Can't change default container ulimit's with arguments --ulimit nice=-19 --ulimit rtprio=99

[anriKogan]

Issue Description

I am trying to change default values of scheduling priority (-e) and real-time priority (-r) of ulimit in a podman container but unfortunately get a permission issue:
Error: crun: setrlimit RLIMIT_NICE: Operation not permitted: OCI permission denied
Error: crun: setrlimit RLIMIT_RTPRIO: Operation not permitted: OCI permission denied
My system is using cgroup v2 and I have enabled all required cgroup controllers how to be described there.
https://rootlesscontaine.rs/getting-started/common/cgroup2/

Steps to reproduce the issue

Steps to reproduce the issue:

1. podman run --name hello --privileged --cap-add all --ulimit nice=-19 --rm quay.io/podman/hello

2 .podman run --name hello --privileged --cap-add all --ulimit rtprio=99 --rm quay.io/podman/hello

Describe the results you received

1. Error: crun: setrlimit RLIMIT_NICE: Operation not permitted: OCI permission denied
2. Error: crun: setrlimit RLIMIT_RTPRIO: Operation not permitted: OCI permission denied

Describe the results you expected

if I change podman on docker engine, everything works as expected.

podman info output

$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.31.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2:2.1.10-0ubuntu22.04+obs18.23_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99.39
    systemPercent: 0.29
    userPercent: 0.32
  cpus: 16
  databaseBackend: boltdb
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  freeLocks: 2048
  hostname: myhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 2000000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 10001
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
  kernel: 5.15.0-91-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 30133014528
  memTotal: 33648828416
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.6.0-0ubuntu22.04+obs34.25_amd64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.6.0
    package: netavark_1.3.0-0ubuntu22.04+obs22.9_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.3.0
  ociRuntime:
    name: crun
    package: crun_101:1.14.4-0ubuntu22.04+obs70.5_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/user/10001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    path: /run/user/10001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.0.1-2_amd64
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 17179865088
  swapTotal: 17179865088
  uptime: 3h 10m 5.00s (Approximately 0.12 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/myuser/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/myuser/.local/share/containers/storage
  graphRootAllocated: 21059293184
  graphRootUsed: 20014911488
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 3
  runRoot: /tmp/containers-user-10001/containers
  transientStore: false
  volumePath: /home/myuser/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.2
  Built: 0
  BuiltTime: Thu Jan  1 02:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[Luap99]

You would need to run a rootful container in order to set these limits. A rootless user can not increase limits. I am not quite sure how it works with your specific limits, but in general you can only lower limts (i.e. open files) and not increase them.

[anriKogan]

Hi @Luap99, didn't work on both of modes, I noticed that part of limits I can increase just ones, but second time I can't increase more than I set before, actually what I am looking for is to set the priority to realtime in podman container.
The code:

#include <stdio.h>
#include <unistd.h>
#include <sched.h>
#include <pthread.h>
#include <errno.h>

int main(int argc, char *argv[])
{
  printf("Setting rt prio\n");

  struct sched_param param;
  param.sched_priority=20;
  int retval = sched_setscheduler(0, SCHED_RR, &param);
  printf("Retval: %d, Errno: %d\n", retval, errno);

  return 0;
 } 

gcc -o realtime realtime.c -lpthread
./realtime

Get this:
Setting rt prio
Retval: 1, Errno: 1

I would expect this:
./realtime
Setting rt prio
Retval: 0, Errno: 0

if you have some thoughts about this, please share
Thanks

[Luap99]

I am pretty sure that you have to run as root in order to do that, so sudo podman ...

[anriKogan]

I think, I tried everything.)

[anriKogan]

@Luap99 I'd like to move it back to the issues section

[Luap99]

This is not a podman issue, the kernel permissions decide how you can set the limits, as rootless you are obviously are never allowed to increase limits.
As root it works just fine.

$ sudo podman run --name hello --ulimit nice=-19 --ulimit rtprio=99  --rm quay.io/podman/hello
!... Hello Podman World ...!
...

IF you have to chnage the limit in the cotnainer you need to give it the correct permissions

$ sudo podman run --name hello --ulimit rtprio=99 --rm alpine sh -c 'ulimit -r && ulimit -r 100 && ulimit -r' 
99
sh: error setting limit: Operation not permitted
$ sudo podman run --name hello --ulimit rtprio=99 --cap-add CAP_SYS_RESOURCE --rm alpine sh -c 'ulimit -r && ulimit -r 100 && ulimit -r' 
99
100