The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7759

This e-mail was sent by the LXC bot; direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

From 87c5f1975628764b7dd541543889d21a9de9b3e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 10 Aug 2020 10:39:18 -0400
Subject: [PATCH 1/2] doc/production-setup: Fix escaping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 doc/production-setup.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/production-setup.md b/doc/production-setup.md
index f0e439fd68..88cd065541 100644
--- a/doc/production-setup.md
+++ b/doc/production-setup.md
@@ -45,7 +45,7 @@ vm.max\_map\_count                  | 262144     | 65530     
| This file contain
 kernel.dmesg\_restrict              | 1          | 0         | This denies 
container access to the messages in the kernel ring buffer. Please note that 
this also will deny access to non-root users on the host system.
 net.ipv4.neigh.default.gc\_thresh3  | 8192       | 1024      | This is the 
maximum number of entries in ARP table (IPv4). You should increase this if you 
create over 1024 containers. Otherwise, you will get the error `neighbour: 
ndisc_cache: neighbor table overflow!` when the ARP table gets full and those 
containers will not be able to get a network configuration. [2]
 net.ipv6.neigh.default.gc\_thresh3  | 8192       | 1024      | This is the 
maximum number of entries in ARP table (IPv6). You should increase this if you 
plan to create over 1024 containers. Otherwise, you will get the error 
`neighbour: ndisc_cache: neighbor table overflow!` when the ARP table gets full 
and those containers will not be able to get a network configuration. [2]
-net.core.bpf_jit_limit              | 3000000000 | 264241152 | This is a limit 
on the size of eBPF JIT allocations which is usually set to PAGE_SIZE * 40000. 
When your kernel is compiled with `CONFIG_BPF_JIT_ALWAYS_ON=y` then 
`/proc/sys/net/core/bpf_jit_enable` is set to `1` and can't be changed. On such 
kernels the eBPF JIT compiler will treat failure to JIT compile a bpf program 
such as a `seccomp` filter as fatal when it would continue on another kernel. 
On such kernels the limit for eBPF jitted programs needs to be increased 
siginficantly.
+net.core.bpf\_jit\_limit            | 3000000000 | 264241152 | This is a limit 
on the size of eBPF JIT allocations which is usually set to PAGE_SIZE * 40000. 
When your kernel is compiled with `CONFIG_BPF_JIT_ALWAYS_ON=y` then 
`/proc/sys/net/core/bpf_jit_enable` is set to `1` and can't be changed. On such 
kernels the eBPF JIT compiler will treat failure to JIT compile a bpf program 
such as a `seccomp` filter as fatal when it would continue on another kernel. 
On such kernels the limit for eBPF jitted programs needs to be increased 
siginficantly.
 kernel.keys.maxkeys                 | 2000       | 200       | This is the 
maximum number of keys a non-root user can use, should be higher than the 
number of containers
 kernel.keys.maxbytes                | 2000000    | 20000     | This is the 
maximum size of the keyring non-root users can use
 fs.aio-max-nr                       | 524288     | 65536     | This is the 
maximum number of concurrent async I/O operations. You might need to increase 
it further if you have a lot of workloads that use the AIO subsystem (e.g. 
MySQL)
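
Review bot: the added `net.core.bpf\_jit\_limit` row still ends with "siginficantly", carried over unchanged from the removed line; since the row is being rewritten anyway, correct it to "significantly" in the same commit. In the same row, PAGE_SIZE * 40000 sits outside backticks, unlike `CONFIG_BPF_JIT_ALWAYS_ON=y` right after it, so wrapping it in backticks would keep the row consistent with the escaping this patch sets out to fix.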

From 4c1578fe2087c7ffaa06cc53edc2fcd0af481467 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 10 Aug 2020 10:43:55 -0400
Subject: [PATCH 2/2] doc/production-setup: Update introduction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 doc/production-setup.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/doc/production-setup.md b/doc/production-setup.md
index 88cd065541..da1aeb3b31 100644
--- a/doc/production-setup.md
+++ b/doc/production-setup.md
@@ -4,10 +4,11 @@ So you've made it past trying out [LXD live 
online](https://linuxcontainers.org/
 or on a server scavenged from random parts. You like what you see,
 and now you want to try doing some serious work with LXD.
 
-With the vanilla installation of Ubuntu Server 18.04, some modifications
-to the server configuration will be needed, to avoid common pitfalls when
-using containers that require tens of thousands of file operations.
-
+The vast majority of Linux distributions do not come with optimized
+kernel settings suitable for the operation of a large number of
+containers. The instructions in this document cover the most common
+limits that you're likely to hit when running containers and suggested
+updated values.
 
 ### Common errors that may be encountered
 
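
Review bot: in the added introduction, "cover the most common limits that you're likely to hit when running containers and suggested updated values" does not parse cleanly, because "suggested updated values" has no verb of its own; "and suggest updated values for them" would read better. With the "Ubuntu Server 18.04" sentence removed, the text also no longer says which baseline the values are measured against, so a short mention of where the defaults come from would help readers on other distributions.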
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
