[release-1.21] Partially work around containers/common

 ... setting RLIMIT_NPROC wrong

The version of containers/common we're currently using on this branch included a
bug which was later fixed by containers/common#2199.
If we get an update on its v0.60 branch which includes that fix, we can
drop this patch from this branch, but until then, work around the part
that breaks our tests.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

Author: nalind

run_linux.go

@@ -167,6 +167,24 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	spec := g.Config
 	g = nil
 
+	// Override a buggy resource limit default that containers/common could supply before
+	// https://github.com/containers/common/pull/2199 fixed it.
+	if kernelPidMaxBytes, err := os.ReadFile("/proc/sys/kernel/pid_max"); err == nil {
+		kernelPidMaxString := strings.TrimSpace(string(kernelPidMaxBytes))
+		if kernelPidMaxValue, err := strconv.ParseUint(kernelPidMaxString, 10, 64); err == nil {
+			const rlimitDefaultValue = 1024 * 1024
+			var filteredLimits []specs.POSIXRlimit
+			for _, rlimit := range spec.Process.Rlimits {
+				if rlimit.Type == "RLIMIT_NPROC" && rlimit.Soft == kernelPidMaxValue && rlimit.Hard == kernelPidMaxValue {
+					rlimit.Soft, rlimit.Hard = rlimitDefaultValue, rlimitDefaultValue
+					logrus.Debugf("overrode RLIMIT_NPROC set to kernel system-wide process limit with %d", rlimitDefaultValue)
+				}
+				filteredLimits = append(filteredLimits, rlimit)
+			}
+			spec.Process.Rlimits = filteredLimits
+		}
+	}
+
 	// Set the seccomp configuration using the specified profile name.  Some syscalls are
 	// allowed if certain capabilities are to be granted (example: CAP_SYS_CHROOT and chroot),
 	// so we sorted out the capabilities lists first.