Merge pull request #449 from Random-Liu/add-ulimit-in-systemd-units

Add LimitNPROC, LimitNOFILE and LimitCORE for containerd and cri-containerd.

contrib/systemd-units/containerd.service

@@ -11,6 +11,11 @@ RestartSec=5
 Delegate=yes
 KillMode=process
 OOMScoreAdjust=-999
+LimitNOFILE=1048576
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
 
 [Install]
 WantedBy=multi-user.target

contrib/systemd-units/cri-containerd.service

@@ -6,6 +6,11 @@ After=containerd.service
 [Service]
 Restart=always
 RestartSec=5
+LimitNOFILE=1048576
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
 ExecStart=/usr/local/bin/cri-containerd --logtostderr
 
 [Install]

test/e2e/master.yaml

@@ -51,6 +51,11 @@ write_files:
       RestartSec=5
       Delegate=yes
       KillMode=process
+      LimitNOFILE=1048576
+      # Having non-zero Limit*s causes performance problems due to accounting overhead
+      # in the kernel. We recommend using cgroups to do container-local accounting.
+      LimitNPROC=infinity
+      LimitCORE=infinity
       ExecStartPre=/sbin/modprobe overlay
       ExecStart=/home/cri-containerd/usr/local/bin/containerd --log-level debug
 
@@ -70,6 +75,11 @@ write_files:
       [Service]
       Restart=always
       RestartSec=5
+      LimitNOFILE=1048576
+      # Having non-zero Limit*s causes performance problems due to accounting overhead
+      # in the kernel. We recommend using cgroups to do container-local accounting.
+      LimitNPROC=infinity
+      LimitCORE=infinity
       # cri-containerd on master uses the cni binary and config in the
       # release tarball.
       ExecStart=/home/cri-containerd/usr/local/bin/cri-containerd \

test/e2e/node.yaml

@@ -54,6 +54,11 @@ write_files:
       RestartSec=5
       Delegate=yes
       KillMode=process
+      LimitNOFILE=1048576
+      # Having non-zero Limit*s causes performance problems due to accounting overhead
+      # in the kernel. We recommend using cgroups to do container-local accounting.
+      LimitNPROC=infinity
+      LimitCORE=infinity
       ExecStartPre=/sbin/modprobe overlay
       ExecStart=/home/cri-containerd/usr/local/bin/containerd --log-level debug
 
@@ -73,6 +78,11 @@ write_files:
       [Service]
       Restart=always
       RestartSec=5
+      LimitNOFILE=1048576
+      # Having non-zero Limit*s causes performance problems due to accounting overhead
+      # in the kernel. We recommend using cgroups to do container-local accounting.
+      LimitNPROC=infinity
+      LimitCORE=infinity
       # Point to /home/kubernetes/bin where calico setup cni binary in kube-up.sh.
       # Point to /etc/cni/net.d where calico put cni config in kube-up.sh.
       ExecStart=/home/cri-containerd/usr/local/bin/cri-containerd \

test/e2e_node/init.yaml

@@ -49,6 +49,11 @@ write_files:
       RestartSec=5
       Delegate=yes
       KillMode=process
+      LimitNOFILE=1048576
+      # Having non-zero Limit*s causes performance problems due to accounting overhead
+      # in the kernel. We recommend using cgroups to do container-local accounting.
+      LimitNPROC=infinity
+      LimitCORE=infinity
       ExecStartPre=/sbin/modprobe overlay
       ExecStart=/home/cri-containerd/usr/local/bin/containerd --log-level debug
 
@@ -68,6 +73,11 @@ write_files:
       [Service]
       Restart=always
       RestartSec=5
+      LimitNOFILE=1048576
+      # Having non-zero Limit*s causes performance problems due to accounting overhead
+      # in the kernel. We recommend using cgroups to do container-local accounting.
+      LimitNPROC=infinity
+      LimitCORE=infinity
       ExecStart=/home/cri-containerd/usr/local/bin/cri-containerd \
         --logtostderr --v=4 \
         --network-bin-dir=/home/cri-containerd/opt/cni/bin \