[containerd] Limit number of open files per container

[fungusakafungus]

by setting a default runtime spec with a patch for RLIMIT_NOFILE.

Introduces containerd_base_runtime_spec_rlimit_nofile, with default of 16384

Slightly more aggressive version of #9302

• uses base_runtime_spec by default
• sets max number of open files per container by default to containerd_base_runtime_spec_rlimit_nofile: 16384

This is the version I would use in production.

What type of PR is this?
/kind feature

What this PR does / why we need it:
See #9302

Does this PR introduce a user-facing change?:

[containerd] Newly started containers will be limited to 16384 open files. To change this number, set `containerd_base_runtime_spec_rlimit_nofile`, or remove `base_runtime_spec` from runc runtime to revert to previous behaviour.

[k8s-ci-robot]

Hi @fungusakafungus. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[fungusakafungus]

Very useful test failures. This would break every cluster! (as it just did with ours)

[fungusakafungus]

Fixed and ready for review. The result can be seen in any new pod with a shell like this:

$ kubectl exec some-pod-with-sh -- sh -c 'ulimit -n'
16384

CI was broken because the cri-base.json file was generated some time ago by a previous containerd version. Now this file is generated on-the-fly.

[fungusakafungus]

To the default limit of open files of 16,384:
containerd sets a limit of 1,048,576 for all running containers in its systemd unit: containerd/containerd#3202
max pods per node is usually 110, if all would would be running and using max open files, we'd have 16,384 x 110 = 1,802,240 open files, close enough.

[mzaian]

/ok-to-test
/assign @oomichi

[oomichi]

To the default limit of open files of 16,384: containerd sets a limit of 1,048,576 for all running containers in its systemd unit: containerd/containerd#3202 max pods per node is usually 110, if all would would be running and using max open files, we'd have 16,384 x 110 = 1,802,240 open files, close enough.

Thanks for explaining the reason of the default value.
That seems reasonable to change it here.
In addition, it is nice to generate the default config file with ctr command in a task instead of the static file.

/approve

[floryut]

/lgtm
@fungusakafungus Thank you, seems like a nice way to do it!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, fungusakafungus, oomichi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [floryut,oomichi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment