Need understand "ulimit"'s nofile setting in host and container Need understand "ulimit"'s nofile setting in host and container kubernetes kubernetes

Need understand "ulimit"'s nofile setting in host and container


linux docker ubuntu kubernetes debian

For example, If a Linux OS has ulimit nofile set to 1024 (soft) and Hard (4096) , and I run docker with ----ulimit nofile=10240:40960, could the container use more nofiles than its host?

  • Docker has the CAP_SYS_RESOURCE capability set on it's permissions.This means that Docker is able to set an ulimit different from the host. according to man 2 prlimit:

A privileged process (under Linux: one with the CAP_SYS_RESOURCE capability in the initial user namespace) may make arbitrary changes to either limit value.

  • So, for containers, the limits to be considered are the ones set by the docker daemon.You can check the docker daemon limits with this command:
$ cat /proc/$(ps -A | grep dockerd | awk '{print $1}')/limits | grep "files"Max open files            1048576              1048576              files

  • As you can see, the docker 19 has a pretty high limit of 1048576 so your 40960 will work like a charm.

  • And if you run a docker container with --ulimit set to be higher than the node but lower than the daemon itself, you won't find any problem, and won't need to give additional permissions like in the example bellow:

$ cat /proc/$(ps -A | grep dockerd | awk '{print $1}')/limits | grep "files"Max open files            1048576              1048576              files     $ docker run -d -it --rm --ulimit nofile=99999:99999 python python;354de39a75533c7c6e31a1773a85a76e393ba328bfb623069d57c38b42937d03$ cat /proc/$(ps -A | grep python | awk '{print $1}')/limits | grep "files"Max open files            99999                99999                files
  • You can set a new limit for dockerd on the file /etc/init.d/docker:
$ cat /etc/init.d/docker | grep ulimit                ulimit -n 1048576
  • As for the container itself having a ulimit higher than the docker daemon, it's a bit more tricky, but doable, refer here.
  • I saw you have tagged the Kubernetes tag, but didn't mention it in your question, but in order to make it work on Kubernetes, the container will need securityContext.priviledged: true, this way you can run the command ulimit as root inside the container, here an example:
image: image-name  command: ["sh", "-c", "ulimit -n 65536"]  securityContext:    privileged: true

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last