change limits for unprivileged container

Alibek
Jan 13, 2017
How do I change (persistently) the limits (open files) for unprivileged containers?
Code:
root@container1:~# ulimit -n 65536
-bash: ulimit: open files: cannot modify limit: Operation not permitted
prlimit - not affected
changes in pvenode:/etc/security/limit.conf - not affected
 
This has yet to be added to lxc upstream (patches are already pending for this). For now the containers inherit their limits from the pvedaemon service (you could add a systemd unit snippet to bump the limit for all containers).
 
I previously used pct start nnn to start my LXC containers to get higher ulimit values for my processes.

Since I have installed the latest updates, this does not work any more.

What is the 'new/correct' way to set the ulimit values now?

Can anyone please advise me on this as I am running into issues with this.

If it is still to add a systemd code snippet as Wolfgang suggests above, can someone point me in the right direction with this as I am not familiar with systemd.

Thanks
Shaun
 
After more checks I see that if I use pct start nnn and then pct enter nnn then ulimit -a shows

open files (-n) 65536

However if I then start my process, and then check ulimit it shows that I am restricted to 4096 open files so how do I determine the ulimit setting for my process?

What is the correct value?
 
How do you start this process? Note that the login shell started with "pct enter" is kind of special, so maybe try connecting via SSH and checking the limits there.

Linux also has "process limits" in addition to the user/group limits. You can query (and set) those with "prlimit".

You could also try influencing the limits imposed by systemd, by putting a snippet into "/etc/systemd/system/lxc@.service.d/", with some of the LimitXYZ directives as described in "man systemd.exec" and "man systemd.unit" - but I haven't tested that.
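The two checks the thread keeps coming back to are "what limit does my process actually have?" and "how do I raise it persistently?". The script below is an added example and is not code from the thread or from Proxmox: it reads the soft and hard "Max open files" values straight from /proc/<pid>/limits (the same data prlimit --pid <pid> --nofile reports), and it renders the systemd drop-in suggested above for lxc@.service (LimitNOFILE=soft:hard, see man systemd.exec). The drop-in directory defaults to /etc/systemd/system but is a parameter so the functions can be exercised in a temporary directory; the unit name is a parameter because, as noted earlier in the thread, containers started with pct start inherit their limits from pvedaemon rather than lxc@.service. The file name limits.conf and the helper names are my own choices, not Proxmox conventions.

```shell
#!/bin/sh
# Added example, not from the forum thread or Proxmox.
# Inspect the open-files limit of a running process and generate a
# systemd drop-in that raises LimitNOFILE for a chosen unit.

# Print "<soft> <hard>" for the open-files limit of a PID, read from
# /proc/<pid>/limits. With no argument it reports the caller's own limits.
nofile_limits() {
    pid="${1:-self}"
    awk '/^Max open files/ { print $4, $5 }' "/proc/${pid}/limits"
}

# Return 0 when the soft open-files limit of <pid> is at least <wanted>.
# This is the check to run against the actual service PID (e.g. mongod),
# not against the shell you happen to be typing in.
check_nofile() {
    pid="$1"; wanted="$2"
    soft="$(nofile_limits "$pid" | cut -d' ' -f1)"
    [ "$soft" = unlimited ] || [ "$soft" -ge "$wanted" ]
}

# Render the drop-in body. systemd accepts "soft:hard" for LimitNOFILE;
# if only one value is given it is used for both.
render_dropin() {
    soft="$1"; hard="${2:-$1}"
    printf '[Service]\nLimitNOFILE=%s:%s\n' "$soft" "$hard"
}

# Write <dir>/<unit>.d/limits.conf and print its path.
# <dir> defaults to /etc/systemd/system (assumed; pass another dir to test).
# Run "systemctl daemon-reload" and restart the unit afterwards; processes
# already running keep their old limits until restarted.
install_dropin() {
    unit="$1"; soft="$2"; hard="${3:-$2}"; dir="${4:-/etc/systemd/system}"
    mkdir -p "${dir}/${unit}.d"
    render_dropin "$soft" "$hard" > "${dir}/${unit}.d/limits.conf"
    echo "${dir}/${unit}.d/limits.conf"
}

# Command-line entry point; does nothing when no subcommand is given.
#   show [pid]                         print soft and hard limit
#   check <pid> <wanted>               exit 0 if soft >= wanted
#   render <soft> [hard]               print drop-in to stdout
#   install <unit> <soft> [hard] [dir] write the drop-in file
case "${1:-}" in
    show)    nofile_limits "${2:-self}" ;;
    check)   check_nofile "$2" "$3" ;;
    render)  render_dropin "$2" "$3" ;;
    install) install_dropin "$2" "$3" "$4" "$5" ;;
esac
```

Typical use on the host is `sh limits.sh show $(pidof mongod)` to see what the service really got, and `sh limits.sh install lxc@.service 65536` followed by `systemctl daemon-reload` and a container restart; the same check run inside the container tells you whether the new limit reached the process.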
 
Hi Fabian,

I am using MongoDB with a 14.04 LXC CT.

This comes with a start/stop script that it installed. I tried using this script. If the CT is a privileged CT, then all works as expected. With unprivileged, the process always fails to start using these scripts.

I even commented out the ulimit settings in the start script, but this does not help.

Currently the only way I can get the MongoDB process to run in an unprivileged CT is to do the following:

pct start xxx
pct enter xxx
sudo su - mongodb
mongod -f config.cfg

Doing this gives the mongod process a ulimit of 65536 which allows it to run.

I will check to see what happens if I login via SSH and also try the other suggestions you make.

Thanks