[docker] Add default nofiles ulimits for containers #1119

Merged
merged 1 commit into from Sep 15, 2020

jamieand
Contributor

Issue number:
#1115

Description of changes:

This change adds --default-ulimit to dockerd's options to set default nofiles limits for containers. The values match what are currently used by the Amazon Linux and ECS AMIs.

Testing done:

Tested using the aws-dev variant

Without this change:

bash-5.0# time docker run amazonlinux:2 yum install -y tmux
Unable to find image 'amazonlinux:2' locally

...

Installed:
  tmux.x86_64 0:1.8-4.amzn2.0.1                                                 

  Dependency Installed:
    libevent.x86_64 0:2.0.21-4.amzn2.0.3                                          

    Complete!

    real    15m28.011s
    user    0m0.086s
    sys     0m0.034s

Now with the change:

bash-5.0# time docker run amazonlinux:2 yum install -y tmux
Unable to find image 'amazonlinux:2' locally

...

Installed:
  tmux.x86_64 0:1.8-4.amzn2.0.1

  Dependency Installed:
    libevent.x86_64 0:2.0.21-4.amzn2.0.3

    Complete!

    real    0m11.137s
    user    0m0.034s
    sys     0m0.039s

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@jamieand
Contributor Author

Move new settings to daemon.json. Re-ran the yum install test and verified it still completes in less than 15 seconds, as expected.

@samuelkarp
Contributor

Can we test that the ulimit can be overridden with the ulimits field of the task definition? (I can run this test if you want help.)

@jamieand
Contributor Author

I built an aws-ecs-1 variant image and tested with 3 different task definitions (thanks @samuelkarp for providing an example to get me started).

First:

❯ cat default_ulimit.json 
{
    "family": "ulimit-test",
    "containerDefinitions": [
        {
            "name": "ulimitDefault",
            "image": "amazonlinux:2",
            "cpu": 0,
            "memory": 512,
            "essential": true,
            "entryPoint": [
                "sh", "-c"
            ],
            "command": [
                "time yum install -y tmux"
            ]
        }
    ]
}
bash-5.0# docker logs 477a74fe64b0

...

  tmux.x86_64 0:1.8-4.amzn2.0.1                                                 
Dependency Installed:
  libevent.x86_64 0:2.0.21-4.amzn2.0.3                                          
Complete!
real    0m2.661s
user    0m1.896s
sys     0m0.344s

Next:

❯ cat high_ulimit.json
{
    "family": "ulimit-test",
    "containerDefinitions": [
        {
            "name": "ulimitHigh",
            "image": "amazonlinux:2",
            "cpu": 0,
            "memory": 512,
            "essential": true,
            "entryPoint": [
                "sh", "-c"
            ],
            "command": [
                "time yum install -y tmux"
            ],
            "ulimits": [
                {
                    "name": "nofile",
                    "softLimit": 8192,
                    "hardLimit": 1073741816
                }
            ]
        }
    ]
}
bash-5.0# docker logs f7522d1f7eaf

...

Installed:
  tmux.x86_64 0:1.8-4.amzn2.0.1                                                 
Dependency Installed:
  libevent.x86_64 0:2.0.21-4.amzn2.0.3                                          
Complete!
real    0m2.607s
user    0m1.850s
sys     0m0.393s

docker inspect shows the ulimits from the task definition were applied:

            "Ulimits": [
                {
                    "Name": "nofile",
                    "Hard": 1073741816,
                    "Soft": 8192
                }

Finally:

❯ cat really_high_ulimit.json 
{
    "family": "ulimit-test",
    "containerDefinitions": [
        {
            "name": "ulimitReallyHigh",
            "image": "amazonlinux:2",
            "cpu": 0,
            "memory": 512,
            "essential": true,
            "entryPoint": [
                "sh", "-c"
            ],
            "command": [
                "time yum install -y tmux"
            ],
            "ulimits": [
                {
                    "name": "nofile",
                    "softLimit": 1073741816,
                    "hardLimit": 1073741816
                }
            ]
        }
    ]
}
bash-5.0# docker logs 9ae1ece69e2a

...

Installed:
  tmux.x86_64 0:1.8-4.amzn2.0.1                                                 
Dependency Installed:
  libevent.x86_64 0:2.0.21-4.amzn2.0.3                                          
Complete!
real    15m47.677s
user    7m32.043s
sys     8m15.245s

This is consistent with the pre-change behavior, which is expected with such a high soft limit.
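
The override behaviour tested above, as an added example that is not part of this PR or the Bottlerocket code base: it resolves the effective nofile limit for each container (task-definition `ulimits` first, then dockerd's `default-ulimits` from daemon.json) and flags a very high soft limit. The daemon values, the combined task definition and the `SOFT_WARN` threshold are constructed for illustration.

```python
import json

# Constructed daemon.json fragment: the key is dockerd's "default-ulimits",
# but these numbers are placeholders, not the values merged in this PR.
DAEMON_CFG = json.loads(
    '{"default-ulimits": {"nofile": {"Name": "nofile", "Soft": 1024, "Hard": 4096}}}'
)

# Constructed task definition combining the three containers tested above.
TASK_DEF = {
    "family": "ulimit-test",
    "containerDefinitions": [
        {"name": "ulimitDefault"},
        {"name": "ulimitHigh", "ulimits": [
            {"name": "nofile", "softLimit": 8192, "hardLimit": 1073741816}]},
        {"name": "ulimitReallyHigh", "ulimits": [
            {"name": "nofile", "softLimit": 1073741816, "hardLimit": 1073741816}]},
    ],
}

SOFT_WARN = 1_048_576  # assumed review threshold, not from the page

def effective_nofile(container, daemon_cfg):
    """Return (soft, hard, source) for one containerDefinition."""
    for u in container.get("ulimits", []):
        if u["name"] == "nofile":  # a per-container value replaces the default
            return u["softLimit"], u["hardLimit"], "task-definition"
    d = daemon_cfg.get("default-ulimits", {}).get("nofile")
    if d:
        return d["Soft"], d["Hard"], "daemon-default"
    return None, None, "inherited-from-dockerd"

def audit(task_def, daemon_cfg, warn=SOFT_WARN):
    """Map container name -> (soft, hard, source, verdict)."""
    report = {}
    for c in task_def["containerDefinitions"]:
        soft, hard, src = effective_nofile(c, daemon_cfg)
        if soft is None:
            verdict = "unknown"       # no default set; limits come from dockerd itself
        elif soft > hard:
            verdict = "invalid"       # soft limit may not exceed the hard limit
        elif soft > warn:
            verdict = "soft-too-high"
        else:
            verdict = "ok"
        report[c["name"]] = (soft, hard, src, verdict)
    return report
```

Only the soft limit is checked against the threshold, which matches the results above: `ulimitHigh` has the same hard limit as `ulimitReallyHigh` but finished in under 3 seconds.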

@samuelkarp samuelkarp left a comment

Thanks Jamie!

@jamieand jamieand merged commit 3289c5e into bottlerocket-os:develop Sep 15, 2020
@jamieand jamieand deleted the docker-default-ulimit branch September 15, 2020 20:10