libct/system: ClearRlimitNofileCache for go 1.23

Go 1.23 tightens access to internal symbols, and even puts runc into
"hall of shame" for using an internal symbol (recently added by commit
da68c8e). So, while not impossible, it becomes harder to access those
internal symbols, and it is a bad idea in general.

Assuming Go 1.23 comes with https://go.dev/cl/588076, we can clean the
internal rlimit cache by setting the RLIMIT_NOFILE for ourselves,
essentially disabling the rlimit cache.

NOTE this also relies on golang.org/x/sys/unix having https://go.dev/cl/476695.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

libcontainer/init_linux.go

@@ -225,9 +225,7 @@ func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSock
 
 	// Clean the RLIMIT_NOFILE cache in go runtime.
 	// Issue: https://github.com/opencontainers/runc/issues/4195
-	if containsRlimit(config.Rlimits, unix.RLIMIT_NOFILE) {
-		system.ClearRlimitNofileCache()
-	}
+	maybeClearRlimitNofileCache(config.Rlimits)
 
 	switch t {
 	case initSetns:
@@ -655,13 +653,17 @@ func setupRoute(config *configs.Config) error {
 	return nil
 }
 
-func containsRlimit(limits []configs.Rlimit, resource int) bool {
+func maybeClearRlimitNofileCache(limits []configs.Rlimit) {
+	const res = unix.RLIMIT_NOFILE
 	for _, rlimit := range limits {
-		if rlimit.Type == resource {
-			return true
+		if rlimit.Type == res {
+			system.ClearRlimitNofileCache(&unix.Rlimit{
+				Cur: rlimit.Soft,
+				Max: rlimit.Hard,
+			})
+			return
 		}
 	}
-	return false
 }
 
 func setupRlimits(limits []configs.Rlimit, pid int) error {

libcontainer/system/linux.go

@@ -16,21 +16,6 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
-var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]
-
-// ClearRlimitNofileCache is to clear go runtime's nofile rlimit cache.
-func ClearRlimitNofileCache() {
-	// As reported in issue #4195, the new version of go runtime(since 1.19)
-	// will cache rlimit-nofile. Before executing execve, the rlimit-nofile
-	// of the process will be restored with the cache. In runc, this will
-	// cause the rlimit-nofile setting by the parent process for the container
-	// to become invalid. It can be solved by clearing this cache. But
-	// unfortunately, go stdlib doesn't provide such function, so we need to
-	// link to the private var `origRlimitNofile` in package syscall to hack.
-	syscallOrigRlimitNofile.Store(nil)
-}
-
 type ParentDeathSignal int
 
 func (p ParentDeathSignal) Restore() error {

libcontainer/system/rlimit_linux_go122.go

@@ -0,0 +1,26 @@
+//go:build !go1.23
+
+package system
+
+import (
+	"sync/atomic"
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
+var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]
+
+// ClearRlimitNofileCache clears go runtime's nofile rlimit cache.
+// The argument is process RLIMIT_NOFILE values.
+func ClearRlimitNofileCache(_ *unix.Rlimit) {
+	// As reported in issue #4195, the new version of go runtime(since 1.19)
+	// will cache rlimit-nofile. Before executing execve, the rlimit-nofile
+	// of the process will be restored with the cache. In runc, this will
+	// cause the rlimit-nofile setting by the parent process for the container
+	// to become invalid. It can be solved by clearing this cache. But
+	// unfortunately, go stdlib doesn't provide such function, so we need to
+	// link to the private var `origRlimitNofile` in package syscall to hack.
+	syscallOrigRlimitNofile.Store(nil)
+}

libcontainer/system/rlimit_linux_go123.go

@@ -0,0 +1,18 @@
+//go:build go1.23
+
+package system
+
+import (
+	"sync/atomic"
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// CleanRlimitNofileCache sets RLIMIT_NOFILE for the current process. This is
+// not needed per se, but rather to clean the origRlimitNofile cache in Go.
+//
+// The implementation relies on go.dev/cl/588076.
+func ClearRlimitNofileCache(lim *unix.Rlimit) {
+	_ = syscall.Setrlimit(syscall.RLIMIT_NOFILE, lim)
+}