hashicorp / nomad-driver-podman

A nomad task driver plugin for sandboxing workloads in podman containers
https://developer.hashicorp.com/nomad/plugins/drivers/podman
Mozilla Public License 2.0

Ulimits are uint64 but can be negative #341

Open optiz0r opened 1 month ago

optiz0r commented 1 month ago

https://github.com/hashicorp/nomad-driver-podman/blob/main/api/structs.go#L675 defines the soft and hard values for ulimits as uint64.

Podman allows a container to be launched with -1 as a valid ulimit value, which means to use the user's maximum permitted value for the setting (https://docs.podman.io/en/stable/markdown/podman-run.1.html#ulimit-option).

A job spec which uses this might contain:

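```hcl
task "memcached" {
  driver = "podman"
  config {
    # image is a driver option, so it belongs inside the config block
    image = "memcached:latest"
    ulimit {
      # -1 asks podman for the user's maximum permitted value
      memlock = "-1:-1"
    }
    args = ["--lock-memory"]
  }
}
```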

This results in an allocation failing to start up with an error message like:

```
Driver Failure
rpc error: code = Unknown desc = failed to start task, could not inspect container : json: cannot unmarshal number -1 into Go struct field InspectUlimit.HostConfig.Ulimits.Soft of type uint64
```

Edit: The same thing works in the docker driver without error. Quickly scanning the docker driver code, I can't see that ulimit values there are handled as anything other than strings, but I might have missed something.
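
The decode failure reported above can be reproduced with `encoding/json` alone. This is an added example, not part of the issue or the driver's code; the struct names, the `Unlimited` helper and the sample JSON are assumptions built from the field path in the error message.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample, not real podman output: the key names are assumed
// from the field path in the error message quoted in the issue.
const sampleInspect = `{"HostConfig":{"Ulimits":[
  {"Name":"RLIMIT_MEMLOCK","Soft":-1,"Hard":-1},
  {"Name":"RLIMIT_NOFILE","Soft":1024,"Hard":4096}]}}`

// unsignedInspect types the limits as uint64, the shape the issue describes.
type unsignedInspect struct {
	HostConfig struct {
		Ulimits []struct {
			Name       string
			Soft, Hard uint64
		}
	}
}

// Ulimit is a hypothetical signed variant; int64 can hold podman's -1.
type Ulimit struct {
	Name       string
	Soft, Hard int64
}

type signedInspect struct {
	HostConfig struct{ Ulimits []Ulimit }
}

// DecodeUnsigned returns the error encoding/json reports for the uint64 shape.
func DecodeUnsigned(data string) error {
	var out unsignedInspect
	return json.Unmarshal([]byte(data), &out)
}

// DecodeSigned decodes the same document into int64 fields.
func DecodeSigned(data string) ([]Ulimit, error) {
	var out signedInspect
	err := json.Unmarshal([]byte(data), &out)
	return out.HostConfig.Ulimits, err
}

// Unlimited reports whether either value is the -1 "maximum permitted" marker.
func (u Ulimit) Unlimited() bool { return u.Soft == -1 || u.Hard == -1 }

func main() {
	fmt.Println("uint64:", DecodeUnsigned(sampleInspect))
	limits, err := DecodeSigned(sampleInspect)
	fmt.Println("int64: ", limits, err)
}
```
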