Allow setting ulimits for containers #9437
Conversation
cpuguy83
force-pushed
the
set_rlimits_in_container
branch
from
46ffe5a
to
8036187
Compare
|
|
||
| ``` | ||
| $ docker run --ulimit=nofile:1024:1024 --rm debian ulimit -n | ||
| 1024 |
There was a problem hiding this comment.
No, that would be the output of the run command.
There was a problem hiding this comment.
Ah, sorry, mis-interpreted, I thought -n 1024 😄
|
I like it LGTM |
cpuguy83
force-pushed
the
set_rlimits_in_container
branch
from
8036187
to
61fa833
Compare
|
@SvenDowideit I think it doesn't matter since Docker is setting the limit, which has full host access. |
| @@ -150,7 +150,8 @@ Create a container | |||
| "CapDrop": ["MKNOD"], | |||
| "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 }, | |||
| "NetworkMode": "bridge", | |||
| "Devices": [] | |||
| "Devices": [], | |||
| "Ulimits": {}, | |||
There was a problem hiding this comment.
Sorry for the super nitpicky remark, but I don't think the trailing comma is legal JSON.
|
|
||
| >**Note:** | ||
| > If you do not provide a `hard limit`, the `soft limit` will be used for both | ||
| values. If no ulimits are set, they will inherit from the default ulimits set on |
There was a problem hiding this comment.
Check to make sure you are consistent with code style for all instances of ulimit.
|
Docs LGTM, though I would like that one point clarified, ideally. Thanks. |
cpuguy83
force-pushed
the
set_rlimits_in_container
branch
from
61fa833
to
9681336
Compare
|
@fredlf Updated. |
|
LGTM |
1 similar comment
|
LGTM |
|
@cpuguy83 I'll merge if you can address the conflicts. |
|
sorry i'm doing a flyby here, @fredlf this may be of interest to you, http://blog.spreedly.com/2014/06/24/merge-pull-request-considered-harmful/#.U6w1vY1dVDs |
|
@lexinator doesn't really apply, as this project only uses the merge-pull-request-button - and if you're involved enough that its a problem, you can request a change to the project's processes via PR :) we also have a policy of taking over and updating PR's for contributors - but @cpuguy83 is a pretty core contributor, so :) |
| @@ -232,6 +233,9 @@ Json Parameters: | |||
| - **Devices** - A list of devices to add to the container specified in the | |||
| form | |||
| `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}` | |||
| - **Ulimits** - A list of ulimits to be set in the container, specified as | |||
| `<type>: { "Soft": <soft limit>, "Hard": <hard limit> }`, for example: | |||
| `Ulimits: { "nofile": { "Soft": 1024, "Hard", 2048 }}` | |||
There was a problem hiding this comment.
I think you need to revert changes to v1.16 and add apply them to v1.17 now.
|
Talked with @crosbymichael: we believe this would get merged if you submitted an implementation. Do you want to close this one and make a new PR when ready, or add new commits here? |
cpuguy83
force-pushed
the
set_rlimits_in_container
branch
from
9681336
to
61445a5
Compare
|
I plan to test this when there's code. |
|
Working on it. I'll put commits here. |
cpuguy83
force-pushed
the
set_rlimits_in_container
branch
from
61445a5
to
d407d43
Compare
|
Ok, it's done, tear it up! Note, I changed the the HostConifg->Ulimits field to be an array instead of map. |
cpuguy83
force-pushed
the
set_rlimits_in_container
branch
from
d407d43
to
4a63d3f
Compare
|
@cpuguy83 makes sense, I see it in the docs now, no idea how I missed that. Thanks. |
|
what is this waiting on? |
Allow setting ulimits for containers
|
How can one provide RLIM_INFINITY value as per resource.h or equivalent of providing |
|
@liquid-sky it is unsupported. There really isn't an unlimited, it's just a really high value. |
|
UPDATE: It seems that ulimit subsystem is not namespaced and applies limits to all processes based only on UID/GID. Original post: I cannot figure out why it happens, but it seems that resources that are limited by ulimit are counted across containers. Here is an example: If I run one container with Terminal $ docker run -it --rm --ulimit 'nproc=2' --user nobody debian bash
nobody@7005f259a827:/$Terminal $ docker run -it --rm --ulimit 'nproc=2' --user nobody debian bash
resource temporarily unavailable
FATA[0000] Error response from daemon: Cannot start container 589299c070779487462393fcb04df05d619d2debe1b1197c41587ee53c2283b8: [8] System error: resource temporarily unavailableI tested this on Ubuntu 14.04 (kernel 3.16) and Ubuntu 12.04 (kernel 3.13), Docker 1.6.0. |
|
After some digging, it seems |
|
Note: another part of discussion is going in #6479 (Fork bomb prevention) and will probably continue there. |
|
So how to set the Ulimit? Can it be done per container wise? I seem to be clueless with the discussions happening in this thread.. Can someone help please. |
|
[root@localhost ~]# docker run --ulimit core=unlimited -t ubuntu:12.04 bash -c "ulimit -c" Unlimited is not a recognized keyword here. My docker version is the latest 1.7. [root@localhost ~]# docker version Also setting big values doesn't help here. [root@localhost ~]# docker run --ulimit core=99999 -t ubuntu:12.04 bash -c "ulimit -c" It sets only 97. |
|
Hi @ashish235 please keep in mind that GitHub is an issue tracker, and not a general support forum. A number of things I noticed; first of all, although your daemon is 1.7.1, your client is still at 1.6.2, so you might want to update that as well. There were some fixes to ulimits in docker 1.7.x, but I'm not sure if those fixes were in the client or daemon, so this may be worth checking. (#12515) W.r.t. "unlimited"; #12515 (comment)
W.r.t. "setting big values doesn't help here"; please note this comment: #12957 (comment)
Converting 99999 to kb; https://www.google.com/search?q=99999%20bytes%20in%20kibibyte I get "97", so this looks right |
First attempt: most probably Docker.io would not honor the values in /etc/security etc. so this would not work:
# Core Generation: http://www.opensips.org/Documentation/TroubleShooting-Crash
RUN \
echo -n -e 'opensips soft core unlimited\nopensips hard core unlimited\n' >> /etc/security/limits.conf \
&& \
echo -n -e 'fs.suid_dumpable = 1\nkernel.core_uses_pid = 1\n' >> /etc/sysctl.conf
See e.g. moby/moby#9437
Closes #4717
Add option to set ulimit settings for containers.
Currently the container inherits from the daemon's ulimit settings.
Support for this was added in libcontainer here docker-archive/libcontainer@7ce34f5