al2023: Use base_runtime_spec to set default rlimits #1794
Conversation
cartermckinnon
force-pushed
the
al2023-rlimits
branch
3 times, most recently
from
12bf575
to
a3dafa3
Compare
cartermckinnon
force-pushed
the
al2023-rlimits
branch
2 times, most recently
from
89cef6f
to
57828c4
Compare
|
/ci |
|
@cartermckinnon roger that! I've dispatched a workflow. 👍 |
cartermckinnon
force-pushed
the
al2023-rlimits
branch
from
57828c4
to
85d98df
Compare
| "type": "RLIMIT_NOFILE", | ||
| "soft": 65536, | ||
| "hard": 1048576 |
There was a problem hiding this comment.
appreciate making this configurable, but do we have to set a default?
asking based on the time we updated limits in #1535 in al2, but I see the benefit of making this a breaking al2023 change to set the default and follow bottlerocket's example
There was a problem hiding this comment.
Yeah, we have to set a lower default in order to fix #1746. We don't want folks to have to pass baseRuntimeSpec to run stuff as common as Redis.
The issues caused by #1535 were mostly related to the 1024 effective soft limit (which is the "correct" config but is nevertheless incompatible with a lot of software written in the container age). That's why we use a much higher soft limit here, as well as a higher hard limit. I think this is fairly unlikely to be disruptive; and there's an easy mitigation if it does (setting baseRuntimeSpec).
|
@cartermckinnon the workflow that you requested has completed. 🎉
|
|
Argh, we have to pass a complete OCI spec instead of just |
|
Thanks for your work on this @cartermckinnon |
cartermckinnon
force-pushed
the
al2023-rlimits
branch
7 times, most recently
from
c694e6d
to
cfcccdf
Compare
|
/ci |
|
@cartermckinnon roger that! I've dispatched a workflow. 👍 |
|
@cartermckinnon the workflow that you requested has completed. 🎉
|
|
@cartermckinnon is this the same limits used in bottlerocket? |
|
@dims yep! |
|
Need to fix something up with the capabilities block in the latest rev
|
cartermckinnon
force-pushed
the
al2023-rlimits
branch
from
cfcccdf
to
ce99806
Compare
|
/ci |
|
@cartermckinnon roger that! I've dispatched a workflow. 👍 |
|
@cartermckinnon the workflow that you requested has completed. 🎉
|
cartermckinnon
force-pushed
the
al2023-rlimits
branch
from
ce99806
to
1da86f9
Compare
|
/ci |
|
@cartermckinnon roger that! I've dispatched a workflow. 👍 |
|
@cartermckinnon the workflow that you requested has completed. 🎉
|
|
Alright, there we go. Problem was |
cartermckinnon
force-pushed
the
al2023-rlimits
branch
4 times, most recently
from
e4f8dc6
to
35ddf3c
Compare
| @@ -0,0 +1,174 @@ | |||
| { | |||
There was a problem hiding this comment.
out of curiosity, how this been generated? Is there any reference I can read to understand more in case we need to debug sth for this?
There was a problem hiding this comment.
I derived this from a few sources:
- The default base OCI spec given by
ctr oci spec. - An actual spec for a running container grabbed with
ctr container info. - The base spec used by Bottlerocket for this same purpose (providing RLIMIT overrides): https://github.com/bottlerocket-os/bottlerocket/blob/b3e476f382dbaf6bb6bea20d99d3bf143662cef6/packages/containerd/containerd-cri-base-json#L4
The spec itself is thoroughly documented here: https://github.com/opencontainers/runtime-spec
cartermckinnon
force-pushed
the
al2023-rlimits
branch
from
35ddf3c
to
67712ce
Compare
|
when will an AMI containing this be released? |
|
There was a pre-release 3 hours ago https://github.com/awslabs/amazon-eks-ami/releases/tag/v20240605 that does not contain this PR. @ndbaker1 @Issacwww what needs to be done to get this changes in the next AMI release? |
|
This will be included in an AMI next week. |
|
Is there an update on when this will be released? We are waiting for this hotfix |
|
@cartermckinnon the week is almost over 😢 . We are actively blocked from completing our upgrade and this AMI will unblock us |
|
This is going out today in |
Issue #, if available:
Fixes #1746
Description of changes:
This uses the
base_runtime_specoption ofcontainerdto setRLMIT_NOFILEdefaults that are much lower than 2^63-1, the default on AL2023. This approach lets us define the limits for containers without changingcontainerd's own limits.I've gone with
65536:1048576with the understanding that programs usingselect(2)will need lower limits to be defined by the user to avoid undefined behavior. In practice, it's more common for our users to run programs that do not raise their limits appropriately--such as Envoy--so I think this is an acceptable default today. Bottlerocket is using the same values, so the consistency is beneficial: https://github.com/bottlerocket-os/bottlerocket/blob/fcf71a47c0ff005327ecde870d8a70877fc89196/sources/models/shared-defaults/oci-defaults-containerd-cri-resource-limits.tomlThese defaults can be overridden by a new
NodeConfigfield,Spec.Containerd.BaseRuntimeSpec. This field behaves the same asSpec.Kubelet.Config-- it's an unstructured JSON/YAML document that will be merged on top of the default, allowing partial overrides.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.