New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow setting ulimits for containers #9437
Conversation
46ffe5a
to
8036187
Compare
|
||
``` | ||
$ docker run --ulimit=nofile:1024:1024 --rm debian ulimit -n | ||
1024 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unintended wrapping?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, that would be the output of the run command.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, sorry, mis-interpreted, I thought -n 1024
😄
I like it LGTM |
8036187
to
61fa833
Compare
@SvenDowideit I think it doesn't matter since Docker is setting the limit, which has full host access. |
@@ -150,7 +150,8 @@ Create a container | |||
"CapDrop": ["MKNOD"], | |||
"RestartPolicy": { "Name": "", "MaximumRetryCount": 0 }, | |||
"NetworkMode": "bridge", | |||
"Devices": [] | |||
"Devices": [], | |||
"Ulimits": {}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the super nitpicky remark, but I don't think the trailing comma is legal JSON.
|
||
>**Note:** | ||
> If you do not provide a `hard limit`, the `soft limit` will be used for both | ||
values. If no ulimits are set, they will inherit from the default ulimits set on |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"...they will be inherited"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Check to make sure you are consistent with code style
for all instances of ulimit
.
Docs LGTM, though I would like that one point clarified, ideally. Thanks. |
61fa833
to
9681336
Compare
@fredlf Updated. |
LGTM |
1 similar comment
LGTM |
@cpuguy83 I'll merge if you can address the conflicts. |
sorry i'm doing a flyby here, @fredlf this may be of interest to you, http://blog.spreedly.com/2014/06/24/merge-pull-request-considered-harmful/#.U6w1vY1dVDs |
@lexinator doesn't really apply, as this project only uses the merge-pull-request-button - and if you're involved enough that its a problem, you can request a change to the project's processes via PR :) we also have a policy of taking over and updating PR's for contributors - but @cpuguy83 is a pretty core contributor, so :) |
@@ -232,6 +233,9 @@ Json Parameters: | |||
- **Devices** - A list of devices to add to the container specified in the | |||
form | |||
`{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}` | |||
- **Ulimits** - A list of ulimits to be set in the container, specified as | |||
`<type>: { "Soft": <soft limit>, "Hard": <hard limit> }`, for example: | |||
`Ulimits: { "nofile": { "Soft": 1024, "Hard", 2048 }}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you need to revert changes to v1.16 and add apply them to v1.17 now.
Talked with @crosbymichael: we believe this would get merged if you submitted an implementation. Do you want to close this one and make a new PR when ready, or add new commits here? |
9681336
to
61445a5
Compare
I plan to test this when there's code. |
Working on it. I'll put commits here. |
61445a5
to
d407d43
Compare
Ok, it's done, tear it up! Note, I changed the the HostConifg->Ulimits field to be an array instead of map. |
d407d43
to
4a63d3f
Compare
@cpuguy83 makes sense, I see it in the docs now, no idea how I missed that. Thanks. |
what is this waiting on? |
Allow setting ulimits for containers
How can one provide RLIM_INFINITY value as per resource.h or equivalent of providing |
@liquid-sky it is unsupported. There really isn't an unlimited, it's just a really high value. |
UPDATE: It seems that ulimit subsystem is not namespaced and applies limits to all processes based only on UID/GID. Original post: I cannot figure out why it happens, but it seems that resources that are limited by ulimit are counted across containers. Here is an example: If I run one container with Terminal $ docker run -it --rm --ulimit 'nproc=2' --user nobody debian bash
nobody@7005f259a827:/$ Terminal $ docker run -it --rm --ulimit 'nproc=2' --user nobody debian bash
resource temporarily unavailable
FATA[0000] Error response from daemon: Cannot start container 589299c070779487462393fcb04df05d619d2debe1b1197c41587ee53c2283b8: [8] System error: resource temporarily unavailable I tested this on Ubuntu 14.04 (kernel 3.16) and Ubuntu 12.04 (kernel 3.13), Docker 1.6.0. |
After some digging, it seems |
Note: another part of discussion is going in #6479 (Fork bomb prevention) and will probably continue there. |
So how to set the Ulimit? Can it be done per container wise? I seem to be clueless with the discussions happening in this thread.. Can someone help please. |
[root@localhost ~]# docker run --ulimit core=unlimited -t ubuntu:12.04 bash -c "ulimit -c" Unlimited is not a recognized keyword here. My docker version is the latest 1.7. [root@localhost ~]# docker version Also setting big values doesn't help here. [root@localhost ~]# docker run --ulimit core=99999 -t ubuntu:12.04 bash -c "ulimit -c" It sets only 97. |
Hi @ashish235 please keep in mind that GitHub is an issue tracker, and not a general support forum. A number of things I noticed; first of all, although your daemon is 1.7.1, your client is still at 1.6.2, so you might want to update that as well. There were some fixes to ulimits in docker 1.7.x, but I'm not sure if those fixes were in the client or daemon, so this may be worth checking. (#12515) W.r.t. "unlimited"; #12515 (comment)
W.r.t. "setting big values doesn't help here"; please note this comment: #12957 (comment)
Converting 99999 to kb; https://www.google.com/search?q=99999%20bytes%20in%20kibibyte I get "97", so this looks right |
First attempt: most probably Docker.io would not honor the values in /etc/security etc. so this would not work: # Core Generation: http://www.opensips.org/Documentation/TroubleShooting-Crash RUN \ echo -n -e 'opensips soft core unlimited\nopensips hard core unlimited\n' >> /etc/security/limits.conf \ && \ echo -n -e 'fs.suid_dumpable = 1\nkernel.core_uses_pid = 1\n' >> /etc/sysctl.conf See e.g. moby/moby#9437
Closes #4717
Add option to set ulimit settings for containers.
Currently the container inherits from the daemon's ulimit settings.
Support for this was added in libcontainer here docker-archive/libcontainer@7ce34f5