[docker] dual-publish setcap; default raise limits #1745
Conversation
| @@ -1,15 +1,24 @@ | |||
| { | |||
There was a problem hiding this comment.
Could we also add m3aggregator to this btw? Noticed we don't have an image (can do this in followup I suppose though).
| "m3dbnode-setcap": { | ||
| "name": "m3dbnode", | ||
| "dockerfile": "docker/m3dbnode/Dockerfile", | ||
| "tag_suffix": "setcap" |
There was a problem hiding this comment.
Will it add a "-" automatically? i.e. 0.10.2-setcap or will it be 0.10.2setcap ?
There was a problem hiding this comment.
Yeah, in the builder script we have
TAG="${TAG}-${TAG_SUFFIX}"
docker/images.json
Outdated
| "dockerfile": "docker/m3dbnode/Dockerfile" | ||
| }, | ||
| "m3dbnode-setcap": { | ||
| "name": "m3dbnode", | ||
| "dockerfile": "docker/m3dbnode/Dockerfile", |
There was a problem hiding this comment.
Hm don't we need a new dockerfile that actually calls setcap?
|
|
||
| # Use setcap to set +e "effective" and +p "permitted" to adjust the SYS_RESOURCE | ||
| # so the process can raise the hard file limit with setrlimit. | ||
| RUN apk add --no-cache curl jq libcap && \ |
There was a problem hiding this comment.
Do we need curl and jq? I'm fine to leave it out and add on login (i.e. just apk add when you start a shell session), or if you feel we should (which I'm fine with too), should we putting it in the other base image too?
There was a problem hiding this comment.
We only need it for M3DB for the m3dbnode_bootstrapped.sh script. When we deprecate that though we can just remove this entirely
schallert
force-pushed
the
schallert/raise_caps
branch
from
4c507d0 to
09c732a
Compare
schallert
force-pushed
the
schallert/raise_caps
branch
2 times, most recently
from
418624a to
7f83557
Compare
| ==================== | ||
|
|
||
| This document lists the Kernel tweaks M3DB needs to run well. If you are running on Kubernetes, you may use our | ||
| `sysctl-setter` [DaemonSet](https://github.com/m3db/m3/blob/master/kube/sysctl-daemonset.yaml) that will set these | ||
| values for you. Please read the comment in that manifest to understand the implications of applying it. | ||
|
|
||
| ## Running with Docker | ||
|
|
||
| If running M3DB under Docker it is recommended to give M3DB the `SYS_RESOURCE` capability so that it may raise its file |
There was a problem hiding this comment.
slight tweak:
When running M3DB inside Docker, it is recommended to add the
SYS_RESOURCEcapability to the container (using the--cap-addargument todocker run) so that it can raise its file limits:
| docker run --cap-add SYS_RESOURCE quay.io/m3/m3dbnode:latest | ||
| ``` | ||
|
|
||
| If you wish to run M3DB as a non-root user, you will need to use our `setcap` images: |
There was a problem hiding this comment.
nit: no first or second person pronouns
If M3DB is being run as a non-root user, M3's
setcapimages are required:
|
|
||
| ## Automatic Limit Raising | ||
|
|
||
| When M3DB first starts up it will attempt to raise its open file limit to the current value of `fs.nr_open`. This is a |
There was a problem hiding this comment.
minor nits:
During startup, M3DB will attempt to raise [...]
This is a benign operation; if it fails, M3DB will [...]
- Default to attempting to raise FD limits rather than opt in: raising the limits is benign if it fails. - Dual-publish Docker images with a setcap'd binary for users running as non-root that want to raise limits.
schallert
force-pushed
the
schallert/raise_caps
branch
from
7f83557 to
a88580e
Compare
Codecov Report
@@ Coverage Diff @@
## master #1745 +/- ##
========================================
+ Coverage 72.2% 72.2% +<.1%
========================================
Files 987 987
Lines 83822 83820 -2
========================================
+ Hits 60556 60560 +4
+ Misses 19237 19229 -8
- Partials 4029 4031 +2
Continue to review full report at Codecov.
|
TODO:
What this PR does / why we need it:
Fixes #1671
Special notes for your reviewer:
the limits is benign if it fails.
non-root that want to raise limits.
Does this PR introduce a user-facing and/or backwards incompatible change?:
Does this PR require updating code package or user-facing documentation?: