Real ulimit value for lxc containers

[EuroDomenii]

1) Ssh into the container: ulimit -n 1024
2) Console encrypted vnc via proxmox web interface: ulimit -n 1024
2) From host / pct enter ContainerID : ulimit -n 65536

What is the real ulimit value for lxc containers? Is inhereted from the host?


If I want to increase the value, should I apply the following instructions from http://brentingitup.com/?q=node/22, or there is another way?

In an unprivileged container, even a process running as root is really mapped to an unprivileged user in the host OS, so the attempt to raise the hard limit is denied. To fix this limitation for Apache, set the hard limit for the user running the container as follows:

$ sudo vi /etc/security/limits.conf
lxcd soft nofile 1024
lxcd hard nofile 8192


Thank you!

 

[wbumiller]

The first two log into the container in the usual sense while `pct enter` takes a different approach: It bypasses the usual login mechanisms and instead simply enters the container's namespaces and apparmor confinement. This means the first two are also subject to your container's own `/etc/security/limits.conf` as well as everything else happening at login (PAM configuration from /etc/pam.d` and thereby applied limits like /etc/security/capability.conf) while the `pct enter` variant is not.

 

[EuroDomenii]

Thanks for reply. For an unprivileged container, how to I raise the limit ? Or is inhereted from host machine?

$ sudo vi /etc/security/limits.conf
lxcd soft nofile 1024
lxcd hard nofile 8192

doesn't work!

I have noticed also https://forum.proxmox.com/threads/ulimits-doesnt-work-in-kvm.29082/#post-146093.

 

[wbumiller]

On the one hand this is inherited from the process starting the container (pveproxy and pvedaemon). (Unfortunately this currently means `pct start $vmid` may run the container with limits different to the ones you get by starting them via the GUI.)
On the other hand LXC's default configuration allows you to raise the limit from the within most guest templates. (This works on privileged containers only, though.) Exceptions seem to be alpine and gentoo which drop the required CAP_SYS_RESOURCE capability and therefore cannot raise the limit at all.
Note that we don't use the lxcd user limit you're trying to set above at all.

Obviously there's room for improvement there.

(in the mean time you could modify pveproxy.service and pvedaemon.service and add LimitNOFILE=12345 to the [Service] section, or use prlimit on the host to change the running pvedaemon/pveproxy processes, or use `pct start $ctid` to start the containers and let them inherit a higher limit.)

 

[EuroDomenii]

Great explanations! If the container has onboot=1, inherits a higher limit at host startup, or do I have to stop and restart via pct?

 

[Patrick Zippenfenig]

Hi,

I'm also trying to raise ulimits in LXC. Unfortunately ulimits are not passed from pvedaemon/pveproxy to containers.

pvedaemon and pveproxy raised to 256k open files. As well as nofile in /etc/security/limits.conf

# cat /etc/systemd/system/pvedaemon.service.d/nofiles.conf
[Service]
LimitNOFILE=262144

All limits are properly set on host for all running processes and new ssh sessions:

# prlimit -n -p `pidof pveproxy`
NOFILE   max number of open files 262144 26214

Unprivileged LXC container are still stuck at 4096 open files after reboot/web-restart. And even after pct stop/start.
lxc-start however works. Setting limits via prlimit from host also works, thats not a viable solution

Any ideas?

Btw: The up-comming version of lxc will support ulimits via lxc config: limits.kernel.nofile


Patrick

 

[wbumiller]

Resource limits are available with lxc-pve >= 2.0.8-2, the `lxc.limit.*` `lxc.prlimit.*` configuration keys are allowed in /etc/pve/lxc/*.conf with pve-container >= 2.0-7.

 

[Patrick Zippenfenig]

Thanks Wolfgang! I was not aware it is already in Proxmox 5.0. A wiki update would be much appreciated: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

I'm still on Proxmox 4. As a workaround I'm using lxc.hook.pre-start and prlimit on parent-parent-pid (=> lxc-start):

/sbin/increase_parent_ulimit.sh

#!/bin/sh
prlimit -p `ps -o ppid= $PPID` -n262144#

/etc/pve/lxc/155.conf

arch: amd64
cores: 2
[...]
lxc.hook.pre-start: /sbin/increase_parent_ulimit.sh

Previous modifications to systemd services or pam limits are not required. Systemd inside the container limits open files to 64k.

 

[tom]

Thanks Wolfgang! I was not aware it is already in Proxmox 5.0. A wiki update would be much appreciated: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
..

This wiki page is user contributed and outdated, here is the link to the reference doc:

https://pve.proxmox.com/wiki/Linux_Container

and yes, we will mark/remove the old page.

 

[flotho]

Resource limits are available with lxc-pve >= 2.0.8-2, the `lxc.limit.*` configuration keys are allowed in /etc/pve/lxc/*.conf with pve-container >= 2.0-7.

Hi, I tried to add : `limits.kernel.nofile = 20000` in my ct_id.conf but the option seems to not be parsable. Any advice?

 

[Patrick Zippenfenig]

I guess it should be:

lxc.prlimit.nofile: 65536

I have not tried it yet

Edit: Corrected config setting. New ulimit can be checked with

root@ct ~ # ulimit -Hn

 

[flotho]

I guess it should be:

lxc.limits.kernel.nofile = 20000

I have not tried it yet

Sadly no, I have this issue :

`unable to parse config: lxc.limits.kernel.nofile = 20000`

Additionnaly, the syntax is definitivelylike this : https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAZ

`lxc.prlimit.nofile = 20000`

This one worked for me