Set LimitNOFILE=1024:524288 for crio.service #7703
Comments
@polarathene, thank you for getting in touch! This does make sense. Users can always set the following:

```toml
[crio.runtime]
default_ulimits=[
  "nofile=1024:1048576",
]
```

if they really wish to override the inherited default.
/assign kwilczynski
Also, interestingly, we don't support […]
Speaking of Podman, any issues with how they set limits, @polarathene?
Many applications do not raise the soft limit automatically because it was never the responsibility of the application.
@champtar, this issue has a strong "ain't broken, don't fix it" vibe. Would this be what you are getting at? We can:

- keep the current override and document the defaults, or
- remove it and rely on the systemd defaults.

The former requires, perhaps, an update to the existing documentation that clearly explains the defaults and the side effects for some applications that need lower limits due to some of their design choices. The latter would be a rather lengthy deprecation process. We should be cautious not to break OpenShift with this sort of change.
Response to @champtar
It absolutely is. If the software needs more than the soft limit available, and the hard limit permits that, it should communicate that to the kernel. I have told you this once before, @champtar, but please see this link for why the soft limit is intended to stay at 1024. If you know everything you're running in your container is not impacted by that, you can raise the limit explicitly for that workload.

Cite me one distro that actually sets the system default soft limit above 1024. I don't think you'll find this to be the case with anything like Ubuntu, Debian, RHEL, Fedora, openSUSE, Arch Linux, Alpine, etc. If you do find something, it's more than likely niche / container-focused, which doesn't inspire much confidence.

You are trying to justify the container environment being inconsistent with a typical host because of a misconfiguration that has existed for a long time, simply because no one had the time to invest in resolving it. I have answered why it was a mistake: it caused various bugs, which I have linked you to, whose cause was non-obvious to troubleshoot.
These projects tend to follow Docker's own config changes in my experience. The PR for this project has very little context regarding the decision, nor review comments on it, which suggests that at the time they didn't really understand it enough to give feedback or question it (we get busy and don't always have time, so changes like this can slip through). The fact it hasn't changed since doesn't mean it didn't cause any problems. Look at the ones related to Docker that I've cited: these span many years, with some not realizing the cause, or implementing their own workaround/fix (some with bad advice). The Docker / containerd change was discussed for well over a year IIRC, with some maintainer feedback, before I pushed for it with sufficient evidence to justify it.
Question: if you have a container with three processes, how do you approach this?
If you need the soft limit raised for software deployed at workloads requiring the limit to be that high, then the software should handle this. Especially when it's software that's well funded and/or used heavily by businesses: why can't it implement the correct behaviour instead of negatively impacting other software by being lazy? A separate soft limit exists for a reason, and it should be respected.
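To make this concrete, here is a minimal sketch (in Python, to match the reproduction scripts later in this issue; not taken from any of the cited projects) of a process raising its own soft limit at startup, which is effectively what the Go runtime does implicitly:

```python
import resource

# Query the current soft and hard limits for open file descriptors.
soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)

# A process that knows it needs many FDs can raise its own soft limit
# up to the hard limit; no elevated privileges are required for this.
if soft < hard:
    resource.setrlimit(resource.RLIMIT_NOFILE, (hard, hard))
```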
Plenty of software can work in production just fine. If it's not, then as I've said already, that software is most likely only deployed in containerized environments and has depended upon misconfiguration of the container runtime to work without facing this issue. Outside of a container, it'd be stuck with 1024, or with a package that explicitly bundles a systemd unit (or similar), or documents the need for a higher soft limit (like you'll find with MongoDB and Kafka) if the software is incapable of raising one for some reason.

I'd love to know why the software can't do what Go does and just raise the soft limit implicitly to the hard limit at runtime (since that's what is unofficially expected from software like Envoy). Not all software will be compatible with that, but the software you're referring to generally knows when it needs that.

For production deployments, it's better that you are explicit about such a requirement when it's needed, rather than troubleshooting to identify it as the cause of a bug/regression (which is notably harder to track down when a limit is too high vs too low). You can use drop-in override configs for systemd (see the sketch below), or if you don't have the ability to manage the host at that level, have your service provider offer the ability to raise this default limit to meet your business needs. It shouldn't be imposed upon all businesses, though, when that software would have functioned correctly outside of a container.
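For illustration, such a drop-in override for `crio.service` might look like this (the directory is systemd's standard drop-in location; the file name and values here are placeholders, not recommendations):

```ini
# /etc/systemd/system/crio.service.d/10-limits.conf
[Service]
LimitNOFILE=1024:1048576
```

Apply it with `systemctl daemon-reload && systemctl restart crio.service`; the drop-in always takes precedence over the packaged unit, so package updates won't clobber it.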
Response to @kwilczynski
I am not that familiar with Podman beyond the name. I had a quick look over their GitHub repo, and found a Go file covering how they set limits; I assume that's only used in part of their stack.
If you have no reports from your users about issues running software like I've referenced, you don't need to do anything. You can also wait and see how Docker v25.0 and containerd v2.0 manage this change, to see if they revert it.
I have illustrated in the reproduction example above how it does regress, but most of your users are unlikely to notice, as it's not severely disruptive, and those who do know better can likely find out about the issue now and resolve it locally with an override.
So besides the minor regression from the higher limit, as @champtar notes, it's less likely to be severe, as no one has really reported issues that pinpointed the limit as the cause.
FYI a similar change exploded EKS for many large customers: awslabs/amazon-eks-ami#1551
@polarathene, you are answering without taking into account my answer at containerd/containerd#8924 (comment). The ulimit on the host has been set by pam_limits or systemd LimitNOFILE since forever, and in containers there was no need to raise the soft limit because it was high enough 99% of the time.

The question is not whether we can fix everything, it's: has anyone started to identify what will break (you clearly have not), opened the bugs and/or PRs and argued to have them merged, and have we given enough time?

@kwilczynski @polarathene, I would be OK with a good one-year minimum deprecation notice, with a blog post explaining why, posted on social media for awareness so people can start fixing images. Right now the docker/containerd plan is to make the change and see what breaks, without trying to prepare for it, or even mentioning it in the release notes! (https://github.com/moby/moby/releases/tag/v25.0.0 / https://github.com/containerd/containerd/releases/tag/v2.0.0-beta.1)
This is what will happen in many images if you lower the soft limit to 1024: everyone will have to add entrypoints, waiting for software to be "fixed".
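A sketch of the kind of entrypoint wrapper being described (the path and the value are placeholders, assuming the hard limit permits the raise):

```sh
#!/bin/sh
# Wrapper entrypoint: raise the soft limit before starting the real
# service, because the service does not raise it for itself.
ulimit -Sn 10240
exec /usr/local/bin/real-entrypoint "$@"
```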
It might only need 10240, but 1024 is a crazy low number
Again and again: outside of k8s you can set the ulimits just fine (pam_limits or systemd), and it's not because the systemd folks say that applications should raise the soft limit if needed that this is how things are done today. Instead of responding again with a pile of text, please go through the most-pulled images from docker.io and see for yourself the work in front of us.
Apologies for the verbosity again (not intentional). You may find the bullet-point list of insights about the software you mentioned worthwhile. On everything else, we're mostly going in circles, with neither of us likely to change our opinion on what is correct. I'm not particularly interested in continuing the discussion; I've cited a huge amount of resources for why the change is appropriate.
If you want to push for an implicit reliance on the soft limit being artificially high in container environments by default for your convenience, then do so with proper reproductions that demonstrate the failure in action. If you can do this with enough popular images / software impacted outside of a production context, you could most likely convince maintainers to revert the change, as it'd impact UX at a wider scale. Otherwise they may be better off documenting the difference in a container environment, and the potentially hard-to-troubleshoot breakage/regressions for software running in a container.
I did try; see this comment where I detail a reproduction related to the original motivation for the change. I did extensively look into the history, as best I could, for software that actually needed higher limits.
Because ideally they get spotted and fixed? That's kind of how bug reports work when the cause can be identified. I've seen projects with bug reports where no one knew how to track down the actual cause at the time to resolve it.
For reference, Docker set its own unit-file limits years ago, and other projects followed.
So what takeaways do we have from all that?
I'd like to also highlight this:
Even if the project itself removes the reliance on a raised soft limit, how do you want to properly test for that without trawling through the source code of various projects, or only caring about coverage of the happy paths?
I agree about the importance of communicating such a change.
For cri-o: if there are no bug reports like the ones the other projects that adopted the change received, then there really is no rush; just observe. There's plenty of information in this issue thread should a problem related to it arise 👍
It was done on some projects (often poorly) when it was the other way around. Why are you against software compatibility between a host and a container deployment? I often find containers are great at providing a reproduction environment for bug reports, but it doesn't help when defaults introduce bugs (like my local test-suite run failing when CI was fine).

Raising the soft limit when it's needed is often documented / supported for projects that have that need. You'd need to do it on the host, and that should carry over to the container IMO. Realistically, the demographic shifts from small projects / images to bigger ones deployed in a production context, as do the people behind all that. It's not a big ask for a business to configure the host to use a higher global soft limit default for containers, be that your company or a service host you rely on.
Yes, it's low. Why should it be different for container environments? Much of the software you cited is not run exclusively in containers and has support for raising the soft limit (or documents that need): where are all the complaints related to that? If you want to push for a slightly higher bump that disregards the concerns cited, the burden of evidence is on that case.
Raise that issue with the k8s devs? Surely they have the resources and capabilities to accommodate such a tunable?
Alternatively, if you're dependent upon the higher limit, use a drop-in override config. Updates won't mess with that, and your override will always have precedence. Easy for a local fix, and I'd expect a non-issue for production deployments (unless this is abstracted by a service provider; then raise an issue with them about this, since you're their customer and pay them to meet your business needs).
I ironically never expect my responses to be as verbose as they end up 🤷♂️ It's not intentional, sorry, but I don't have the time to condense it.

I saw your examples for the mentioned software in your linked containerd comment; you just pulled the image and checked if it increased limits at runtime implicitly. See the above part of my response for why that's not sufficient. You'd be better off demonstrating a reproduction of where it's an actual problem.

As stated, just because the soft limit is 1024 per process by default doesn't mean the software is limited to 1024 FDs. Software that spawns worker processes, like nginx, grants each worker 1024 FDs to work with; the limit is not shared with the parent process.

If you want to debate this, why should something like Python pay a startup cost iterating over a needlessly high limit (see the reproduction scripts in this issue)? Why is your concern with production deployments of software like databases and webservers such a big point of friction that you can't adjust the limits? (If it's due to k8s and the override support isn't viable for some reason, perhaps you should be focusing your time and attention on getting that resolved instead?)
Since the bot wants to reassign you and discussion died down here, I don't mind closing this issue as "not planned" 👍 I don't use cri-o myself.

There is risk in applying this change: it risks breaking the deployments of those that relied on the bad config. The limit currently configured isn't going to be as visible in impact (as opposed to `LimitNOFILE=infinity`).

For reference, here are the release notes for Docker v25 on this change. You can see that while they state what the previous value was, they also mention the drop-in override config support for those that need to apply this change, and that once the related containerd update lands it'll have a wider impact.
A friendly reminder that this issue had no activity for 30 days.
/remove-lifecycle stale
What happened?
I was recently made aware of this configuration line (contributed Oct 2016) in `cri-o/contrib/systemd/crio.service` (line 20 at commit 91816d7), which sets `LimitNOFILE=1048576`.
Quite a bit has changed since then, notably with the systemd v240 release in 2018Q4. Both the Docker and containerd projects have recently removed the line from their configs to rely on the `1024:524288` default systemd v240 provides (unless the system has been configured explicitly to some other value, which the system administrator may do when they know they need higher limits).

You can find insights related to those PRs, along with a third link to the Envoy project (as an example of popular software that presently does not raise its soft limit or document that requirement, but has depended upon this implicit config in the environment), where the linked comment details why the soft limit should be `1024` to avoid software incompatibility:

- Set `RLIMIT_NOFILE` (`LimitNOFILE`) to sensible defaults: moby/moby#45534
- Remove `LimitNOFILE` from `containerd.service`: containerd/containerd#8924

This issue is raised to suggest considering the same change.
Either:

- remove the line entirely, or
- keep `LimitNOFILE=1024:524288` with a contextual comment.

What did you expect to happen?
For `LimitNOFILE` to have a soft limit of `1024`, so that software running in a container operates with the same environment defaults as the host system.

Raising the default soft limit should be done explicitly by the admin, or via the process that needs it implicitly (see the Python reproduction below for an example of this).
How can we reproduce it (as minimally and precisely as possible)?
Commands
I am not familiar with `cri-o`, but the equivalent Docker commands demonstrate the difference (which for `LimitNOFILE=1048576` can be more subtle; for example `postsrsd` would be <500ms vs 8 minutes):
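A minimal version of such a comparison might look like this (the image choice and output values are illustrative):

```console
$ docker run --rm --ulimit nofile=1024:524288 alpine sh -c 'ulimit -Sn; ulimit -Hn'
1024
524288
$ docker run --rm --ulimit nofile=1048576:1048576 alpine sh -c 'ulimit -Sn; ulimit -Hn'
1048576
1048576
```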
`python_close_individual.py`:
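A plausible minimal version of this script, going by its name: close every FD up to the soft limit one call at a time, the slow path when the limit is raised (the timing output is illustrative):

```python
import os
import resource
import time

# Mimic daemonization code that closes every possible FD one at a time.
soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)

start = time.monotonic()
for fd in range(3, soft):
    try:
        os.close(fd)
    except OSError:
        pass  # FD wasn't open; most of them won't be.
print(f"closing up to {soft} FDs individually took {time.monotonic() - start:.2f}s")
```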
`python_close_range.py`:
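And a plausible counterpart using `os.closerange()`, which on Python 3.10+ maps to the `close_range(2)` syscall, so the cost no longer scales with the limit:

```python
import os
import time

start = time.monotonic()
# One call, regardless of how high RLIMIT_NOFILE is set.
os.closerange(3, os.sysconf("SC_OPEN_MAX"))
print(f"os.closerange took {time.monotonic() - start:.4f}s")
```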
Reproduction references:

- `ENABLE_SRS=1` causing high CPU usage with `postsrsd`: docker-mailserver/docker-mailserver#2722 (comment)

Anything else we need to know?
While containerd is yet to publish a release with this change AFAIK (it should be scheduled for v2.0), AWS eagerly adopted the change and promptly reverted it due to customer feedback, with some software failing to communicate a request for a higher soft limit (some AWS-specific software and Envoy are known examples).
AWS can provide a higher `LimitNOFILE` configuration if that better suits their users (despite the referenced `1024` soft limit concerns, or the difficult-to-troubleshoot issues with `LimitNOFILE=infinity`), but that should be a vendor decision while projects like `cri-o` actually fix the bug.

`LimitNOFILE=1048576` is not as bad as `LimitNOFILE=infinity`, however:

- `1,000x` less, but affected deployments would still be allocating `1,000x` more than they may need. The Java runtime was also identified as another culprit.
- `yum` (NOTE: PowerDNS had to work around a 6-hour image build time, however that was due to a `2^30`, not `2^20`, limit)
- `zypper` (NOTE: `LimitNOFILE=1048576` taking 30-60 minutes, could be much faster)
- `dnf`
CRI-O and Kubernetes version
N/A
OS version
N/A
Test reproduction environment was WSL2 (Ubuntu), but previously was Arch Linux and Fedora.
Additional environment details (AWS, VirtualBox, physical, etc.)