Bug 1715254

+1

the default ulimit value (1073741816 on my Fedora 30) makes yum unusable from centos:7 but also other programs like the Erlang based (i.e. rabbitmq-server) have problems because of the high ulimit -n value

FEDORA-2019-572b06a0f7 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-572b06a0f7

moby-engine-18.09.7-4.ce.git2d0083d.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-572b06a0f7

Bug 1723106 is related to this bug.

Thanks for the consideration,

The issue still persists on F30 with these changes when installing a package with yum inside a centos:7 container, e.g. :

root@container$ yum install -y gcc

One CPU core hangs at 100% usage and the process never completes.
(as reported by Daniele https://bugzilla.redhat.com/show_bug.cgi?id=1715254#c1 )

Does anybody know the reason for the high limits? Is this a mistake? Podman also increases the limits compared to outside of the container, but far not that much.

To the maintainer: the priority of this issue should be quite high as it is currently very hard to run a Produktion grade docker infrastructure on fedora.

Here's the systemd config for the docker.service from docker-ce on fedora 30 [1]

```
cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target
```

As you can see, the ExecStart is quite simple :
`ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock`
I tried the above line instead of the one provided by `moby-engine`, but docker refuses to start when running `$ sudo systemctl start docker`.

Then, I reverted the `ExecStart` line to the original ones provided by `moby-engine`, and I tried with the OPTIONS of this commit [2] :

```
OPTIONS="--selinux-enabled \
  --log-driver=journald \
  --live-restore \
  --default-ulimit nofile=1024:1024 \
  --init-path /usr/libexec/docker/docker-init \
  --userland-proxy-path /usr/libexec/docker/docker-proxy \
"
```
(except for the `live-restore` option which was preventing me to run docker swarm mode);

and it was working :)

I was able to run a `yum install` inside a container :

```
me@host$ docker pull centos:7.6.1810
me@host$ docker run --rm -it centos:7.6.1810 yum install -y gcc
# ...
me@host$ echo $?
O
```

So far I was missing the `--init-path` and `--userland-proxy-path` options. I think these two have solved the issue.


Thank you for the fix :D
--------------------

[1] https://github.com/docker/for-linux/issues/600#issuecomment-515918169
[2] https://src.fedoraproject.org/rpms/moby-engine/c/b73040075e618f039def4adb0476adaba24b68bd

Actually, I had an other issue with the `--userland-proxy-path` option. I wasn't able to start a container having a port binding on my host:

```
starting container failed: container 66453e7d9a481dbd6a0d6c75717e86bc2c71bcc770d14139adc89716d6094808: endpoint join on GW Network failed: driver failed programming external connectivity on endpoint gateway_88e5e7ca7cb5 (bb3095e9cbd0dd23623878ea1b235a3672d3f9501cb6115d46d0a7746807976b): fork/exec /usr/libexec/docker/docker-proxy: no such file or directory
```

from the following config of the docker service :

```
services:
  varnish:
    ports:
      - published: 8080
        target: 80
        protocol: tcp
        mode: host
```
the 8080 port biding on the host could not be created.

There was nothing on my machine on that port yet ( `sudo lsof -i:8080` returned nothing)

Removing the `--userland-proxy-path` option fixed this issue (and I'm still able to install yum packages on the CentOS base container).

moby-engine-18.09.7-4.ce.git2d0083d.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.