[dbode] Call syscall.Setrlimit to set num files open hard limit with setcap for DB docker image

[robskillington]

What this PR does / why we need it:

This raises the rlimit to whatever nr_open is set to and also sets correct permissions for the docker image to set rlimit.

Special notes for your reviewer:

Does this PR introduce a user-facing and/or backwards incompatible change?:

NONE

Does this PR require updating code package or user-facing documentation?:

NONE

[robskillington]

Thought: this maybe should be in a _linux.go file.

[schallert]

Should just be able to check /proc/sys: https://www.kernel.org/doc/Documentation/sysctl/fs.txt

In kube:

/ # hostname
m3db-cluster-rep0-0
/ # cat /proc/sys/fs/nr_open
3000000

[robskillington]

Ah cool, yup I'll change it to this instead.

[robskillington]

I actually didn't need IPC_LOCK thankfully.

[codecov]

Codecov Report

Merging #1666 into master will decrease coverage by 0.1%.
The diff coverage is 5.2%.

@@           Coverage Diff            @@
##           master   #1666     +/-   ##
========================================
- Coverage      72%   71.9%   -0.2%     
========================================
  Files         969     969             
  Lines       81358   81096    -262     
========================================
- Hits        58602   58312    -290     
- Misses      18913   18963     +50     
+ Partials     3843    3821     -22

Flag	Coverage Δ
#aggregator	82.4% <ø> (ø)	⬆️
#cluster	85.7% <ø> (ø)	⬆️
#collector	63.7% <ø> (ø)	⬆️
#dbnode	79.9% <20%> (-0.2%)	⬇️
#m3em	73.2% <ø> (ø)	⬆️
#m3ninx	74.1% <ø> (ø)	⬆️
#m3nsch	51.1% <ø> (ø)	⬆️
#metrics	17.6% <ø> (ø)	⬆️
#msg	74.7% <ø> (ø)	⬆️
#query	66.4% <ø> (-0.1%)	⬇️
#x	85.7% <0%> (-0.6%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0cca0d2...0fb6110. Read the comment docs.

[schallert]

Looks good so far, just doing some sanity checking with this and the operator PR before stamping

[richardartoul]

Feels kind of dirty but I understand the pragmatism. Do you think this is worth throwing behind an environment variable?

I'll leave it up to you, but I can imagine a "ATTEMPT_INCREASE_PROCESS_LIMITS" environment variable that you can set to true in the Dockerfile. The primary reason I say that is it seems fair to be doing this in the Dockerfiles we create, but I don't like the idea of the binary doing it indiscriminately regardless of where it is running.

[richardartoul]

Had not seen this before. Did some reading. Kind of bizarre that the capabilities get set on the file/binary level

[richardartoul]

What does the +ep do? Can you just add a comment to this line generally also

[robskillington]

Not opposed to adding a comment, the +e is "effective" and +p is for "permitted".

[richardartoul]

Maybe RaisePerformed

[robskillington]

Sure thing.

[richardartoul]

Maybe a comment here saying that this will be the curr value before the raise was performed (if it was performed)

[robskillington]

That's not true though, it will be the curr value (after the raise) or if no raise then it will be the curr value (unadjusted).

[richardartoul]

If we're gonna start doing this it might be nice to have a generic AttemptToSetProcessLimits which calls this function. That way we don't have to change server.go each time and we have an established pattern

[robskillington]

This is that kind of method however, it is meant to be abstract and returns enough information (without taking a logger itself). That way callers can either log it as a warning or a hard error, depending on their situation.

[robskillington]

Sure thing, I'll make it opt in and used only by the docker image.