需要了解主机和容器中的“ ulimit”的nofile设置 [英] Need understand "ulimit"'s nofile setting in host and container
问题描述
据我所知,如果需要在Linux系统中调整打开文件 nofile (软硬),我们需要运行命令 ulimit 或在相关的配置文件中进行设置以永久获取设置。但是对于在主机上运行的容器的设置,我有点困惑
As I know if we need adjust "open files" nofile (soft and hard) in linux system, we need run command ulimit or set in related configuraiton file to get the setting permanently. But I am little bit confused about the setting for containers running in a host
例如,如果Linux操作系统具有 ulimit nofile设置为1024(软)和Hard(4096),我用-ulimit nofile = 10240:40960 运行docker,容器可以使用比其更多的nofile吗?
For example, If a Linux OS has ulimit nofile set to 1024 (soft) and Hard (4096) , and I run docker with --ulimit nofile=10240:40960, could the container use more nofiles than its host?
在我的环境中,当前正在运行dockers的设置,
In my environment, current setting with dockers running,
- 在主机上(Debian)-65535(软)65535(硬)
- Docker守护程序设置最大值-1048576(软)1048576 (硬)
- 默认docker run-1024(软)4096(硬)
- 自定义docker run-10240(软)40960(硬)
- On host (Debian)- 65535 (soft) 65535 (hard)
- Docker Daemon setting Max - 1048576 (soft) 1048576 (hard)
- default docker run - 1024 (soft) 4096 (hard)
- customized docker run - 10240 (soft) 40960 (hard)
我发现该应用程序可以运行约10万个打开的文件,然后崩溃。
I found the application can run with about 100K open files, then crash. How to understand this?
真正的限制是什么?
推荐答案
例如,如果Linux操作系统将
ulimitnofile设置为1024(软)和Hard(4096),则我使用<$ c运行docker $ c> ---- ulimit nofile = 10240:40960 ,容器可以使用比其主机更多的nofile吗?
For example, If a Linux OS has
ulimitnofile set to 1024 (soft) and Hard (4096) , and I run docker with----ulimit nofile=10240:40960, could the container use more nofiles than its host?
- Docker在权限上设置了
CAP_SYS_RESOURCE功能。
这意味着Docker可以设置与主机不同的ulimit。根据man 2 prlimit: - Docker has the
CAP_SYS_RESOURCEcapability set on it's permissions. This means that Docker is able to set anulimitdifferent from the host. according toman 2 prlimit: - 因此,对于容器,要考虑的限制是docker守护程序设置的限制。
您可以使用以下命令检查docker守护程序限制:
A特权进程(在Linux下:在初始用户名称空间中具有CAP_SYS_RESOURCE功能的进程)可以对两个限制值进行任意更改。
A privileged process (under Linux: one with the CAP_SYS_RESOURCE capability in the initial user namespace) may make arbitrary changes to either limit value.
$ cat /proc/$(ps -A | grep dockerd | awk '{print $1}')/limits | grep "files"
Max open files 1048576 1048576 files
-
如您所见,泊坞窗19具有
1048576的相当高的限制,因此您的40960 将像护身符一样工作。As you can see, the docker 19 has a pretty high limit of
1048576so your 40960 will work like a charm.如果您运行的docker容器的
-ulimit设置为高于节点但低于节点守护程序本身,您不会发现任何问题,也不需要像下面的示例中那样授予其他权限:And if you run a docker container with
--ulimitset to be higher than the node but lower than the daemon itself, you won't find any problem, and won't need to give additional permissions like in the example bellow:$ cat /proc/$(ps -A | grep dockerd | awk '{print $1}')/limits | grep "files" Max open files 1048576 1048576 files $ docker run -d -it --rm --ulimit nofile=99999:99999 python python; 354de39a75533c7c6e31a1773a85a76e393ba328bfb623069d57c38b42937d03 $ cat /proc/$(ps -A | grep python | awk '{print $1}')/limits | grep "files" Max open files 99999 99999 files
- 您可以在文件
/etc/init.d/docker中设置dockerd的新限制: - You can set a new limit for dockerd on the file
/etc/init.d/docker:
$ cat /etc/init.d/docker | grep ulimit ulimit -n 1048576
- 至于容器本身具有比docker守护程序高的
ulimit,这比较棘手,但可行,请参考这里。 - 我看到您已经标记了Kubernetes标记,但在您的问题中未提及,但是为了使其能够在Kubernetes上运行,容器将需要
securityContext.priviledged:true,这样您就可以运行命令ulimit作为容器内部的根,这里是一个示例: - As for the container itself having a
ulimithigher than the docker daemon, it's a bit more tricky, but doable, refer here. - I saw you have tagged the Kubernetes tag, but didn't mention it in your question, but in order to make it work on Kubernetes, the container will need
securityContext.priviledged: true, this way you can run the commandulimitas root inside the container, here an example:
image: image-name command: ["sh", "-c", "ulimit -n 65536"] securityContext: privileged: true这篇关于需要了解主机和容器中的“ ulimit”的nofile设置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
- 您可以在文件
