
sysctl tunables #4717

Closed
q53 opened this issue Mar 17, 2014 · 88 comments · Fixed by #9437
Labels
kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny
Comments

@q53 commented Mar 17, 2014

When launching a dockerised process as root, it is possible to execute some kind of init script to set sysctl values. But setting the right ulimits actually needs the -privileged flag.
When run as a user (-u flag), is there a way to do this? I did not find any in the docs.
Setting any other stuff (like /dev/shm size, #2606) would be great.

@q53 (Author) commented Apr 7, 2014

Any comments?

@unclejack changed the title from "Correct way to set sysctl,ulimit when runnnig as user." to "set ulimit / file limit / nproc limit" (May 20, 2014)
@unclejack changed the title from "set ulimit / file limit / nproc limit" to "set ulimit / file limit / nproc limit / sysctl" (May 20, 2014)
@alexlarsson (Contributor)

It would be nice to allow users to change these limits, but we also probably want to default to setting them to something lower. To be able to handle many containers, the docker daemon is generally set to a very large ulimit on the number of open files, which then gets inherited by all containers.

@alexlarsson (Contributor)

In particular, FD_SETSIZE is set to 1024 by default in most built Linux apps, which breaks if the ulimit for the number of open files is > 1024.

@jeffbaier

I would like to be able to change some network parameters at runtime without running the container in privileged mode. For example:

root@d7cbfe215281:~# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Read-only file system

@jhulten commented Jul 14, 2014

In order to run a chef server in a container I need to run postgres, which means I need to tune shmmax and shmall. The chef omnibus installer starts postgres to add base users and tables, which I cannot do right now since sysctl requires privileged mode and you can't have privileged build steps.

@tinytelly

Does anyone know the current status of this? It's a big deal that I can no longer run 'sysctl -w kernel.shmmax=1067108864' inside a container, and it has literally stopped my Docker use case from working going from 0.11.1 to 1.0.0. The default value that is populated is 32mb and is useless (Amazon EC2, default Red Hat AMI).

@mcieslik-mctp

Same "kernel.shmmax" issue, even when kernel.shmmax is set on the host prior to running a container (Ubuntu 14.04 based). The limit inside the container is much lower (I don't know where the defaults come from). I can only use privileged mode to change it.

@timcash commented Sep 20, 2014

Is there a workaround for setting ulimit -n? I have tried some of the suggestions on the Google group, but no luck.

cat /proc/$(my_docker_pid)/limits | grep files
shows that setting ulimit -n 65000 and restarting the daemon works, but none of the containers I start after this seem to inherit that. I need this to work so I can run things like a database in a Dockerfile.

UPDATE:
So when I use nsenter from the host, ulimit -a is reporting correctly.

When I use Google's gcloud compute ssh --container my_container to ssh into the container, it does not report correctly.
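
As an added example (not from this thread or from Docker), the following Go program parses the /proc/<pid>/limits table that timcash greps above and flags the inherited open-files limit alexlarsson describes: a soft limit above FD_SETSIZE (1024) can break select()-based programs inside the container. The sample table is constructed here using the kernel's own column format.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FDSetSize is the default FD_SETSIZE alexlarsson refers to; select() cannot track descriptors at or above it.
const FDSetSize = 1024

// Limit is one row of /proc/<pid>/limits.
type Limit struct{ Name, Soft, Hard, Units string }

// row renders a line the way the kernel does ("%-25s %-20s %-20s %-10s").
func row(name, soft, hard, units string) string {
	return fmt.Sprintf("%-25s %-20s %-20s %-10s\n", name, soft, hard, units)
}

// SampleLimits is a constructed excerpt in which the daemon's 1048576 limit was inherited.
var SampleLimits = row("Limit", "Soft Limit", "Hard Limit", "Units") +
	row("Max processes", "1048576", "1048576", "processes") +
	row("Max open files", "1048576", "1048576", "files") +
	row("Max nice priority", "0", "0", "")

// ParseLimits slices each line by column position rather than splitting on
// whitespace: limit names contain spaces and the Units column is empty for some rows.
func ParseLimits(text string) map[string]Limit {
	out := map[string]Limit{}
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(line, "Limit") || len(line) < 47 {
			continue // header row, or too short to hold the soft and hard columns
		}
		line = fmt.Sprintf("%-78s", line) // pad so the Units slice is always in range
		l := Limit{strings.TrimSpace(line[0:26]), strings.TrimSpace(line[26:47]),
			strings.TrimSpace(line[47:68]), strings.TrimSpace(line[68:78])}
		out[l.Name] = l
	}
	return out
}

// OpenFilesWarning reports when the inherited soft nofile limit can break select()-based programs.
func OpenFilesWarning(limits map[string]Limit) string {
	l, ok := limits["Max open files"]
	n, err := strconv.Atoi(l.Soft)
	if !ok || (l.Soft != "unlimited" && (err != nil || n <= FDSetSize)) {
		return ""
	}
	return fmt.Sprintf("soft open-files limit %s exceeds FD_SETSIZE %d; select()-based programs may misbehave", l.Soft, FDSetSize)
}
```

Feed it the contents of a real /proc/<pid>/limits file for a container process to see whether the daemon's limit was inherited.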

@unclejack changed the title from "set ulimit / file limit / nproc limit / sysctl" to "set ulimit / file limit / nproc limit / sysctl tunables" (Oct 10, 2014)
@thockin (Contributor) commented Oct 17, 2014

This is starting to matter. Having control of ulimits seems like something docker needs to handle first-class.

@freman commented Oct 25, 2014

+1

We too would find it most useful to be able to set the sysctl environment.

We understand that security dictates locking /proc down, but if we could send sysctl settings via the docker command line,

i.e. docker run --sysctl net.core.somaxconn=1024 image

this would be so awesome.

@gdm85 (Contributor) commented Oct 27, 2014

The approach proposed on StackOverflow is a security nightmare.

I did some research, and it seems like this feature could be added in HostConfig and be applied right before CAP_SYS_ADMIN is dropped by libcontainer.
See also docker-archive/libcontainer#237, which would introduce a per-container blacklist for syscalls (including sysctl).

@irachex (Contributor) commented Oct 30, 2014

Adding ulimit -n 65536 in /etc/init.d/docker's prestart function works for me.

@jgelens commented Oct 30, 2014

That works for file limits indeed, but not for net.core.somaxconn for example.

@thockin (Contributor) commented Oct 30, 2014

It also does not allow for jobs to be granted more or less. For example, we have a fairly tight restriction on this internally, and a flag that jobs have to ask for to be granted more.


@thockin (Contributor) commented Nov 26, 2014

Is anyone from Docker willing to weigh in on this?

@jgelens commented Nov 26, 2014

I hope someone will soon. For me this is becoming a choice whether we're going to use Docker or not. Not being able to tune these settings is a no-go for my apps. Really hope this will be possible, Docker is great otherwise.

@thockin (Contributor) commented Nov 26, 2014

If ulimits is something Docker will consider, we could add it to our queue of things to do if nobody beats us to it. This is not particularly hard, I hope.


@jgelens commented Nov 26, 2014

Not only ulimit, I also need to be able to change kernel settings like net.core.somaxconn, this was possible in earlier releases.

@cpuguy83 (Member)

Seems like there should be an API for this, and some sane default for the ulimit inside the container.
In #8231 it was pointed out that slapd is going nuts with the high open file limit.

@tonylampada

👍 for somaxconn
(You can add me to that list too :-))

@thaJeztah (Member)

@tonylampada there's currently an open pull request here: #19265, but it uses a whitelist to only allow sysctls that are namespaced.

@tonylampada

@thaJeztah interesting! Thanks for pointing that out.

@georgmzimmer

+1 for somaxconn

@cpuguy83 (Member)

+1's do not help here.

If somaxconn is namespaced it can be added; if not, then it can't.
Based on the implementation in #19265, it looks like it is, and it will be supported.

@rhatdan (Contributor) commented Mar 10, 2016

If it is under net then it will be supported.

@cpuguy83 (Member)

Closed by the addition of --sysctl in #19265.

@thaJeztah thaJeztah added this to the 1.11.0 milestone Apr 13, 2016
@nilyang commented Aug 10, 2016

I have the same question too. When I use GDB, add a breakpoint, then run, all is OK, but it reports an error:

warning: Error disabling address space randomization: Operation not permitted

When I googled the reason, I found that this error can be resolved by changing some kernel config like this:

root@7639183e92d0:~# sysctl -w kernel.randomize_va_space=0
sysctl: setting key "kernel.randomize_va_space": Read-only file system

But, as you see, the Read-only file system error was reported again, as was Operation not permitted.
I hope that this issue can help me.

@cpuguy83 (Member)

@nilyang you must run this on the host, not in the container... Or if you run it in the container you would have to use --privileged when creating the container.

@nilyang commented Aug 11, 2016

@cpuguy83 thanks a lot 👍 Btw, I found another question: this option can only take effect on sh, but when I start the container with bash, there is no effect at all.
Yes, my docker containers were running on Windows 10, but I do not know why. Today I sent my question to my friend, who has docker installed and is running containers on macOS, and his result was OK on both bash and sh. After all, I suspect that the only difference between my friend's containers and mine is the OS.

Is there some bug on Windows 10 for docker (when using --privileged)?

@cpuguy83 (Member)

@nilyang It should work either way. The shell has no bearing on tweaking the kernel params.

@vingrad commented Sep 20, 2016

@cpuguy83 but it's impossible to use "privileged" with docker service:
WARNING: unsupported parameter privileged

@Mishi-999

Hi, I am facing a critical issue while running an Oracle RAC database in a docker container, solely because net.core* parameters are not set in the container. I also tried --net=host, but that does not seem to help, as it uses the host network, which limits connectivity between two RAC containers and also hinders the installation.

Is there any workaround for setting --sysctl net.core* parameters with docker run?
Thanks in advance.

@thaJeztah (Member)

@Mishi-999 what workaround do you need? This feature is implemented in #19265 and is part of docker 1.12.

@thaJeztah thaJeztah modified the milestones: 1.12.0, 1.11.0 Feb 4, 2017
@Mishi-999

Thanks for your response @thaJeztah. I am using Docker version 1.12.1 on ubuntu 4.4.0-59-generic, but running with --sysctl net.core.rmem_default=262144 in privileged mode shows the error:
docker: Error response from daemon: oci runtime error: open /proc/sys/net/core/rmem_default: no such file or directory.
Parameters are set in /etc/sysctl.conf, and yet on running sysctl -a I am unable to grep "net.core.rmem_default = 262144".
Can you please guide me on this issue? Sorry for bothering, as I am new to docker.

@thaJeztah (Member)

@Mishi-999 can you open a new issue with more details and the exact steps to reproduce?

@rhatdan (Contributor) commented Feb 6, 2017

This might mean that net/core/rmem_default is not namespaced in the kernel, so it cannot be set per container.

@thaJeztah (Member)

@rhatdan which means we should exclude that one from the list?

@justincormack (Contributor)

@thaJeztah no, that's not helpful. We could maybe improve the error message.

@rhatdan (Contributor) commented Feb 6, 2017

@thaJeztah No, since we don't know what the list is? :^( This is a case where there is a kernel sysctl which is not namespaced, but currently we believe that all NET* sysctls are namespaced, and that is all we check.
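
As an added example, not Docker's own code, here is the whitelist-then-apply flow this thread describes for --sysctl (#19265): accept only keys believed to be namespaced, write them under the container's /proc/sys, and report a useful error when a whitelisted key such as net.core.rmem_default turns out not to exist in the container's namespace, the improvement justincormack suggests above. The whitelist contents and the root-directory parameter are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Whitelist of sysctls believed to be namespaced (an assumption here, not Docker's list).
var namespacedPrefixes = []string{"net.", "fs.mqueue."}
var namespacedKeys = map[string]bool{"kernel.msgmax": true, "kernel.msgmnb": true, "kernel.msgmni": true,
	"kernel.sem": true, "kernel.shmall": true, "kernel.shmmax": true, "kernel.shmmni": true, "kernel.shm_rmid_forced": true}

// ValidateSysctl rejects keys outside the whitelist; kernel.randomize_va_space from the GDB report above is host-wide.
func ValidateSysctl(key string) error {
	if key == "" || strings.ContainsAny(key, "/\x00") {
		return fmt.Errorf("sysctl key %q is malformed", key) // a slash would escape the key-to-path mapping
	}
	if namespacedKeys[key] {
		return nil
	}
	for _, p := range namespacedPrefixes {
		if strings.HasPrefix(key, p) {
			return nil
		}
	}
	return fmt.Errorf("sysctl %q is not namespaced and cannot be set per container", key)
}

// ApplySysctl writes value to root/<key with dots as slashes>; root stands in for the
// container's /proc/sys so the flow can be exercised on a scratch directory. A whitelisted
// key the kernel does not namespace (net.core.rmem_default above) is absent there.
func ApplySysctl(root, key, value string) error {
	if err := ValidateSysctl(key); err != nil {
		return err
	}
	path := filepath.Join(root, filepath.FromSlash(strings.ReplaceAll(key, ".", "/")))
	// No O_CREATE: /proc/sys never allows new entries, and a missing key must not become a new file.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_TRUNC, 0)
	if errors.Is(err, os.ErrNotExist) {
		return fmt.Errorf("sysctl %q passed validation but does not exist in the container's namespace: this kernel does not namespace it", key)
	} else if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(value + "\n")
	return err
}
```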

@Mishi-999

@thaJeztah created issue #30778

@thaJeztah (Member)

@daixiang0 this issue is a feature request, and the feature was implemented last year. If you have a bug to report, please open a new issue with the information that's requested in the issue template that's shown when you open the issue. Make sure your system is fully up-to-date, as CentOS uses a rolling update model (i.e. CentOS 7.3 reached end of life after 7.4 was released).

I'm locking this issue for comments to prevent it from collecting unrelated issues (which easily go overlooked on closed issues); if you arrive here because you want to report a bug, open a new issue instead, thanks!

@moby moby locked and limited conversation to collaborators Oct 24, 2017