sysctl tunables #4717
Comments
Any comments?
It would be nice to allow users to change these limits, but we also probably want to default to setting them to something lower: to be able to handle many containers, the docker daemon is generally set to a very large ulimit on the number of open files, which then gets inherited by all containers.
In particular, FD_SETSIZE is set to 1024 by default in most built linux apps, which breaks if the ulimit for the number of open files is > 1024.
I would like to be able to change some network parameters at runtime without running the container in privileged mode. For example -
In order to run a chef server in a container I need to run postgres, which means I need to tune shmmax and shmall. The chef omnibus installer starts postgres to add base users and tables, which I cannot do right now since sysctl requires privileged mode and you can't have privileged build steps.
Does anyone know the current status of this... It's a big deal that I can no longer run 'sysctl -w kernel.shmmax=1067108864' inside a container... and it has literally stopped my Docker use case from working going from 0.11.1 to 1.0.0. The default value that is populated is 32mb and is useless (amazon ec2, default redhat ami).
Same "kernel.shmmax" issue. Even when kernel.shmmax is set on the host prior to running a container (ubuntu 14.04 based), the limit inside the container is much lower (I don't know where the defaults come from). I can only use privileged mode to change it.
Is there a workaround for setting ulimit -n? I have tried some of the suggestions on the google-group but no luck. cat /proc/$(my_docker_pid)/limits | grep files UPDATE: when I use google's gcloud compute ssh --container my_container to ssh into the container it does not report correctly.
This is starting to matter. Having control of ulimits seems like something docker needs to handle first-class.
+1 We too would find it most useful to be able to set the sysctl environment. We understand that security dictates locking /proc down, but if we could send sysctl things to set via the docker command line, i.e. docker run --sysctl net.core.somaxconn=1024 image, this would be so awesome.
The approach proposed on StackOverflow is a security nightmare. I did some research and it seems like this feature could be added in HostConfig and be applied right before CAP_SYS_ADMIN is dropped by libcontainer.
Add
That works for file limits indeed, but not for net.core.somaxconn for example.
It also does not allow for jobs to be granted more or less. For example,
On Thu, Oct 30, 2014 at 8:37 AM, Jeffrey Gelens notifications@github.com
Is anyone from Docker willing to weigh in on this?
I hope someone will soon. For me this is becoming a choice whether we're going to use Docker or not. Not being able to tune these settings is a no-go for my apps. Really hope this will be possible, Docker is great otherwise.
If ulimits is something Docker will consider, we could add it to our queue
On Tue, Nov 25, 2014 at 11:59 PM, Jeffrey Gelens notifications@github.com
Not only ulimit, I also need to be able to change kernel settings like net.core.somaxconn; this was possible in earlier releases.
Seems like there should be an API for this, and some sane default for the ulimit inside the container.
👍 for somaxconn
@tonylampada there's currently an open pull request here; #19265 but it uses a whitelist to only allow
@thaJeztah interesting! Thanks for pointing that out.
+1 for somaxconn
+1's do not help here. If somaxconn is namespaced it can be added, if not, then it can't.
If it is under net then it will be supported.
Closed by the addition of
I have the same question too. When I use GDB and add a
When I googled the reason, I found that this error can be resolved by changing some kernel config like this:
But, as you see, the Read-only file system error was reported again, as
@nilyang you must run this on the host, not in the container... Or if you run it in the container you would have to use --privileged when creating the container.
@cpuguy83 thanks a lot 👍 Btw, I found another question: this option can only take effect on sh, but when I start the container with bash, there is no effect at all ~
@nilyang It should work either way. The shell has no bearing in tweaking the kernel params.
@cpuguy83 but it's impossible to use "privileged" with docker service.
Hi, I am facing a critical issue while running an Oracle RAC database in a docker container, solely because net.core* parameters are not set in the container. I also tried with --net=host but that does not seem to help, as it uses the host network, which limits connectivity between two RAC containers and also hinders the installation. Is there any workaround for setting --sysctl net.core* parameters with docker run?
@Mishi-999 what workaround do you need? This feature is implemented in #19265, and part of docker 1.12.
Thanks for your response @thaJeztah, I am using Docker version 1.12.1 on ubuntu 4.4.0-59-generic, but running with the --sysctl net.core.rmem_default=262144 parameter in privileged mode shows the error -
@Mishu-999 can you open a new issue with more details and the exact steps to reproduce?
This might mean that net/core/rmem_default is not namespaced in the kernel, so it cannot be set per container.
@rhatdan which means we should exclude that one from the list?
@thaJeztah no, that's not helpful. We could maybe improve the error message.
@thaJeztah No, since we don't know what the list is? :^( This is a case where there is a kernel sysctl which is not namespaced, but currently we believe all NET* sysctls are namespaced, and that is all we check.
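As an added example (not code from this thread or from Docker itself), here is the kind of check the maintainers describe above: accept keys under the namespaced net. subtree and the IPC keys on the allow-list, reject everything else, and give a clearer error for the net.core.rmem_default case, which the kernel keeps global despite its net. prefix. The exact allow-list contents and the set of global net.core keys are assumptions modelled on #19265 and on the rmem_default report in this thread, not an authoritative list.

```go
package main

import (
	"fmt"
	"strings"
)

// Explicit keys and whole subtrees that may be set per container; this is an
// assumption modelled on the allow-list #19265 added for docker run --sysctl.
var allowedKeys = map[string]bool{
	"kernel.msgmax": true, "kernel.msgmnb": true, "kernel.msgmni": true,
	"kernel.sem": true, "kernel.shmall": true, "kernel.shmmax": true,
	"kernel.shmmni": true, "kernel.shm_rmid_forced": true,
}
var allowedPrefixes = []string{"net.", "fs.mqueue."}

// Keys under net. that the kernel keeps global rather than per network namespace,
// so a container cannot set them. Constructed from the rmem_default report; not exhaustive.
var knownGlobal = map[string]bool{
	"net.core.rmem_default": true, "net.core.wmem_default": true,
	"net.core.rmem_max": true, "net.core.wmem_max": true,
}

// ValidateSysctl parses one --sysctl key=value argument and reports why it would be
// rejected, distinguishing "not on the list" from "known not to be namespaced".
func ValidateSysctl(arg string) (key, value string, err error) {
	kv := strings.SplitN(arg, "=", 2)
	if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
		return "", "", fmt.Errorf("sysctl %q must be of the form key=value", arg)
	}
	key, value = kv[0], kv[1]
	if knownGlobal[key] {
		return key, value, fmt.Errorf("sysctl %q is global, not namespaced; set it on the host", key)
	}
	if allowedKeys[key] {
		return key, value, nil
	}
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(key, p) {
			return key, value, nil
		}
	}
	return key, value, fmt.Errorf("sysctl %q is not on the allow-list of namespaced sysctls", key)
}

func main() {
	for _, a := range []string{"net.core.somaxconn=1024", "kernel.shmmax=1067108864",
		"net.core.rmem_default=262144", "vm.swappiness=10", "fs.file-max"} {
		_, _, err := ValidateSysctl(a)
		fmt.Printf("%-30s -> %v\n", a, err)
	}
}
```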
@thaJeztah created issue #30778
@daixiang0 this issue is a feature request, and the feature was implemented last year. If you have a bug to report, please open a new issue with the information that's requested in the issue template that's shown when you open the issue. Make sure your system is fully up-to-date as CentOS uses a rolling update model (i.e. CentOS 7.3 reached end of life after 7.4 was released). I'm locking this issue for comments to prevent it from collecting unrelated issues (which easily go overlooked on closed issues); if you arrive here because you want to report a bug, open a new issue instead, thanks!
When launching a dockerised process as root it is possible to execute some kind of init script to set sysctl values. But setting the right ulimits actually needs the -privileged flag.
When run as a user (-u flag), is there a way to do subj? I did not find any in the docs.
Setting any other stuff (like /dev/shm size, #2606) would be great.