Sandbox config - rlimit

[aaronchar]

I am currently in the midst of configuring a cluster with cri-contianerd and I am struggling with the default rlimits that are passed down.

 "rlimits": [
          {
            "type": "RLIMIT_NOFILE",
            "hard": 1024,
            "soft": 1024
          }
     ],

I am wondering if there is a method to configure the rlimits.

Thanks

[Random-Liu]

@DefunctExodus Thanks for reporting this issue!

I think the problem is that:

• Docker default OCI spec doesn't have rlimit: https://github.com/moby/moby/blob/master/oci/defaults.go#L57.
• Containerd default has that: https://github.com/containerd/containerd/blob/master/oci/spec_unix.go#L87.

Kubernetes doesn't have rlimit support today kubernetes/kubernetes#3595, so it's using the Docker default. We should avoid regression for user switching from Docker to containerd.

@crosbymichael Do you think we should remove this from containerd default, or should cri-containerd do that? Maybe cri-containerd should just use docker/oci.DefaultLinuxSpec()?

[Random-Liu]

@DefunctExodus I discussed with @crosbymichael. To avoid regression, we'll remove the rlimit from the default spec for now.

However, please note that it means all your processes will inherit the limit from containerd. https://github.com/kubernetes-incubator/cri-containerd/blob/master/contrib/systemd-units/containerd.service#L14-L18
This is also the case for the Kubernetes Docker integration today.

[mikebrow]

So really two issues, one is the regression when moving from cri docker, the other is the CRI issue for specifying OCI runtime spec rlimits per pod/containerd.

[aaronchar]

@Random-Liu

Thanks for looking into this so quickly, that fix sounds just fine.

[Random-Liu]

@mikebrow Yeah, the rlimit issue for Kubernetes is tracked in kubernetes/kubernetes#3595.