[SOLVED] Increase "nofile" in lxc containers

mije

New Member
Jan 21, 2018
Hi,

Running the latest version of Proxmox (5.1-42), but struggling to increase the number of open files on my containers; they default to way, way too low values:

(From inside the container)
ulimit -Hn && ulimit -Sn
4096
1024

The containers are running as unprivileged; I already increased the limit on the Proxmox host itself:
/etc/sysctl.conf ->
fs.file-max = 50000
/etc/security/limits.conf ->
* hard nofile 50000
* soft nofile 40000

Setting it higher in the container isn't working.

Read:
https://forum.proxmox.com/threads/real-ulimit-value-for-lxc-containers.29798/

wbumiller talks about a new config option:
"Resource limits are available with lxc-pve >= 2.0.8-2, the `lxc.limit.*` configuration keys are allowed in /etc/pve/lxc/*.conf with pve-container >= 2.0-7."

If I add:
limits.kernel.nofile=30000 to /etc/pve/lxc/101.conf

It still doesn't apply any higher limits on the container, really hitting a stumbling block / not finding any solutions by searching around.

Found some references to setting LimitNOFILE in the systemd service file, but those services don't seem to have a systemd service in the latest version.

Does anyone know how to do it on the latest Proxmox version?
 
The line should be:
Code:
lxc.prlimit.nofile: 30000
Note, however, that while this changes the upper limit for the container as a whole, its boot & login process will still do the usual setup. This means that the sysctl.conf and /etc/security/limits.conf changes must also happen within the container.
You can check whether the above limit was applied by checking the container's init process' limits. Either via `prlimit -p 1` from within the container, or on the host via `prlimit -p $(lxc-info -Hp -n VMID)`
 

Hi Wolfgang,

I have ~15 containers running and several problems with open file limits. I searched a lot for a proper solution. This thread was one of my findings.

I am not really sure if I have the right understanding now, but I will try to summarize (and hope for your feedback/review) regarding the following steps:

1) On pve host/node adjust/edit: /etc/security/limits.conf e.g.
Code:
*       soft    nofile  1048576 unset
*       hard    nofile  1048576 unset
root    soft    nofile  1048576 unset
root    hard    nofile  1048576 unset
*       soft    memlock 1048576 unset
*       hard    memlock 1048576 unset

2) On pve host/node adjust/edit: /etc/sysctl.conf e.g.
Code:
fs.inotify.max_queued_events = 1048576
fs.inotify.max_user_instances = 1048576
fs.inotify.max_user_watches = 1048576
vm.max_map_count = 262144

3) Edit container configuration <container_id>.conf file and add the lxc.prlimit.nofile e.g.:
Code:
lxc.prlimit.nofile: 30000
If I want to have this limit set for all containers, I could also insert this line/configuration into /etc/lxc/default.conf instead of every lxc conf file? <-- am I right with this "assumption"?

4) Inside the container(s) the changes from steps 1 and 2 also have to be reflected. This means that the files /etc/security/limits.conf and /etc/sysctl.conf also need to be edited within the container itself. <-- any best practice settings here?

It would be great if you could give short feedback on whether my understanding is correct or not.

Thank you in advance
Simon
 
Step 1 should not be necessary.
Step 4 only needs to include step 1. The sysctl values from step 2 aren't currently namespaced.

If I want to have this limit set to all containers, I could also insert this line/configuration to /etc/lxc/default.conf instead of every lxc conf file?<-- am I right with this "assumption"?
This file is used for containers without configurations, so this won't work.
Containers all by default include `/usr/share/lxc/config/common.conf.d/*.conf`, so you'd want to place a file there, call it `10-prlimits.conf` or something :)
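
The check described in this thread (compare the configured `lxc.prlimit.nofile` with the limits of the container's init process), as an added example that is not part of any post above. The function names and the sample files are constructed for illustration; on a live host the second argument would be `/proc/$(lxc-info -Hp -n VMID)/limits`.

```shell
#!/bin/sh
# Added example: compare lxc.prlimit.nofile in a container config with the
# "Max open files" row of the container init's /proc/<pid>/limits.

# Print "soft hard" from lxc.prlimit.nofile. Accepts "key: value" (PVE) and
# "key = value" (LXC include files); a single value sets both limits.
configured_nofile() {
    awk '
        /^\[/ { exit }    # assumption: [section] headers start snapshot copies
        /^[ \t]*lxc\.prlimit\.nofile[ \t]*[:=]/ {
            sub(/^[^:=]*[:=][ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END {
            if (v == "") exit 1
            n = split(v, p, ":")
            print p[1], (n > 1 ? p[2] : p[1])
        }' "$1"
}

# Print "soft hard" from a /proc/<pid>/limits file.
proc_nofile() {
    awk '/^Max open files/ { print $4, $5; found = 1 } END { exit !found }' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if either input lacks the value.
check_nofile() {
    want=$(configured_nofile "$1") || { echo "no lxc.prlimit.nofile in $1"; return 2; }
    have=$(proc_nofile "$2") || { echo "no Max open files row in $2"; return 2; }
    [ "$want" = "$have" ] && { echo "OK: init has $have"; return 0; }
    echo "MISMATCH: configured $want, init has $have"; return 1
}

# Constructed sample inputs (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' 'arch: amd64' 'unprivileged: 1' 'lxc.prlimit.nofile: 30000' > "$tmp/101.conf"
printf '%s\n' 'Limit  Soft Limit  Hard Limit  Units' \
    'Max open files  30000  30000  files' > "$tmp/applied"
printf '%s\n' 'Max open files  1024  4096  files' > "$tmp/default"

check_nofile "$tmp/101.conf" "$tmp/applied"          # limit reached init
check_nofile "$tmp/101.conf" "$tmp/default" || true  # key ignored or misspelled
```

A match only shows that init received the limit; a login shell inside the container can still report lower values until /etc/security/limits.conf is adjusted there, as noted above.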
 