Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cri: set default RLIMIT_NOFILE #1180

Merged
merged 1 commit into from
Nov 6, 2020
Merged

cri: set default RLIMIT_NOFILE #1180

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 88 additions & 0 deletions packages/containerd/3001-cri-set-default-RLIMIT_NOFILE.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
From 64deef11da4cf532ea9d82cc499f5174a8907e29 Mon Sep 17 00:00:00 2001
From: Zac Mrowicki <[email protected]>
Date: Thu, 22 Oct 2020 20:44:38 +0000
Subject: [PATCH] cri: set default RLIMIT_NOFILE

The `cri` plugin currently inherits the limit from the default OCI spec
or the containerd process. This change sets the default hard
RLIMIT_NOFILE to 1048576 and the soft limit to 65536 in the OCI spec for
any container spawned using `cri`.
---
vendor/github.com/containerd/cri/pkg/config/config.go | 8 ++++++++
.../containerd/cri/pkg/containerd/opts/spec.go | 11 +++++++++++
.../containerd/cri/pkg/server/container_create.go | 11 +++++++++++
3 files changed, 30 insertions(+)

diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go
index 7c5f9eb..772bf28 100644
--- a/vendor/github.com/containerd/cri/pkg/config/config.go
+++ b/vendor/github.com/containerd/cri/pkg/config/config.go
@@ -204,6 +204,12 @@ type PluginConfig struct {
// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
// when using containerd with Kubernetes <=1.11.
DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
+ // ProcessRLimitNoFileSoft sets the soft limit of maximum file
+ // descriptors each container process can use.
+ ProcessRLimitNoFileSoft int `toml:"process_rlimit_no_file_soft" json:"process_rlimit_no_file_soft"`
+ // ProcessRLimitNoFileHard sets the hard limit of maximum file
+ // descriptors each container process can use.
+ ProcessRLimitNoFileHard int `toml:"process_rlimit_no_file_hard" json:"process_rlimit_no_file_hard"`
}

// X509KeyPairStreaming contains the x509 configuration for streaming
@@ -271,6 +277,8 @@ func DefaultConfig() PluginConfig {
},
MaxConcurrentDownloads: 3,
DisableProcMount: false,
+ ProcessRLimitNoFileSoft: 65536,
+ ProcessRLimitNoFileHard: 1048576,
}
}

diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
index 0da421a..445c279 100644
--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
@@ -48,6 +48,17 @@ const (
DefaultSandboxCPUshares = 2
)

+// WithProcessRLimits sets the RLimits for this container process
+func WithProcessRLimits(rlimits []runtimespec.POSIXRlimit) oci.SpecOpts {
+ return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) (err error) {
+ if s.Process == nil {
+ s.Process = &runtimespec.Process{}
+ }
+ s.Process.Rlimits = rlimits
+ return nil
+ }
+}
+
// WithAdditionalGIDs adds any additional groups listed for a particular user in the
// /etc/groups file of the image's root filesystem to the OCI spec's additionalGids array.
func WithAdditionalGIDs(userstr string) oci.SpecOpts {
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
index d35fff3..c665973 100644
--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
@@ -335,6 +335,17 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
// this will be set based on the security context below
oci.WithNewPrivileges,
}
+
+ // Override the default oci.Spec RLIMIT_NOFILE
+ var rlimits = []runtimespec.POSIXRlimit {
+ {
+ Type: "RLIMIT_NOFILE",
+ Hard: uint64(c.config.PluginConfig.ProcessRLimitNoFileHard),
+ Soft: uint64(c.config.PluginConfig.ProcessRLimitNoFileSoft),
+ },
+ }
+ specOpts = append(specOpts, customopts.WithProcessRLimits(rlimits))
+
if config.GetWorkingDir() != "" {
specOpts = append(specOpts, oci.WithProcessCwd(config.GetWorkingDir()))
} else if imageConfig.WorkingDir != "" {
--
2.21.0

4 changes: 4 additions & 0 deletions packages/containerd/containerd.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,10 @@ Patch1001: 1001-cri-reduce-logging-when-no-errors-have-occurred.patch
Patch2001: 2001-selinux-add-DefaultLabels-helper.patch
Patch2002: 2002-cri-use-default-SELinux-labels-as-a-fallback.patch

# Local patch for CRI to override the default RLIMIT_NOFILE.
# TODO: submit this upstream, including a unit test.
Patch3001: 3001-cri-set-default-RLIMIT_NOFILE.patch

BuildRequires: git
BuildRequires: %{_cross_os}glibc-devel
BuildRequires: %{_cross_os}libseccomp-devel
Expand Down