Hi Ogra,
I’ve tried the command-chain approach but I’m not sure if this is working.
First of all, I needed an interface to set the ulimit from inside the snap, otherwise I get:

    audit: type=1400 audit(1652798580.730:816): apparmor="DENIED" operation="capable" profile="snap.my-snap-name.ulimit" pid=4894 comm="enhance-ulimit." capability=24 capname="sys_resource"

I went with process-control because this had the capability, and this seems to work. At least I don’t see any dmesg entries anymore, but this can only be a workaround for testing your suggestion. We do not want to give process-control to all snaps which need to change the ulimit.
I’ve created a simple script which increases the ulimit step by step and the actual command just prints the ulimit inside my app.
My app then looks like this:

    apps:
      ulimit:
        daemon: simple
        command-chain: [enhance-ulimit.sh]
        command: print-ulimit.sh
        plugs:
          - process-control

The log afterwards shows the following:

    $ sudo snap logs my-snap-name.ulimit
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Ulimit before:
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: 1024
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Setting ulimit to 4096
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Ulimit after setting to 4096:
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: 4096
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Setting ulimit to 8192
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: /snap/my-snap-name/x1/enhance-ulimit.sh: 12: ulimit: error setting limit (Operation not permitted)
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Ulimit after setting to 8192:
    2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: 4096
    2022-05-17T17:11:05Z systemd[1]: snap.my-snap-name.ulimit.service: Succeeded.

Setting it higher than 4096 does not work and the actual command from print-ulimit.sh is not executed at all.
Once I manually increase the systemd limit in /etc/systemd/system.conf, I can raise the maximum number to a higher value than 4096:

    $ grep DefaultLimitNOFILE /etc/systemd/system.conf
    DefaultLimitNOFILE=524288
    $ sudo snap logs my-snap-name.ulimit
    [...]
    2022-05-17T17:24:28Z my-snap-name.ulimit[729]: Ulimit after setting to 8192:
    2022-05-17T17:24:28Z my-snap-name.ulimit[729]: 8192

So is this related to a systemd value which is set by default (by Ubuntu Core?)?
Since print-ulimit.sh seems not to be executed at all, is there anything wrong with how I use the command-chain approach?
What is the best approach for applications that need more than 4096 file handles? Fixing the systemd config seems like a hack to me.
Thanks
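As an added example (not the poster's enhance-ulimit.sh, nor code from snapd), here is a command-chain wrapper that raises only the soft nofile limit, clamps it to the hard limit, and then execs the rest of the chain so the real command still runs; the variable name WANTED_NOFILE and the default of 8192 are assumptions.

```sh
#!/bin/sh
# Added example, not the poster's enhance-ulimit.sh. A snapd command-chain
# entry is invoked with the rest of the chain as its arguments and must
# exec them, otherwise the real command (print-ulimit.sh) never runs.
#
# Why 4096 works and 8192 fails: the log above is consistent with the
# service starting at soft=1024, hard=4096. An unprivileged process may
# raise its soft limit up to the hard limit, but raising the hard limit is
# the setrlimit() path that needs CAP_SYS_RESOURCE, the capability AppArmor
# denied in the audit line. A plain "ulimit -n N" in sh/bash sets both
# limits, so after "ulimit -n 4096" the hard limit is 4096 as well, and
# a process cannot raise its own hard limit again without that capability.
# Raising only the soft limit needs no extra capability or interface.

# Assumed name: the soft limit the app wants (constructed default).
WANTED_NOFILE="${WANTED_NOFILE:-8192}"

# clamp_to_hard WANTED HARD -> prints the largest value we may request.
clamp_to_hard() {
    if [ "$2" = "unlimited" ] || [ "$1" -le "$2" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# raise_soft_nofile WANTED -> raises the soft limit as far as allowed in the
# current shell (never lowers it) and stores the result in REACHED. Call it
# directly, not inside $(...), or the new limit dies with the subshell.
raise_soft_nofile() {
    _target=$(clamp_to_hard "$1" "$(ulimit -H -n)")
    _soft=$(ulimit -S -n)
    if [ "$_soft" != "unlimited" ] && [ "$_soft" -lt "$_target" ]; then
        ulimit -S -n "$_target" || return 1
    fi
    REACHED=$(ulimit -S -n)
}

if [ $# -gt 0 ]; then
    echo "nofile before: soft=$(ulimit -S -n) hard=$(ulimit -H -n)" >&2
    if raise_soft_nofile "$WANTED_NOFILE"; then
        echo "nofile soft limit now $REACHED (wanted $WANTED_NOFILE)" >&2
    else
        echo "could not raise nofile soft limit; continuing anyway" >&2
    fi
    # Hand over to the next element of the chain, or to the app itself.
    exec "$@"
fi
```

Anything above the hard limit still has to come from the unit's LimitNOFILE (or systemd's DefaultLimitNOFILE), which is why the system.conf change raised the ceiling in the second log.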