Ulimit configuration for snapped processes

Hello,

I am wondering what the correct way is to go about setting ulimits for snapped processes. Could someone expand on the suggested method for setting ulimit values for snapped processes?

Thanks!

Update:

I have found a path to setting the ulimit values in the systemd service file, described in this topic. Possibly this is the way it should be done then, or is there a way to configure/control this through snapcraft.yaml?

2 Likes

I don’t think we have a way for doing this properly yet, but we have on our long term roadmap a more generic mechanism for expressing resource limits for snaps, so this should be taken into consideration when we design that and work on it. Note that we don’t have much to share about that yet as it’s very early stages and won’t likely be completed any time soon unfortunately.

2 Likes

I think you should be able to use a command-chain: wrapper script from where you can call the ulimit command as an interim workaround though.

2 Likes

Hi Ogra,

I’ve tried the command-chain approach but I’m not sure if this is working.

First of all I needed an interface to set the ulimit from inside the snap, otherwise I get: audit: type=1400 audit(1652798580.730:816): apparmor="DENIED" operation="capable" profile="snap.my-snap-name.ulimit" pid=4894 comm="enhance-ulimit." capability=24 capname="sys_resource"

I went with process-control because this had the capability and this seems to work. At least I don’t see any dmesg entries anymore, but this can only be a workaround for testing your suggestion. We do not want to give process-control to all snaps which need to change the ulimit.

I’ve created a simple script which increases the ulimit step by step and the actual command just prints the ulimit inside my app.

My app then looks like this:

    apps:
      ulimit:
        daemon: simple
        command-chain: [enhance-ulimit.sh]
        command: print-ulimit.sh
        plugs:
          - process-control

The log afterwards shows the following:

$ sudo snap logs my-snap-name.ulimit
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Ulimit before:
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: 1024
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Setting ulimit to 4096
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Ulimit after setting to 4096:
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: 4096
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Setting ulimit to 8192
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: /snap/my-snap-name/x1/enhance-ulimit.sh: 12: ulimit: error setting limit (Operation not permitted)
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: Ulimit after setting to 8192:
2022-05-17T17:11:05Z my-snap-name.ulimit[6147]: 4096
2022-05-17T17:11:05Z systemd[1]: snap.my-snap-name.ulimit.service: Succeeded.

Setting it higher than 4096 does not work and the actual command from print-ulimit.sh is not executed at all.

Once I manually increase the systemd limit in /etc/systemd/system.conf, I can raise the maximum number to a higher value than 4096.

$ grep DefaultLimitNOFILE /etc/systemd/system.conf
DefaultLimitNOFILE=524288

$ sudo snap logs my-snap-name.ulimit
[...]
2022-05-17T17:24:28Z my-snap-name.ulimit[729]: Ulimit after setting to 8192:
2022-05-17T17:24:28Z my-snap-name.ulimit[729]: 8192

So this is related to a systemd value which is set by default (by Ubuntu Core?)?

Since print-ulimit.sh seems not to be executed at all, is there anything wrong with how I use the command-chain approach? What is the best approach for applications that need more than 4096 file handles? Fixing the systemd config seems like a hack to me.

Thanks
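As an added example (not the poster's enhance-ulimit.sh, nor anything from the snapd project), this is what a command-chain wrapper has to get right to avoid both problems described above: raise only the soft NOFILE limit, cap it at the hard limit systemd hands the service (so no sys_resource capability, and no process-control plug, is needed), and exec the rest of the chain so the app's own command actually runs. The WANTED_NOFILE variable and its default are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's enhance-ulimit.sh: a snapcraft command-chain
# wrapper that raises the soft NOFILE limit without CAP_SYS_RESOURCE.
# Assumed: the desired value comes from WANTED_NOFILE (default 8192, the value
# tried in the thread); the remaining arguments are the app's real command.

WANTED="${WANTED_NOFILE:-8192}"

# Return the highest soft limit that can be set without extra privilege:
# the requested value, capped at the hard limit (systemd's DefaultLimitNOFILE
# for a snap service). A hard limit of "unlimited" imposes no cap.
clamp_nofile() {
    wanted=$1
    hard=$2
    if [ "$hard" = unlimited ] || [ "$wanted" -le "$hard" ]; then
        echo "$wanted"
    else
        echo "$hard"
    fi
}

# Raise only the soft limit (-S). A plain "ulimit -n N" also raises the hard
# limit, which is what needs sys_resource and fails with "Operation not
# permitted" once N exceeds the hard limit, as in the thread's log.
raise_soft_nofile() {
    soft=$(ulimit -Sn)
    hard=$(ulimit -Hn)
    target=$(clamp_nofile "$1" "$hard")
    if [ "$soft" = unlimited ] || [ "$soft" -ge "$target" ]; then
        return 0   # already at or above the target; nothing to do
    fi
    if ulimit -Sn "$target"; then
        echo "nofile soft limit raised to $(ulimit -Sn) (hard: $hard)" >&2
        return 0
    fi
    echo "could not raise nofile soft limit to $target (hard: $hard)" >&2
    return 1
}

# Never abort the app because the limit could not be raised; just log it.
raise_soft_nofile "$WANTED" || true

# A command-chain entry must exec the rest of the chain, otherwise the app's
# own command (print-ulimit.sh in the thread) never runs.
if [ $# -gt 0 ]; then
    exec "$@"
fi
```

Anything above the hard limit still has to come from outside the snap (the systemd DefaultLimitNOFILE setting the poster changed), which is why the wrapper reports the hard limit it was capped at.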