Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

systemd's service unit should set LimitNOFILE to 1048576 like docker does #3201

Closed
zaa opened this issue Apr 10, 2019 · 3 comments
Closed

systemd's service unit should set LimitNOFILE to 1048576 like docker does #3201

zaa opened this issue Apr 10, 2019 · 3 comments

Comments

@zaa
Copy link

zaa commented Apr 10, 2019

Description

I've just checked the limit on the max number of opened files for the containerd process on recent version of Container Optimized OS and saw that the process has the limit set to 65536.
I believe it should be set to 1048576 like docker does right now: moby/moby@428d733

Steps to reproduce the issue:

$ cat /usr/lib/systemd/system/containerd.service | grep LimitNOFILE
LimitNOFILE=infinity
$ systemctl show containerd | grep LimitNOFILE
LimitNOFILE=18446744073709551615
$ cat /proc/$(pgrep containerd | head -1)/limits | grep files
Max open files            65536                65536                files

Describe the results you expected:

$ cat /proc/$(pgrep containerd | head -1)/limits | grep files
Max open files            1048576              1048576              files

Output of containerd --version:

containerd github.com/containerd/containerd 1.2.5 bb71b10fd8f58240ca47fbb579b9d1028eea7c84
@zaa
Copy link
Author

zaa commented Apr 10, 2019

I've solved the issue locally by creating a service override for now:

$ cat /etc/systemd/system/containerd.service.d/override.conf
[Service]
LimitNOFILE=1048576
$ systemctl daemon-reload
$ cat /proc/$(pgrep containerd | head -1)/limits | grep files
Max open files            1048576              1048576              files

@crosbymichael
Copy link
Member

Does infinity not work anymore?

crosbymichael added a commit to crosbymichael/containerd that referenced this issue Apr 10, 2019
@crosbymichael
Set nofile to 1048576
1a1f8f1 
Closes containerd#3201

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
@crosbymichael crosbymichael mentioned this issue Apr 10, 2019
Merged
@zaa
Copy link
Author

zaa commented Apr 10, 2019

Looks like nope, it does not. moby/moby@428d733 references https://stackoverflow.com/questions/1212925/on-linux-set-maximum-open-files-to-unlimited-possible/1213069#1213069 which has more info.

kiwik pushed a commit to theopenlab/containerd that referenced this issue Apr 23, 2019
@Yikun @kiwik
Upstream sync (#2)
b6bc817 
* Add tcp service for grpc listeners

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Set nofile to 1048576

Closes containerd#3201

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Fix API forward events for shims

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Add support for required plugins.

Signed-off-by: Lantao Liu <lantaol@google.com>

* Use $TEST_RUNTIME for cri test.

Signed-off-by: Lantao Liu <lantaol@google.com>

* Improve shim shutdown logic

Shims no longer call `os.Exit` but close the context on shutdown so that
events and other resources have hit the `defer`s.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Add dialer for events service

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Rename `hrpc` to `tcpServer`

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Check task list to avoid unnecessary cleanup.

Signed-off-by: Lantao Liu <lantaol@google.com>

* Correct import path in services/server package

Signed-off-by: Jared Cordasco <jcordasc@coglib.com>

* Correct PusherFunc helper to match Pusher intf

Signed-off-by: Jared Cordasco <jcordasc@coglib.com>

* Requeue events in the shim publisher

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* bump mistifyio/go-zfs f784269be439d704d3dfa1906f45dd848fed2beb

- mistifyio/go-zfs#72 Switch to google/uuid
  - removes the github.com/pborman/uuid dependency

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* Update go-winio in vendor.conf

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>

* Allow dumping stacks via ETW capture state

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>

* Access to client's GRPC connection object

Signed-off-by: Maksym Pavlenko <makpav@amazon.com>

* .mailmap: update Akihiro Suda's email address

No affiliation change (NTT).

The former email address will continue to be available for the time being.

For daily communication, I still prefer to use my gmail.com address.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

* Move to sha-specified test image for nanoserver

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

* Fix error on pull hang in CI

Kill the underlying containerd after outputting error. Otherwise CI
hangs indefinitely and requires the CI infrastructure to kill the build
at the timeout expiration.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

* Write stack dump to `os.TempDir()` as well

Signed-off-by: John Howard <jhoward@microsoft.com>

* bump gocapability

full diff: syndtr/gocapability@db04d3c...d983527

changes included:

  - syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
  - syndtr/gocapability#16 Fix capHeader.pid type

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* Update x/crypto to 88737f569e3a9c7ab309cdc09a07fe7fc87233c3

full diff: golang/crypto@4979611...88737f5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* bump containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* Convert Windows CI to use Microsoft MCR image urls

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>

* Don't write dumped stacks to file for ETW capture state

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
@jbarrick-mesosphere jbarrick-mesosphere mentioned this issue Aug 7, 2019
Merged
NicolasT added a commit to scality/metalk8s that referenced this issue Sep 25, 2019
@NicolasT
containerd: set LimitNOFILE on the service
37c327c 
The default 'open files' limit, 1024, is way too low for some of our
applications. Since there's no way to bump this limit from within a
container, and the artificial limit of 1024 file descriptors stems from
an era where FDs were costly, bump the limit to a more reasonable (in
2019) default.

Fixes: #1785
See: #1785
See: containerd/containerd#3201
See: containerd/containerd#3202
@NicolasT NicolasT mentioned this issue Sep 25, 2019
Merged
NicolasT added a commit to scality/metalk8s that referenced this issue Sep 25, 2019
@NicolasT
containerd: set LimitNOFILE on the service
63d6009 
The default 'open files' limit, 1024, is way too low for some of our
applications. Since there's no way to bump this limit from within a
container, and the artificial limit of 1024 file descriptors stems from
an era where FDs were costly, bump the limit to a more reasonable (in
2019) default.

Manual test:

```
[root@bootstrap ~]# kubectl taint node bootstrap node-role.kubernetes.io/bootstrap-
node/bootstrap untainted
[root@bootstrap ~]# kubectl taint node bootstrap node-role.kubernetes.io/infra-
node/bootstrap untainted
[root@bootstrap ~]# kubectl run --restart=Never --image=busybox shell -- sleep 9999
pod/shell created
[root@bootstrap ~]# kubectl exec -ti shell -- sh -c 'ulimit -n'
1048576
```

Fixes: #1785
See: #1785
See: containerd/containerd#3201
See: containerd/containerd#3202
NicolasT added a commit to scality/metalk8s that referenced this issue Sep 26, 2019
@NicolasT
containerd: set LimitNOFILE on the service
9e8c0cf 
The default 'open files' limit, 1024, is way too low for some of our
applications. Since there's no way to bump this limit from within a
container, and the artificial limit of 1024 file descriptors stems from
an era where FDs were costly, bump the limit to a more reasonable (in
2019) default.

Manual test:

```
[root@bootstrap ~]# kubectl taint node bootstrap node-role.kubernetes.io/bootstrap-
node/bootstrap untainted
[root@bootstrap ~]# kubectl taint node bootstrap node-role.kubernetes.io/infra-
node/bootstrap untainted
[root@bootstrap ~]# kubectl run --restart=Never --image=busybox shell -- sleep 9999
pod/shell created
[root@bootstrap ~]# kubectl exec -ti shell -- sh -c 'ulimit -n'
1048576
```

Fixes: #1785
See: #1785
See: containerd/containerd#3201
See: containerd/containerd#3202
@onedr0p onedr0p mentioned this issue Sep 21, 2020
Merged
@zlangbert zlangbert mentioned this issue Sep 30, 2020
Closed
@AlexAtkinson AlexAtkinson mentioned this issue Jun 7, 2022
Open
@ilyam8 ilyam8 mentioned this issue Jul 31, 2022
Closed
@rayburgemeestre rayburgemeestre mentioned this issue Oct 20, 2022
Closed
@fitbeard fitbeard mentioned this issue Mar 23, 2023
Merged
@wcgcoder wcgcoder mentioned this issue Jul 31, 2023
Closed
@maximfox maximfox mentioned this issue Sep 20, 2023
Closed
curtishall added a commit to bluecherrydvr/bluecherry-docker that referenced this issue Nov 22, 2023
@curtishall
Update install.sh
a780173 
For all RHEL releases run this:
```
  sed -i 's/^LimitNOFILE=infinity$/LimitNOFILE=1048576/'  /usr/lib/systemd/system/docker.service
  sed -i 's/^LimitNOFILE=infinity$/LimitNOFILE=1048576/'  /usr/lib/systemd/system/containerd.service
```
containerd/containerd#3201
@dims dims mentioned this issue Feb 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zaa @crosbymichael