Real ulimit value for lxc containers

EuroDomenii

Renowned Member
Sep 30, 2016
145
32
68
Slatina
www.domenii.eu
1) Ssh into the container: ulimit -n 1024
2) Console encrypted vnc via proxmox web interface: ulimit -n 1024
2) From host / pct enter ContainerID : ulimit -n 65536

What is the real ulimit value for lxc containers? Is inhereted from the host?


If I want to increase the value, should I apply the following instructions from http://brentingitup.com/?q=node/22, or there is another way?

In an unprivileged container, even a process running as root is really mapped to an unprivileged user in the host OS, so the attempt to raise the hard limit is denied. To fix this limitation for Apache, set the hard limit for the user running the container as follows:

$ sudo vi /etc/security/limits.conf
lxcd soft nofile 1024
lxcd hard nofile 8192



Thank you!
 
The first two log into the container in the usual sense while `pct enter` takes a different approach: It bypasses the usual login mechanisms and instead simply enters the container's namespaces and apparmor confinement. This means the first two are also subject to your container's own `/etc/security/limits.conf` as well as everything else happening at login (PAM configuration from /etc/pam.d` and thereby applied limits like /etc/security/capability.conf) while the `pct enter` variant is not.
 
On the one hand this is inherited from the process starting the container (pveproxy and pvedaemon). (Unfortunately this currently means `pct start $vmid` may run the container with limits different to the ones you get by starting them via the GUI.)
On the other hand LXC's default configuration allows you to raise the limit from the within most guest templates. (This works on privileged containers only, though.) Exceptions seem to be alpine and gentoo which drop the required CAP_SYS_RESOURCE capability and therefore cannot raise the limit at all.
Note that we don't use the lxcd user limit you're trying to set above at all.

Obviously there's room for improvement there.

(in the mean time you could modify pveproxy.service and pvedaemon.service and add LimitNOFILE=12345 to the [Service] section, or use prlimit on the host to change the running pvedaemon/pveproxy processes, or use `pct start $ctid` to start the containers and let them inherit a higher limit.)
 
Hi,

I'm also trying to raise ulimits in LXC. Unfortunately ulimits are not passed from pvedaemon/pveproxy to containers.

pvedaemon and pveproxy raised to 256k open files. As well as nofile in /etc/security/limits.conf
Code:
# cat /etc/systemd/system/pvedaemon.service.d/nofiles.conf
[Service]
LimitNOFILE=262144

All limits are properly set on host for all running processes and new ssh sessions:
Code:
# prlimit -n -p `pidof pveproxy`
NOFILE   max number of open files 262144 26214

Unprivileged LXC container are still stuck at 4096 open files after reboot/web-restart. And even after pct stop/start.
lxc-start however works. Setting limits via prlimit from host also works, thats not a viable solution

Any ideas?

Btw: The up-comming version of lxc will support ulimits via lxc config: limits.kernel.nofile


Patrick
 
Resource limits are available with lxc-pve >= 2.0.8-2, the `lxc.limit.*` `lxc.prlimit.*` configuration keys are allowed in /etc/pve/lxc/*.conf with pve-container >= 2.0-7.
 
Last edited:
Thanks Wolfgang! I was not aware it is already in Proxmox 5.0. A wiki update would be much appreciated: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

I'm still on Proxmox 4. As a workaround I'm using lxc.hook.pre-start and prlimit on parent-parent-pid (=> lxc-start):

/sbin/increase_parent_ulimit.sh
Code:
#!/bin/sh
prlimit -p `ps -o ppid= $PPID` -n262144#
/etc/pve/lxc/155.conf
Code:
arch: amd64
cores: 2
[...]
lxc.hook.pre-start: /sbin/increase_parent_ulimit.sh
Previous modifications to systemd services or pam limits are not required. Systemd inside the container limits open files to 64k.
 
Resource limits are available with lxc-pve >= 2.0.8-2, the `lxc.limit.*` configuration keys are allowed in /etc/pve/lxc/*.conf with pve-container >= 2.0-7.

Hi, I tried to add : `limits.kernel.nofile = 20000` in my ct_id.conf but the option seems to not be parsable. Any advice?
 
I guess it should be:
Code:
lxc.prlimit.nofile: 65536
I have not tried it yet

Edit: Corrected config setting. New ulimit can be checked with
Code:
root@ct ~ # ulimit -Hn
 
Last edited:
  • Like
Reactions: flotho

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!