Merge pull request #10778 from vespa-engine/hakonhall/set-pids-limit-to-400k

Set pids limit to 400k
author: Håkon Hallingstad <hakon.hallingstad@gmail.com> 2019-09-24 09:57:35 +0200
committer: GitHub <noreply@github.com> 2019-09-24 09:57:35 +0200
commit: 11ab4237312e3f52fac8f5f82553ee2598ac5eed (patch)
tree: 677f88d69522905daed76fddb34f5475ffaff0fc
parent: a975345f861f8560def95fa3e92364ecaa0bd225 (diff)
parent: cca609a44cad78f43aaeadf4cd297044ed8b38eb (diff)
2 files changed, 5 insertions, 0 deletions
diff --git a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
index 2e5cfab36cc..ed623c82259 100644
--- a/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
+++ b/docker-api/src/main/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImpl.java
@@ -170,6 +170,9 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
                 .withSecurityOpts(new ArrayList<>(securityOpts))
                 .withBinds(volumeBinds)
                 .withUlimits(ulimits)
+                // Docker version 1.13.1 patch 94 changed default pids.max for the Docker container's cgroup
+                // from max to 4096. -1L reinstates "max". File: /sys/fs/cgroup/pids/docker/CONTAINERID/pids.max.
+                .withPidsLimit(-1L)
                 .withCapAdd(addCapabilities.toArray(new Capability[0]))
                 .withCapDrop(dropCapabilities.toArray(new Capability[0]))
                 .withPrivileged(privileged);
@@ -240,6 +243,7 @@ class CreateContainerCommandImpl implements Docker.CreateContainerCommand {
                 toOptionalOption("--memory", containerResources.map(ContainerResources::memoryBytes)),
                 toRepeatedOption("--label", labelList),
                 toRepeatedOption("--ulimit", ulimitList),
+                "--pids-limit -1",
                 toRepeatedOption("--env", environmentAssignments),
                 toRepeatedOption("--volume", volumeBindSpecs),
                 toRepeatedOption("--cap-add", addCapabilitiesList),
diff --git a/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java b/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java
index 7d41d873be2..3b8b0a84e64 100644
--- a/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java
+++ b/docker-api/src/test/java/com/yahoo/vespa/hosted/dockerapi/CreateContainerCommandImplTest.java
@@ -49,6 +49,7 @@ public class CreateContainerCommandImplTest {
                 "--label my-label=test-label " +
                 "--ulimit nofile=1:2 " +
                 "--ulimit nproc=10:20 " +
+                "--pids-limit -1 " +
                 "--env env1=val1 " +
                 "--env env2=val2 " +
                 "--volume vol1:/host/vol1:Z " +
author	Håkon Hallingstad <hakon.hallingstad@gmail.com>	2019-09-24 09:57:35 +0200
committer	GitHub <noreply@github.com>	2019-09-24 09:57:35 +0200
commit	11ab4237312e3f52fac8f5f82553ee2598ac5eed (patch)
tree	677f88d69522905daed76fddb34f5475ffaff0fc
parent	a975345f861f8560def95fa3e92364ecaa0bd225 (diff)
parent	cca609a44cad78f43aaeadf4cd297044ed8b38eb (diff)