.c#L1380

Before doing so it will save the original setting though and that's
what it tries to pass to services invoked as default too. Thus,
RLIMIT_MEMLOCK should really just be bumped for PID 1 itself, and only
if privileges allow.

> Explanation for the question:
> In an unprivileged container I can set the memlock config lower than
> 16MB (16777216 bytes), but not higher. That is, i can configure it, but
> effectively the systemd process (pid 1) will never have a limit higher
> than 16MB. Since it's an unprivileged container (and thus a fake 'root'
> user), that limit also becomes the max for all spawned processes
> (including services).

I am not sure how precisely rlimits are affected by userns, but I'd
guess you can't set rlimits higher in it than what they are set in the
lowest process outside of the userns, but I don't really know...

Lennart

--
Lennart Poettering, Berlin


More information about the systemd-devel mailing list