diff --git a/src/container.c b/src/container.c
index 0ac3eff3..078accd1 100644
--- a/src/container.c
+++ b/src/container.c
@@ -384,41 +384,24 @@ static int container_setup_init_layer(struct hyper_container *container,
 static int container_setup_sysctl(struct hyper_container *container)
 {
- int i, size, len, l, fd;
+ int i;
 struct sysctl *sys;
 for (i = 0; i < container->sys_num; i++) {
 char path[256];
- len = 0;
 sys = &container->sys[i];
- size = strlen(sys->value);
 sprintf(path, "/proc/sys/%s", sys->path);
 fprintf(stdout, "sysctl %s value %s\n", sys->path, sys->value);
- fd = open(path, O_WRONLY);
- if (fd < 0) {
- perror("open file failed");
- goto out;
- }
-
- while (len < size) {
- l = write(fd, sys->value + len, size - len);
- if (l < 0) {
- perror("fail to write sysctl");
- close(fd);
- goto out;
- }
- len += l;
+ if (hyper_write_file(path, sys->value, strlen(sys->value)) < 0) {
+ fprintf(stderr, "sysctl: write %s to %s failed\n", sys->value, path);
+ return -1;
 }
-
- close(fd);
 }
 return 0;
-out:
- return -1;
 }
 static int container_setup_dns(struct hyper_container *container)
diff --git a/src/init.c b/src/init.c
index 61bfe5c4..2371b0da 100644
--- a/src/init.c
+++ b/src/init.c
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1144,6 +1145,8 @@ static int hyper_loop(void)
 struct epoll_event *events;
 struct hyper_pod *pod = &global_pod;
 sigset_t mask, omask;
+ struct rlimit limit;
+ char *filemax = "1000000";
 sigemptyset(&mask);
 sigaddset(&mask, SIGCHLD);
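Review bot: The `sprintf(path, "/proc/sys/%s", sys->path)` that stays as context just above the new `hyper_write_file` call in container_setup_sysctl writes into `char path[256]` with no bound, and `sys->path` appears to come from the container specification rather than from this file. A long name would overrun the stack buffer, and a name containing `..` components would resolve outside /proc/sys before the write. Since the loop is being reworked anyway, consider `int n = snprintf(path, sizeof(path), "/proc/sys/%s", sys->path);` followed by `if (n < 0 || (size_t)n >= sizeof(path)) return -1;`, plus rejecting `..` in `sys->path` before the file is opened.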
@@ -1162,6 +1165,31 @@ static int hyper_loop(void)
 sigdelset(&omask, SIGCHLD);
 signal(SIGCHLD, hyper_init_sigchld);
+ if (hyper_write_file("/proc/sys/fs/file-max", filemax, strlen(filemax)) < 0) {
+ fprintf(stderr, "sysctl: setup default file-max(%s) failed\n", filemax);
+ return -1;
+ }
+
+ // setup open file limit
+ limit.rlim_cur = limit.rlim_max = atoi(filemax);
+ if (setrlimit(RLIMIT_NOFILE, &limit) < 0) {
+ perror("set rlimit for NOFILE failed");
+ return -1;
+ }
+
+ // setup process num limit
+ limit.rlim_cur = limit.rlim_max = 30604;
+ if (setrlimit(RLIMIT_NPROC, &limit) < 0) {
+ perror("set rlimit for NPROC failed");
+ return -1;
+ }
+
+ // setup pending signal limit, same with NRPROC
+ if (setrlimit(RLIMIT_SIGPENDING, &limit) < 0) {
+ perror("set rlimit for SIGPENDING failed");
+ return -1;
+ }
+
 ctl.efd = epoll_create1(EPOLL_CLOEXEC);
 if (ctl.efd < 0) {
 perror("epoll_create failed");
diff --git a/src/util.c b/src/util.c
index 2256fd82..d28b817d 100644
--- a/src/util.c
+++ b/src/util.c
@@ -208,6 +208,29 @@ int hyper_getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroup
 return ret;
 }
+int hyper_write_file(const char *path, const char *value, size_t len)
+{
+ size_t size = 0, l;
+ int fd = open(path, O_WRONLY);
+ if (fd < 0) {
+ perror("open file failed");
+ return -1;
+ }
+
+ while (size < len) {
+ l = write(fd, value + size, len - size);
+ if (l < 0) {
+ perror("fail to write to file");
+ close(fd);
+ return -1;
+ }
+ size += l;
+ }
+
+ close(fd);
+ return 0;
+}
+
 /* Trim all trailing '/' of a hyper_path except for the prefix one. */
 void hyper_filize(char *hyper_path)
 {
diff --git a/src/util.h b/src/util.h
index 18ab6576..045a8a05 100644
--- a/src/util.h
+++ b/src/util.h
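Review bot: Each `setrlimit` call here sets the soft limit equal to the hard limit (`limit.rlim_cur = limit.rlim_max = ...`) on the init process, so presumably every process it later starts inherits a soft RLIMIT_NOFILE of 1000000. Programs that size tables or close-all-descriptors loops from the soft limit become slow at that value, and select()-based code is unsafe above FD_SETSIZE, so consider raising only `rlim_max` and leaving `rlim_cur` at a conventional value. The number 30604 used for NPROC and SIGPENDING has no stated origin; a named constant with a comment saying where it comes from would help, and "NRPROC" in the last comment should read "NPROC". `atoi(filemax)` can be dropped by defining the number once and formatting the string from it. hyper_loop starts and ends outside this hunk.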
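Review bot: In `hyper_write_file`, `l` is declared `size_t`, so `if (l < 0)` can never be true and a failed `write()` goes undetected. The -1 return converts to SIZE_MAX, `size += l` wraps, and when the first write fails the loop ends and the function returns 0. For the sysctl callers in container.c and init.c this means a value the kernel rejected is reported as applied, which matters when the setting is a hardening knob. Declare `ssize_t l;` separately from `size_t size = 0;` and accumulate with `size += (size_t)l;`; retrying when `errno == EINTR` is also worth adding.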
@@ -28,6 +28,7 @@ int hyper_cmd(char *cmd);
 int hyper_create_file(const char *hyper_path);
 void hyper_filize(char *hyper_path);
 int hyper_mkdir(char *path, mode_t mode);
+int hyper_write_file(const char *path, const char *value, size_t len);
 int hyper_open_channel(char *channel, int mode);
 int hyper_open_serial_dev(char *tty);
 int hyper_setfd_cloexec(int fd);