moby / moby

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
https://mobyproject.org/
Apache License 2.0

docker create does not work for ulimit of nproc usage #31358

Open dattatrayakumbhar opened 7 years ago

dattatrayakumbhar commented 7 years ago

Description

I was referring to the documentation related to the nproc ulimit: https://docs.docker.com/engine/reference/commandline/run/

When a 4th container is created with ulimit nproc=3 for a specific user, it gets created.

docker run -d -u daemon --ulimit nproc=3 busybox top

Steps to reproduce the issue:

  1. Create 4 containers with the command below:

     docker run -d -u daemon --ulimit nproc=3 busybox top

Describe the results you received:

sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
c272f84204c6a706e89dc2969c37cc1b15b0a34f08b0647786b2dc6912744734
sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
994c174d5eeedc49621c4ed29b66bd7d12dc9e2c3f68cd050ececfd0bddafe2e
sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
^[[Ac2829ec24116fa55769c4d86b5469147ff04cda4096b032932c733409dce7a2f
sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
cdeb9a71f407702966e7ecc9ec6d023c01a131fcf00776332f36550361c21255
sh-4.2#

Describe the results you expected:

sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
c272f84204c6a706e89dc2969c37cc1b15b0a34f08b0647786b2dc6912744734
sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
994c174d5eeedc49621c4ed29b66bd7d12dc9e2c3f68cd050ececfd0bddafe2e
sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
^[[Ac2829ec24116fa55769c4d86b5469147ff04cda4096b032932c733409dce7a2f
sh-4.2# docker run -d -u daemon --ulimit nproc=3 busybox top
[8] System error: resource temporarily unavailable

The 4th container should fail with "[8] System error: resource temporarily unavailable"

Output of docker version:

sh-4.2# docker version
Client:
 Version:      1.13.0
 API version:  1.25
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Tue Jan 17 09:55:28 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.13.0
 API version:  1.25 (minimum version 1.12)
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Tue Jan 17 09:55:28 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

sh-4.2# docker info
Containers: 4
 Running: 4
 Paused: 0
 Stopped: 0
Images: 6
Server Version: 1.13.0
Storage Driver: devicemapper
 Pool Name: docker-253:1-1492245-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 56.88 GB
 Data Space Total: 107.4 GB
 Data Space Available: 28.74 GB
 Metadata Space Used: 135.8 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.012 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use --storage-opt dm.thinpooldev to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: syslog
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
runc version: 2f7393a47307a16f8cee44a37b262e8b81021e3e
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-327.22.2.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.797 GiB
Name: gsljumphost.cisco.com
ID: LIZX:TKX5:IBZC:B3SF:BVLE:JGQ5:2GAG:OHSF:PM5H:ASYI:DISB:ZOM2
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

thaJeztah commented 7 years ago

Limiting nproc requires kernel 4.3 or higher (see the pull request that implemented this; https://github.com/docker/docker/pull/18697).

It looks like we discussed adding a warning to the docs, and to the output of docker info https://github.com/docker/docker/pull/18697#issuecomment-191439125, but this wasn't followed up on.

Would you be interested in opening a pull request for the documentation (and possibly to add a warning to docker info)?

dattatrayakumbhar commented 7 years ago

dibs. Sure, I will open a pr for this.

thaJeztah commented 7 years ago

Perfect, thank you so much!

tangle329 commented 6 years ago

@thaJeztah Our kernel version is 4.4, but we meet the same issue. Here are the details:

[root@xxx] /home/ansible$ docker version
Client:
 Version:      17.03.2-ce
 API version:  1.27
 Go version:   go1.7.5
 Git commit:   f5ec1e2
 Built:        Tue Jun 27 02:21:36 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.2-ce
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   f5ec1e2
 Built:        Tue Jun 27 02:21:36 2017
 OS/Arch:      linux/amd64
 Experimental: false
[root@xxx] /home/ansible$ docker info
Containers: 30
 Running: 27
 Paused: 0
 Stopped: 3
Images: 203
Server Version: 17.03.2-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ab9917febca54791c5f071a9d1f404867857fcc
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.4.131-1.el7.elrepo.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 31.42 GiB
Name: xxx
ID: Q6AD:OA2Y:IRMC:BCPE:KVH7:AJ2F:YXDY:WOHX:U2BE:YEQN:MAYR:B4Y5
Docker Root Dir: /data0/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 xxx
 127.0.0.0/8
Live Restore Enabled: true

[root@xxx] /home/ansible$ uname -r
4.4.131-1.el7.elrepo.x86_64
[root@xxx] /home/ansible$ docker run -d --ulimit nproc=3  dnsperf:v1.0 bash
f2d49684853c2d4482062d6ac953370e4fae36487623215725b62187a1eae257
[root@xxx] /home/ansible$ docker run -d --ulimit nproc=3  dnsperf:v1.0 bash
5113f0b6ecab3c68b879af21cd4b917d32f9c8ae77b4664cc5ef363ea3ebbc75
[root@xxx] /home/ansible$ docker run -d --ulimit nproc=3  dnsperf:v1.0 bash
3cd95823774f206f8a907b8e864cb808bbffe888ed62ed63b9ca39a56cee3860
[root@xxx] /home/ansible$ docker run -d --ulimit nproc=3  dnsperf:v1.0 bash
cdab54aef6fb3854918c25530f5a5b725545f63ee442202ed1a3484ab4ded02d
[root@xxx] /home/ansible$ docker run -d --ulimit nproc=3  dnsperf:v1.0 bash
0e84c23aeceec4427802ea97a07e710b77671c3f55eaba29a136bf0da6bcc377
[root@xxx] /home/ansible$

cpuguy83 commented 6 years ago

nproc does not have a specific kernel requirement (beyond just minimum supported kernel for Docker) as it is just a ulimit as opposed to the PIDs cgroup (which is a far better option, btw). What does ulimit -a say in the container?

tangle329 commented 6 years ago

@cpuguy83

daemon@ceedfc252c60:/$ ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 257633
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65536
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 3
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
daemon@ceedfc252c60:/$
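
An added example (not part of the thread and not Moby's code) that audits for the distinction cpuguy83 draws between the nproc ulimit and the PIDs cgroup, classifying containers from `docker inspect`-shaped JSON. The sample data is constructed and the labels are this example's own; it assumes no user-namespace remapping, in which case RLIMIT_NPROC is counted per UID rather than per container and is not enforced for root (see getrlimit(2)).

```python
import json

# Constructed sample shaped like `docker inspect` output (not taken from the thread).
SAMPLE = json.loads("""[
  {"Name": "/top-daemon", "Config": {"User": "daemon"},
   "HostConfig": {"Ulimits": [{"Name": "nproc", "Soft": 3, "Hard": 3}], "PidsLimit": 0}},
  {"Name": "/bash-root", "Config": {"User": ""},
   "HostConfig": {"Ulimits": [{"Name": "nproc", "Soft": 3, "Hard": 3}], "PidsLimit": null}},
  {"Name": "/capped", "Config": {"User": "1000:1000"},
   "HostConfig": {"Ulimits": null, "PidsLimit": 100}},
  {"Name": "/open", "Config": {"User": "daemon"},
   "HostConfig": {"Ulimits": [{"Name": "nofile", "Soft": 1024, "Hard": 1024}], "PidsLimit": -1}}
]""")


def nproc_hard_limit(container):
    """Return the hard nproc ulimit, or None when no nproc ulimit is set."""
    for ul in container["HostConfig"].get("Ulimits") or []:
        if ul["Name"] == "nproc":
            return ul["Hard"]
    return None


def pids_limit(container):
    """Return the PIDs cgroup limit, or None when unset (null, 0 or -1)."""
    value = container["HostConfig"].get("PidsLimit")
    return value if value and value > 0 else None


def runs_as_root(container):
    """True when the configured user is empty, 'root' or uid 0."""
    user = (container["Config"].get("User") or "").split(":")[0]
    return user in ("", "root", "0")


def classify(container):
    """Label how (or whether) the container's process count is bounded."""
    if pids_limit(container) is not None:
        return "pids-cgroup"        # enforced per container by the PIDs cgroup
    if nproc_hard_limit(container) is None:
        return "unbounded"          # neither mechanism is configured
    if runs_as_root(container):
        return "nproc-root-exempt"  # RLIMIT_NPROC is not enforced for root
    return "nproc-per-uid"          # counted per UID, not per container


def audit(containers):
    """Map container name to its classification."""
    return {c["Name"].lstrip("/"): classify(c) for c in containers}
```

On a live host, `audit(json.loads(...))` can be fed the output of `docker inspect` for the running containers; anything not labelled `pids-cgroup` has no per-container process cap.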