Add --max-fd argument to uwsgi to stop it from getting OOMKilled in Kubernetes #9564
Please create PR against dev or bugfix
Approved
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note: 🔴 Risk threshold exceeded. Adding a reviewer if one is configured in notification list: @mtesauro @grendel513
Tip: Get answers to your security questions. Add a comment in this PR starting with @DryRunSecurity. For example...
@hoeg thanks for updating your commits. I think this will work! There are some extra changes unrelated to your file descriptor changes that should not be here. Once those are removed, I think this will be good to go :)
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
Closing this PR as the parent issue was addressed by changing the k8s config rather than a code change on the DD side.
I am trying to pick this issue up from my colleague @hoeg. The described solution in k8s does not resolve the issue for us. We do not have any resource limits and are requesting 4096Mi of memory. The pod is still OOMKilled. However, using the suggested solution in this PR solves the problem.
Description
This PR fixes the issue described in issue #9562 regarding uWSGI that under some circumstances will take up an unnecessary amount of resources on a kubernetes node leading to the pod getting OOMKilled.
We introduce the possibility to set the --max-fd argument when starting up uWSGI to mitigate this issue.
Test results
I have tested the fix on a kubernetes cluster where it prevented the pod from getting OOMKilled. For more information see #9562.
Documentation
It is not clear to me where the documentation should be updated.
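One way an entrypoint script could pass the --max-fd value described above, as an added example that is not code from this PR or from the project. The function name uwsgi_fd_args, the variable EXAMPLE_MAX_FD and the ini path in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example: build the optional "--max-fd N" argument for uWSGI.
# uwsgi_fd_args and EXAMPLE_MAX_FD are hypothetical names, not from the PR.

# Usage: uwsgi_fd_args WANTED [HARD_LIMIT]
# Prints "--max-fd WANTED" when WANTED is a usable cap, nothing when it is
# empty. HARD_LIMIT is the hard open-files limit ("unlimited" or a number)
# and defaults to the shell's own hard limit. Returns 1 on a bad value.
uwsgi_fd_args() {
    want=$1
    hard=${2:-$(ulimit -H -n)}

    # No cap requested: leave uWSGI's default behaviour untouched.
    if [ -z "$want" ]; then
        return 0
    fi

    # Accept only a positive decimal integer without leading zeros.
    case $want in
        *[!0-9]*|0*)
            echo "invalid max-fd value: $want" >&2
            return 1
            ;;
    esac

    # General rlimit behaviour: going above the hard limit needs privileges,
    # so this example rejects such a value instead of passing it on.
    if [ "$hard" != "unlimited" ] && [ "$want" -gt "$hard" ]; then
        echo "max-fd $want exceeds hard limit $hard" >&2
        return 1
    fi

    printf '%s %s\n' --max-fd "$want"
}

# Intended use in an entrypoint (placeholder ini path, word-split on purpose):
#   fd_args=$(uwsgi_fd_args "$EXAMPLE_MAX_FD") || exit 1
#   exec uwsgi --ini /path/to/uwsgi.ini $fd_args
```

Inside the running pod, `ulimit -n` shows the open-files limit the process would inherit when no cap is passed.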