Make default limits the same as with runc

Closes #2

PiperOrigin-RevId: 202997196

Author: fvoznika

README.md

@@ -361,10 +361,20 @@ Then restart the Docker daemon.
 
 ## FAQ & Known Issues
 
+### Will my container work with gVisor?
+
+gVisor implements a large portion of the Linux surface and while we strive to
+make it broadly compatible, there are (and always will be) unimplemented
+features and bugs. The only real way to know if it will work is to try. If you
+find a container that doesn’t work and there is no known issue, please [file a
+bug][bug] indicating the full command you used to run the image. Providing the
+debug logs is also helpful.
+
 ### What works?
 
 The following applications/images have been tested:
 
+* elasticsearch
 * golang
 * httpd
 * java8
@@ -384,33 +394,17 @@ The following applications/images have been tested:
 * tomcat
 * wordpress
 
-### What doesn't work yet?
-
-The following applications have been tested and may not yet work:
-
-* elasticsearch: Requires unimplemented socket ioctls. See [bug
-  #2](https://github.com/google/gvisor/issues/2).
-
-### Will my container work with gVisor?
+### My container runs fine with *runc* but fails with *runsc*.
 
-gVisor implements a large portion of the Linux surface and while we strive to
-make it broadly compatible, there are (and always will be) unimplemented
-features and bugs. The only real way to know if it will work is to try. If you
-find a container that doesn’t work and there is no known issue, please [file a
-bug][bug] indicating the full command you used to run the image. Providing the
-debug logs is also helpful.
+If you’re having problems running a container with `runsc` it’s most likely due
+to a compatibility issue or a missing feature in gVisor. See **Debugging**,
+above.
 
 ### When I run my container, docker fails with `flag provided but not defined: -console`
 
 You're using an old version of Docker. Refer to the
 [Requirements](#requirements) section for the minimum version supported.
 
-### My container runs fine with *runc* but fails with *runsc*.
-
-If you’re having problems running a container with `runsc` it’s most likely due
-to a compatibility issue or a missing feature in gVisor. See **Debugging**,
-above.
-
 ### I can’t see a file copied with `docker cp` or `kubectl cp`.
 
 For performance reasons, gVisor caches directory contents, and therefore it may

runsc/boot/limits.go

@@ -23,29 +23,50 @@ import (
 
 // Mapping from linux resource names to limits.LimitType.
 var fromLinuxResource = map[string]limits.LimitType{
+	"RLIMIT_AS":         limits.AS,
+	"RLIMIT_CORE":       limits.Core,
 	"RLIMIT_CPU":        limits.CPU,
-	"RLIMIT_FSIZE":      limits.FileSize,
 	"RLIMIT_DATA":       limits.Data,
-	"RLIMIT_STACK":      limits.Stack,
-	"RLIMIT_CORE":       limits.Core,
-	"RLIMIT_RSS":        limits.Rss,
-	"RLIMIT_NPROC":      limits.ProcessCount,
-	"RLIMIT_NOFILE":     limits.NumberOfFiles,
-	"RLIMIT_MEMLOCK":    limits.MemoryPagesLocked,
-	"RLIMIT_AS":         limits.AS,
+	"RLIMIT_FSIZE":      limits.FileSize,
 	"RLIMIT_LOCKS":      limits.Locks,
-	"RLIMIT_SIGPENDING": limits.SignalsPending,
+	"RLIMIT_MEMLOCK":    limits.MemoryPagesLocked,
 	"RLIMIT_MSGQUEUE":   limits.MessageQueueBytes,
 	"RLIMIT_NICE":       limits.Nice,
+	"RLIMIT_NOFILE":     limits.NumberOfFiles,
+	"RLIMIT_NPROC":      limits.ProcessCount,
+	"RLIMIT_RSS":        limits.Rss,
 	"RLIMIT_RTPRIO":     limits.RealTimePriority,
 	"RLIMIT_RTTIME":     limits.Rttime,
+	"RLIMIT_SIGPENDING": limits.SignalsPending,
+	"RLIMIT_STACK":      limits.Stack,
 }
 
 func createLimitSet(spec *specs.Spec) (*limits.LimitSet, error) {
-	ls, err := limits.NewLinuxDistroLimitSet()
+	ls, err := limits.NewLinuxLimitSet()
 	if err != nil {
 		return nil, err
 	}
+
+	// Set default limits based on what containers get by default, ex:
+	// $ docker run --rm debian prlimit
+	ls.SetUnchecked(limits.AS, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.Core, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.CPU, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.Data, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.FileSize, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.Locks, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.MemoryPagesLocked, limits.Limit{Cur: 65536, Max: 65536})
+	ls.SetUnchecked(limits.MessageQueueBytes, limits.Limit{Cur: 819200, Max: 819200})
+	ls.SetUnchecked(limits.Nice, limits.Limit{Cur: 0, Max: 0})
+	ls.SetUnchecked(limits.NumberOfFiles, limits.Limit{Cur: 1048576, Max: 1048576})
+	ls.SetUnchecked(limits.ProcessCount, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.Rss, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.RealTimePriority, limits.Limit{Cur: 0, Max: 0})
+	ls.SetUnchecked(limits.Rttime, limits.Limit{Cur: limits.Infinity, Max: limits.Infinity})
+	ls.SetUnchecked(limits.SignalsPending, limits.Limit{Cur: 0, Max: 0})
+	ls.SetUnchecked(limits.Stack, limits.Limit{Cur: 8388608, Max: limits.Infinity})
+
+	// Then apply overwrites on top of defaults.
 	for _, rl := range spec.Process.Rlimits {
 		lt, ok := fromLinuxResource[rl.Type]
 		if !ok {