containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Podman default ulimits overwrites build ulimits of docker-compose #23497

Closed dpkass closed 4 days ago

dpkass commented 1 month ago

Issue Description

On my Jenkins server I am building a NextJS app. The default limit of 1024 doesn't suffice.

To counteract this, I specified the variable services.frontend.build.ulimits.nofile=65535 in my docker-compose.yml. The build still only had a limit of 1024.

The user has a limit >1.000.000.

Steps to reproduce the issue


name: ****-docker

services:
  frontend:
    container_name: frontend
    build:
      ulimits:
        nofile: 65535
    image: artifactory.****.com/****/****
    ports:
      - "3000:80"

In my Jenkinsfile I installed docker-compose by hand:

node {
    env.DOCKER_HOST = "unix:///tmp/podman.sock"
    env.DOCKER_BUILDKIT = 0

    ...

    def COMPOSE_URL = 'https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-Linux-x86_64'

    stage('Install Docker Compose') {
        sh """
            podman system service --time 0 ${env.DOCKER_HOST} &
            curl -L "${COMPOSE_URL}" -o /usr/local/bin/docker-compose
            chmod +x /usr/local/bin/docker-compose
        """
    }

    ...

    stage('Build Docker Image') {
        sh 'docker-compose build'
    }
}

The only workaround I found is adding the following to the Jenkinsfile:

echo "[containers]
default_ulimits = [\\\"nofile=65535:65535\\\"]" > ~/.config/containers/containers.conf

Describe the results you received

Jenkins Build output:

+ docker-compose build
Sending build context to Docker daemon  528.2kB
...

[1/4] STEP 1/1: FROM node:22-alpine AS base
Resolving %!q(<nil>) to docker.io (enforced by caller)
Trying to pull docker.io/library/node:22-alpine...
...

[2/4] STEP 1/11: FROM d97ac86c16ad7883b0cc3c6f3de6ea0bb31d69288180515eb35e37882d7bc1ea AS deps
[2/4] STEP 2/11: RUN ulimit -n
1024
--> aef031fbf166
[2/4] STEP 3/11: RUN ulimit -Hn
1024

Describe the results you expected

The ulimit to be increased to 65535

podman info output

+ podman info
host:
  arch: amd64
  buildahVersion: 1.33.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/bin/conmon
    version: 'conmon version 2.1.10, commit: 09bcded8e9c49cf1ff1fda403feac5a08f22535f-dirty'
  cpuUtilization:
    idlePercent: 94.79
    systemPercent: 1.31
    userPercent: 3.9
  cpus: 256
  databaseBackend: sqlite
  distribution:
    distribution: centos
    version: "7"
  eventLogger: file
  freeLocks: 2048
  hostname: 12838f4e2547
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65535
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65535
  kernel: 6.5.0-35-generic
  linkmode: static
  logDriver: k8s-file
  memFree: 396257013760
  memTotal: 811117228032
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /usr/local/lib/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: Unknown
    path: /usr/local/lib/podman/netavark
    version: netavark 1.10.2
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/local/bin/crun
    version: |-
      crun version 1.14
      commit: 667e6ebd4e2442d39512e63215e79d693d0780aa
      rundir: /tmp/podman-run-1000/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/local/bin/pasta
    package: Unknown
    version: |
      pasta 2023_12_30.f091893-27-g322660b
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/local/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 1344h 28m 50.00s (Approximately 56.00 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: artifactory.****.com:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  search:
  - docker.io
store:
  configFile: /home/jenkins/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/jenkins/.local/share/containers/storage
  graphRootAllocated: 960194674688
  graphRootUsed: 15669858304
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /tmp/containers-user-1000/containers
  transientStore: false
  volumePath: /home/jenkins/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.2
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.21.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.2

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

No

Additional environment details


Additional information

I am not allowed to change the podman version, so I haven't tried on 5.x yet. Using the same setup on the docker engine on my Mac worked just fine.
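As an added example (not part of this issue and not Podman's or docker-compose's own code), the script below does two things a CI maintainer in this situation would want: it translates the `build.ulimits` mapping from a compose file (both the short `nofile: 65535` form and the long `soft`/`hard` form) into the equivalent `podman build --ulimit name=soft:hard` arguments and into the `[containers] default_ulimits` stanza used as the workaround above, and it checks a build log for the values printed by `RUN ulimit -n` / `RUN ulimit -Hn` steps so the pipeline can fail early when the requested limit was silently ignored. The compose mapping and both build logs are constructed sample data modelled on the issue, not real project files; the `nproc` entry is an assumed second limit to show the long form.

```python
"""Map compose build.ulimits to podman settings and verify them from build output.

Added example; constructed input. Assumes the compose file has already been
loaded (e.g. with a YAML parser) into the plain dict shown below.
"""
import re
from typing import Dict, List, Tuple, Union

UlimitSpec = Union[int, Dict[str, int]]

# Constructed sample: what a compose loader yields for services.frontend.build.ulimits.
# "nofile" uses the short form (soft == hard); "nproc" is an assumed long-form entry.
COMPOSE_BUILD_ULIMITS: Dict[str, UlimitSpec] = {
    "nofile": 65535,
    "nproc": {"soft": 4096, "hard": 8192},
}


def normalize_ulimits(ulimits: Dict[str, UlimitSpec]) -> Dict[str, Tuple[int, int]]:
    """Return {name: (soft, hard)}; rejects a soft limit above its hard limit."""
    out: Dict[str, Tuple[int, int]] = {}
    for name, spec in ulimits.items():
        if isinstance(spec, int):
            soft = hard = spec
        elif isinstance(spec, dict) and "soft" in spec:
            soft = int(spec["soft"])
            hard = int(spec.get("hard", spec["soft"]))
        else:
            raise ValueError(f"{name}: unsupported ulimit spec {spec!r}")
        if soft > hard:
            raise ValueError(f"{name}: soft limit {soft} exceeds hard limit {hard}")
        out[name] = (soft, hard)
    return out


def podman_build_args(ulimits: Dict[str, UlimitSpec]) -> List[str]:
    """Arguments to append to `podman build`: one --ulimit name=soft:hard per entry."""
    args: List[str] = []
    for name, (soft, hard) in sorted(normalize_ulimits(ulimits).items()):
        args += ["--ulimit", f"{name}={soft}:{hard}"]
    return args


def containers_conf_snippet(ulimits: Dict[str, UlimitSpec]) -> str:
    """Render the [containers] default_ulimits stanza equivalent to the compose ulimits."""
    entries = ", ".join(
        f'"{name}={soft}:{hard}"'
        for name, (soft, hard) in sorted(normalize_ulimits(ulimits).items())
    )
    return f"[containers]\ndefault_ulimits = [{entries}]\n"


# Matches buildah step lines such as "[2/4] STEP 2/11: RUN ulimit -n" (group 1 is "H" for -Hn).
_ULIMIT_STEP = re.compile(r"^\[\d+/\d+\] STEP \d+/\d+: RUN ulimit -(H?)n\s*$")


def effective_nofile_from_log(log: str) -> Dict[str, int]:
    """Parse the soft/hard nofile values printed right after the `RUN ulimit` steps."""
    lines = log.splitlines()
    found: Dict[str, int] = {}
    for i in range(len(lines) - 1):
        match = _ULIMIT_STEP.match(lines[i])
        if match and lines[i + 1].strip().isdigit():
            found["hard" if match.group(1) else "soft"] = int(lines[i + 1].strip())
    return found


def ulimit_applied(log: str, ulimits: Dict[str, UlimitSpec], name: str = "nofile") -> bool:
    """True only if both the soft and hard values in the log equal the requested limit."""
    soft, hard = normalize_ulimits(ulimits)[name]
    got = effective_nofile_from_log(log)
    return got.get("soft") == soft and got.get("hard") == hard


# Constructed build logs modelled on the output in the issue: one where the default 1024
# was used (the bug) and one where the requested limit took effect.
LOG_DEFAULT_APPLIED = """[2/4] STEP 1/11: FROM sha256-placeholder AS deps
[2/4] STEP 2/11: RUN ulimit -n
1024
--> layer-id-placeholder
[2/4] STEP 3/11: RUN ulimit -Hn
1024
"""

LOG_LIMIT_APPLIED = LOG_DEFAULT_APPLIED.replace("1024", "65535")

if __name__ == "__main__":
    print("podman build", " ".join(podman_build_args(COMPOSE_BUILD_ULIMITS)), ".")
    print(containers_conf_snippet(COMPOSE_BUILD_ULIMITS))
    print("limit honoured in default log:", ulimit_applied(LOG_DEFAULT_APPLIED, COMPOSE_BUILD_ULIMITS))
    print("limit honoured in fixed log:  ", ulimit_applied(LOG_LIMIT_APPLIED, COMPOSE_BUILD_ULIMITS))
```

Running `ulimit_applied` over the captured `docker-compose build` output gives a concrete gate for the pipeline: a `False` result on a log like the one in this issue means the compose `build.ulimits` value was dropped somewhere between the Docker API translation and buildah, and the job should fail rather than proceed with a build that only appears to have the higher limit.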

rhatdan commented 1 month ago

You are saying that docker-compose sees a line like:

services.frontend.build.ulimits.nofile=65535

And supposedly tells the DockerAPI to set this setting, and it works with Docker but fails with Podman correct?

dpkass commented 1 month ago

I'm not sure what you mean exactly, but I believe so yes. Setting build ulimit is possible with normal docker-compose build, if a docker daemon is handling the request.

Check the last item on this link. https://docs.docker.com/compose/compose-file/build/#ulimits

The Docker Docs were a bit ambiguous as well in that regard. From the wording it is unclear if the final running container has the ulimit or the build container.

I simply validated by setting different values and running RUN ulimit -Ha while building the image, and it was always set to the build.ulimits value. With Podman on the other hand it didn't work, and it used the default value 1024 for nofile for example.

Kind regards

Taha El Amine Kassabi



rhatdan commented 1 month ago

Any chance you can update to podman 5.*? I believe ulimit handling of podman build has been fixed in newer versions.

rhatdan commented 1 month ago

https://github.com/containers/buildah/pull/5275

dpkass commented 1 month ago

Ah, seems right. Sorry, I don't know much about the podman ecosystem, so I didn't know I should check buildah.

I probably won't be able to upgrade to podman 5, as it is running on the company's many Jenkins servers. I'll ask though.

github-actions[bot] commented 1 week ago

A friendly reminder that this issue had no activity for 30 days.