Bug 1311750 - Set TasksMax in docker.service on releases with systemd >= 228
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: docker
Version: 25
Assigned To: Antonio Murdaca
Fedora Extras Quality Assurance
Reported: 2016-02-24 16:45 EST by Nalin Dahyabhai
Modified: 2016-09-02 19:27 EDT (History)
Fixed In Version: docker-1.12.1-8.gitf1040da.fc25
Doc Type: Bug Fix
Last Closed: 2016-09-02 19:27:27 EDT
Type: Bug
Description Nalin Dahyabhai 2016-02-24 16:45:55 EST
Description of problem:
On newer releases, we might want to set a TasksMax value in docker.service, so that the daemon doesn't get an EAGAIN when it's trying to start things.  TasksMax=infinity works for me, but I haven't worked through the implications.

Version-Release number of selected component (if applicable):
docker-1.10.2-5.git0f5ac89.fc24.x86_64 on kernel-4.5.0-0.rc2.git2.1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. docker run -d --name porttest -p 3800-3900:3800-3900 busybox top

Actual results:
Docker returns a failure because it couldn't start that many docker-proxy processes.

Expected results:
Success!  Or rather, lack of an error.

Additional info:
This also causes DockerSuite.TestPsGroupPortRange in the docker integration test suite to fail.
Comment 1 Lokesh Mandvekar 2016-04-12 11:14:14 EDT
jerms, wdyt?
Comment 2 Daniel Walsh 2016-04-12 14:09:22 EDT
What is the default tasksmax?
Comment 3 Jeremy Eder 2016-04-12 15:19:48 EDT
This is messy, we just last week got the pids cgroup controller backported into RHEL (it's in 3.10.0-372) via https://bugzilla.redhat.com/show_bug.cgi?id=1265339.

But the whole point of that controller is to protect from a fork bomb inside a container, and if we set TasksMax=infinity we effectively disable the fork bomb detection that we were after in the first place.

So, unless I'm reading it wrong, no, I would not recommend touching TasksMax.  It also implicitly enables taskaccounting all the way up the cgroup structure.  This needs more thought and testing before we touch it.

As far as preventing the EAGAIN, I haven't seen an strace so I'm not sure where that's coming from -- is it from the kernel/iptables?

Anyway we're not using the docker-proxy anywhere in openshift or atomic, we use the kube-proxy, and soon we will likely be offering at least an option to use iptables.

Again, unless I'm not following -- I can't see how mapping 1000 ports in a userspace app like docker-proxy is a use-case we should be all too concerned with.  If you really need 1000 ports, what about --net=host ?
Comment 5 Jeremy Eder 2016-04-12 15:38:20 EDT
And now I see this is a Fedora request, so disregard the kernel version stuff.

wrt the fork bomb.

If you look at systemd-system.conf upstream there is:

src/core/system.conf:#DefaultTasksMax=512
src/login/logind.conf:#UserTasksMax=12288
units/systemd-nspawn@.service.in:TasksMax=8192

So, default is 512 and nspawn service gets 8k.  I guess that's more reasonable than infinity.
So you want to set TasksMax=8192 for docker.service ?
Comment 6 Daniel Walsh 2016-04-12 15:42:10 EDT
Since container processes end up in a different Cgroup they are not a problem.  We can set this to 8192, but you were concerned about this having a performance hit, correct?  If not a performance hit, then setting this to nspawn's default is justifiable.
Comment 7 Jeremy Eder 2016-06-03 14:38:42 EDT
I am concerned about the accounting stuff because it's never been tested.

Unless someone magics up some data asap, we're going to enable taskaccounting in openshift anyway:

My POV is here:  https://github.com/openshift/origin/pull/8989#issuecomment-221939970

As far as tasksmax...wasn't that part of the other BZ...

https://bugzilla.redhat.com/show_bug.cgi?id=1340519
Comment 8 Jeremy Eder 2016-06-03 14:39:18 EDT
Actually it's the cpu/mem accounting.  sigh, long week...
Comment 9 Jan Kurik 2016-07-26 00:03:57 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.
Comment 10 Daniel Walsh 2016-08-19 16:42:11 EDT
Lokesh/Antonio, I see TasksMax=Infinity in Rawhide, but Jeremy recommended 8192

TasksMax=8192

Could we change to that default?
Comment 11 Antonio Murdaca 2016-08-22 05:39:47 EDT
Changed to 8192 in both F25 and Rawhide
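Added example, not part of the original bug thread or the docker package: a small shell audit that reports the effective TasksMax= for a unit plus its drop-ins and flags the infinity setting discussed above. The function names, file names and sample unit text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit TasksMax= in systemd unit text.

# Print the effective TasksMax= from the [Service] section of the given files.
# List the main unit first and drop-ins after it: the last assignment wins.
# An empty assignment is treated by this script as "unset".
effective_tasksmax() {
    awk '
        FNR == 1 { in_service = 0 }
        /^\[/    { in_service = ($0 == "[Service]"); next }
        in_service && /^TasksMax[ \t]*=/ {
            sub(/^TasksMax[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            value = $0
        }
        END { print (value == "" ? "unset" : value) }
    ' "$@"
}

# Map a TasksMax value to a verdict for review.
classify_tasksmax() {
    case "$1" in
        unset)       echo "default" ;;    # DefaultTasksMax= from system.conf applies
        infinity)    echo "unlimited" ;;  # no task limit on the daemon's cgroup
        ''|*[!0-9]*) echo "other" ;;      # not a plain integer; review by hand
        *)           echo "limited" ;;
    esac
}

# Constructed sample: a unit shipping TasksMax=infinity and a drop-in override.
demo_dir=$(mktemp -d)
printf '[Service]\nExecStart=/usr/bin/example-daemon\nTasksMax=infinity\n' \
    > "$demo_dir/docker.service"
printf '[Service]\nTasksMax=8192\n' > "$demo_dir/10-tasksmax.conf"

v=$(effective_tasksmax "$demo_dir/docker.service")
echo "unit only:    TasksMax=$v ($(classify_tasksmax "$v"))"
v=$(effective_tasksmax "$demo_dir/docker.service" "$demo_dir/10-tasksmax.conf")
echo "with drop-in: TasksMax=$v ($(classify_tasksmax "$v"))"
rm -rf "$demo_dir"
```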
Comment 12 Fedora Update System 2016-08-22 08:14:07 EDT
docker-1.12.1-4.git8ea583f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e7176b9785
Comment 13 Fedora Update System 2016-08-22 19:52:21 EDT
docker-1.12.1-4.git8ea583f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e7176b9785
Comment 14 Fedora Update System 2016-08-23 09:12:11 EDT
docker-1.12.1-5.git8ea583f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffeefb3138
Comment 15 Fedora Update System 2016-08-23 19:20:49 EDT
docker-1.12.1-5.git8ea583f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffeefb3138
Comment 16 Fedora Update System 2016-08-24 07:00:06 EDT
docker-1.12.1-6.git49151a1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-626f41754c
Comment 17 Fedora Update System 2016-08-25 05:28:52 EDT
docker-1.12.1-6.git49151a1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-626f41754c
Comment 18 Fedora Update System 2016-08-25 06:28:43 EDT
docker-1.12.1-7.git49151a1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7e3f838986
Comment 19 Fedora Update System 2016-08-25 14:21:39 EDT
docker-1.12.1-7.git49151a1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7e3f838986
Comment 20 Fedora Update System 2016-08-29 05:22:52 EDT
docker-1.12.1-8.gitf1040da.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-caa6a905c5
Comment 21 Fedora Update System 2016-08-29 18:56:13 EDT
docker-1.12.1-8.gitf1040da.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-caa6a905c5
Comment 22 Fedora Update System 2016-09-02 19:27:20 EDT
docker-1.12.1-8.gitf1040da.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
