Add ulimits to podman update

Author: aaron-ang

cmd/podman/common/create.go

@@ -440,14 +440,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(umaskFlagName, completion.AutocompleteNone)
 
-		ulimitFlagName := "ulimit"
-		createFlags.StringSliceVar(
-			&cf.Ulimit,
-			ulimitFlagName, cf.Ulimit,
-			"Ulimit options",
-		)
-		_ = cmd.RegisterFlagCompletionFunc(ulimitFlagName, completion.AutocompleteNone)
-
 		userFlagName := "user"
 		createFlags.StringVarP(
 			&cf.User,
@@ -559,6 +551,14 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(unsetenvFlagName, completion.AutocompleteNone)
 
+		ulimitFlagName := "ulimit"
+		createFlags.StringSliceVar(
+			&cf.Ulimit,
+			ulimitFlagName, cf.Ulimit,
+			"Ulimit options",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(ulimitFlagName, completion.AutocompleteNone)
+
 		healthCmdFlagName := "health-cmd"
 		createFlags.StringVar(
 			&cf.HealthCmd,

cmd/podman/containers/update.go

@@ -190,6 +190,18 @@ func update(cmd *cobra.Command, args []string) error {
 		opts.UnsetEnv = env
 	}
 
+	if cmd.Flags().Changed("ulimit") {
+		ulimits, err := cmd.Flags().GetStringSlice("ulimit")
+		if err != nil {
+			return err
+		}
+		rlimits, err := specgenutil.GenRlimits(ulimits)
+		if err != nil {
+			return err
+		}
+		opts.Rlimits = rlimits
+	}
+
 	rep, err := registry.ContainerEngine().ContainerUpdate(context.Background(), opts)
 	if err != nil {
 		return err

docs/source/markdown/options/ulimit.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman create, run
+####>   podman create, run, update
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--ulimit**=*option*

docs/source/markdown/podman-update.1.md.in

@@ -94,6 +94,10 @@ Changing this setting resets the timer, depending on the state of the container.
 
 @@option restart
 
+@@option ulimit
+
+Note: This limit only takes effect on the next container restart.
+
 @@option unsetenv.update
 
 
@@ -109,6 +113,11 @@ Update the latest container with a new cpu value:
 podman update --latest --cpus=1
 ```
 
+Update a container's ulimit:
+```
+podman update --ulimit nofile=1024:1024 ctrID
+```
+
 Update a container with multiple options at ones:
 ```
 podman update --cpus 5 --cpuset-cpus 0 --cpu-shares 123 --cpuset-mems 0 \\

libpod/container_internal.go

@@ -2810,6 +2810,7 @@ func (c *Container) update(updateOptions *entities.ContainerUpdateOptions) error
 	}
 	oldRestart := c.config.RestartPolicy
 	oldRetries := c.config.RestartRetries
+	oldRlimits := c.config.Spec.Process.Rlimits
 
 	if updateOptions.RestartPolicy != nil {
 		if err := define.ValidateRestartPolicy(*updateOptions.RestartPolicy); err != nil {
@@ -2857,16 +2858,21 @@ func (c *Container) update(updateOptions *entities.ContainerUpdateOptions) error
 		c.config.Spec.Process.Env = envLib.Slice(envMap)
 	}
 
+	if updateOptions.Rlimits != nil {
+		c.config.Spec.Process.Rlimits = updateOptions.Rlimits
+	}
+
 	if err := c.runtime.state.SafeRewriteContainerConfig(c, "", "", c.config); err != nil {
 		// Assume DB write failed, revert to old resources block
 		c.config.Spec.Linux.Resources = oldResources
 		c.config.RestartPolicy = oldRestart
 		c.config.RestartRetries = oldRetries
+		c.config.Spec.Process.Rlimits = oldRlimits
 		return err
 	}
 
 	if c.ensureState(define.ContainerStateCreated, define.ContainerStateRunning, define.ContainerStatePaused) &&
-		(updateOptions.Resources != nil || updateOptions.Env != nil || updateOptions.UnsetEnv != nil) {
+		(updateOptions.Resources != nil || updateOptions.Env != nil || updateOptions.UnsetEnv != nil || updateOptions.Rlimits != nil) {
 		// So `podman inspect` on running containers sources its OCI spec from disk.
 		// To keep inspect accurate we need to update the on-disk OCI spec.
 		onDiskSpec, err := c.specFromState()
@@ -2882,13 +2888,24 @@ func (c *Container) update(updateOptions *entities.ContainerUpdateOptions) error
 		if len(updateOptions.Env) != 0 || len(updateOptions.UnsetEnv) != 0 {
 			onDiskSpec.Process.Env = c.config.Spec.Process.Env
 		}
+		if updateOptions.Rlimits != nil {
+			onDiskSpec.Process.Rlimits = updateOptions.Rlimits
+		}
 		if err := c.saveSpec(onDiskSpec); err != nil {
 			logrus.Errorf("Unable to update container %s OCI spec - `podman inspect` may not be accurate until container is restarted: %v", c.ID(), err)
 		}
 
 		if err := c.ociRuntime.UpdateContainer(c, updateOptions.Resources); err != nil {
 			return err
 		}
+
+		// Apply rlimits to running container processes using prlimit
+		if updateOptions.Rlimits != nil {
+			if err := c.applyRlimitsToRunningContainer(updateOptions.Rlimits); err != nil {
+				logrus.Errorf("Failed to apply rlimits to running container %s: %v", c.ID(), err)
+				// Don't return error here as the rlimits are saved to config and will take effect on restart
+			}
+		}
 	}
 
 	logrus.Debugf("updated container %s", c.ID())

libpod/container_internal_linux_rlimit.go

@@ -0,0 +1,121 @@
+//go:build linux
+
+package libpod
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/containers/podman/v5/libpod/define"
+	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// applyRlimitsToRunningContainer applies rlimits to all processes in the container's cgroup
+// using the prlimit syscall. This is Linux-specific functionality.
+func (c *Container) applyRlimitsToRunningContainer(rlimits []spec.POSIXRlimit) error {
+	// Only apply to running containers
+	if !c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {
+		return nil
+	}
+
+	// Get the container's cgroup path
+	cgroupPath, err := c.cGroupPath()
+	if err != nil {
+		return fmt.Errorf("getting cgroup path for container %s: %w", c.ID(), err)
+	}
+
+	// Read all PIDs from the cgroup.procs file
+	pids, err := c.getAllPIDsFromCgroup(cgroupPath)
+	if err != nil {
+		return fmt.Errorf("getting PIDs from cgroup %s: %w", cgroupPath, err)
+	}
+
+	// Map rlimit type strings to syscall resource numbers
+	rlimitMap := map[string]int{
+		"as":     syscall.RLIMIT_AS,
+		"core":   syscall.RLIMIT_CORE,
+		"cpu":    syscall.RLIMIT_CPU,
+		"data":   syscall.RLIMIT_DATA,
+		"fsize":  syscall.RLIMIT_FSIZE,
+		"nofile": syscall.RLIMIT_NOFILE,
+		"stack":  syscall.RLIMIT_STACK,
+		"nproc":  6, // RLIMIT_NPROC = 6 on Linux (not available in syscall package on all platforms)
+	}
+
+	// Apply each rlimit to each PID
+	for _, rlimit := range rlimits {
+		resource, exists := rlimitMap[rlimit.Type]
+		if !exists {
+			logrus.Warnf("Unknown rlimit type %s, skipping", rlimit.Type)
+			continue
+		}
+
+		// Create the new rlimit structure
+		newLimit := &syscall.Rlimit{
+			Cur: rlimit.Soft,
+			Max: rlimit.Hard,
+		}
+
+		// Apply to all PIDs in the container
+		for _, pid := range pids {
+			err := c.applyRlimitToPID(pid, resource, newLimit)
+			if err != nil {
+				// ESRCH means the process has exited, which is fine
+				if err == unix.ESRCH {
+					logrus.Debugf("Process %d has exited, skipping rlimit application", pid)
+					continue
+				}
+				// For other errors, log but continue with other processes
+				logrus.Warnf("Failed to apply rlimit %s to PID %d: %v", rlimit.Type, pid, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// applyRlimitToPID applies a single rlimit to a single PID using the prlimit syscall.
+// This is Linux-specific functionality.
+func (c *Container) applyRlimitToPID(pid, resource int, newLimit *syscall.Rlimit) error {
+	// Convert syscall.Rlimit to unix.Rlimit
+	unixLimit := &unix.Rlimit{
+		Cur: newLimit.Cur,
+		Max: newLimit.Max,
+	}
+	// Use the unix package's Prlimit function
+	// Note: This function is only available on Linux
+	return unix.Prlimit(pid, resource, unixLimit, nil)
+}
+
+// getAllPIDsFromCgroup reads all PIDs from a cgroup's cgroup.procs file.
+// This is Linux-specific functionality.
+func (c *Container) getAllPIDsFromCgroup(cgroupPath string) ([]int, error) {
+	procsFile := filepath.Join(cgroupPath, "cgroup.procs")
+	data, err := os.ReadFile(procsFile)
+	if err != nil {
+		return nil, err
+	}
+
+	var pids []int
+	lines := strings.Split(string(data), "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		pid, err := strconv.Atoi(line)
+		if err != nil {
+			logrus.Warnf("Invalid PID in cgroup.procs: %s", line)
+			continue
+		}
+		pids = append(pids, pid)
+	}
+
+	return pids, nil
+}

pkg/api/handlers/compat/containers.go

@@ -822,11 +822,25 @@ func UpdateContainer(w http.ResponseWriter, r *http.Request) {
 		restartRetries = &localRetries
 	}
 
+	// Rlimits
+	var rlimits []spec.POSIXRlimit
+	if len(options.Ulimits) > 0 {
+		for _, ulimit := range options.Ulimits {
+			rlimit := spec.POSIXRlimit{
+				Type: ulimit.Name,
+				Hard: uint64(ulimit.Hard),
+				Soft: uint64(ulimit.Soft),
+			}
+			rlimits = append(rlimits, rlimit)
+		}
+	}
+
 	updateOptions := &entities.ContainerUpdateOptions{
 		Resources:                       resources,
 		ChangedHealthCheckConfiguration: &define.UpdateHealthCheckConfig{},
 		RestartPolicy:                   restartPolicy,
 		RestartRetries:                  restartRetries,
+		Rlimits:                         rlimits,
 	}
 
 	if err := ctr.Update(updateOptions); err != nil {

pkg/api/handlers/libpod/containers.go

@@ -462,6 +462,7 @@ func UpdateContainer(w http.ResponseWriter, r *http.Request) {
 		RestartRetries:                  restartRetries,
 		Env:                             options.Env,
 		UnsetEnv:                        options.UnsetEnv,
+		Rlimits:                         options.Rlimits,
 	}
 
 	err = ctr.Update(updateOptions)

pkg/api/handlers/types.go

@@ -81,6 +81,7 @@ type UpdateEntities struct {
 	define.UpdateContainerDevicesLimits
 	Env      []string
 	UnsetEnv []string
+	Rlimits  []specs.POSIXRlimit
 }
 
 type Info struct {

pkg/bindings/containers/update.go

@@ -40,6 +40,9 @@ func Update(ctx context.Context, options *types.ContainerUpdateOptions) (string,
 	if options.DevicesLimits != nil {
 		updateEntities.UpdateContainerDevicesLimits = *options.DevicesLimits
 	}
+	if options.Rlimits != nil {
+		updateEntities.Rlimits = options.Rlimits
+	}
 
 	requestData, err := jsoniter.MarshalToString(updateEntities)
 	if err != nil {