Skip to content

Comments

Docker fix LimitNOFILE limit#278531

Closed
Profpatsch wants to merge 1 commit intoNixOS:masterfrom
Profpatsch:docker-fix-nofile-limit
Closed

Docker fix LimitNOFILE limit#278531
Profpatsch wants to merge 1 commit intoNixOS:masterfrom
Profpatsch:docker-fix-nofile-limit

Conversation

@Profpatsch
Copy link
Member

@Profpatsch Profpatsch commented Jan 3, 2024

for the second time, somebody thought setting the NOFILE limit to infinity was a good idea, which breaks a whole lot of systems.

I can’t easily remove the option like the upstream change does, so for now it sets it to the high-but-bounded number as proposed in the original PR. We are gonna have to remove once the merged PR lands.

Description of changes

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jan 3, 2024
@Profpatsch
Copy link
Member Author

Profpatsch commented Jan 3, 2024

This has to be backported to 23.11

@Profpatsch
docker: fix LimitNOFILE limit
9e93abb 
for the second time, somebody thought setting the NOFILE limit to
`infinity` was a good idea, which breaks a whole lot of systems.

I can’t easily remove the option like the upstream change does, so for
now it sets it to the high-but-bounded number as proposed in the
original PR. We are gonna have to remove once the merged PR lands.
@Profpatsch Profpatsch force-pushed the docker-fix-nofile-limit branch from d17640f to 9e93abb Compare January 3, 2024 17:45
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jan 3, 2024
emilylange
emilylange requested changes Jan 13, 2024
View reviewed changes
nixos/modules/virtualisation/docker.nix
Comment on lines +197 to +201
# Fix from https://github.com/containerd/containerd/pull/4475
# (see also https://github.com/containerd/containerd/pull/7566 )
# Setting this to infinity breaks e.g. cupsd inside docker
# So we reset to the default value.
LimitNOFILE = 1048576;
Copy link
Member

@emilylange emilylange Jan 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LimitNOFILE=1048576 isn't the default in systemd.
LimitNOFILE=1024:524288 is. Which in turn translates to LimitNOFILE=524288 and LimitNOFILESoft=1024.

The fix containerd and moby/moby eventually settled on isn't to set it back to 1048576 (which it was before someone set it to infinity).
Instead, they both unset that line, resulting in systemd's default value (1024:524288).
And the fixed openrc and sysvinit service files in went with 524288 as well.

See https://github.com/moby/moby/pull/45534/files.

We could also just remove the offending line from the unit file in our docker_24 package instead of the nixos/docker module.
Especially given this will be resolved with docker_25, because moby/moby#45534 has been merged already and is even part of the current release candidates.

Speaking of docker_25, #278607 carries a patch to set LimitNOFILE=1048576 for nixos/docker as well.

I don't see why we would want to restore the previous LimitNOFILE=1048576 behavior.
The reasoning and history outlines in the opening comment moby/moby#45534 (comment) sounds... well... reasonable to me.

I would much rather prefer fixing this in our docker_24 package, instead of the module.

  • If we go with LimitNOFILE=1048576 in the module, we are stuck with non-default legacy behavior.
  • If we go with LimitNOFILE=1024:524288 in the module, we override the out-of-the-box value for docker_20_10.
  • If we remove the LimitNOFILE=infinity from ${docker_24}/etc/systemd/system/docker.service, we fix and solve the upstream bug and don't influence the value of docker_20_10 and the upcoming docker_25.

This was referenced Jan 13, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@emilylange emilylange emilylange requested changes

@offlinehacker offlinehacker Awaiting requested review from offlinehacker

@vdemeester vdemeester Awaiting requested review from vdemeester

@periklis periklis Awaiting requested review from periklis

@amaxine amaxine Awaiting requested review from amaxine

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Profpatsch @emilylange