Max user processes in k8s container and on the host

5/29/2018

I am trying to sort out how the max user processes setting works in k8s. One can run ulimit -aH within the pod and check the max user processes setting:

core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7418
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1048576
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) unlimited
cpu time               (seconds, -t) unlimited
max user processes              (-u) unlimited
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

Then, if you run the same on the host in order to compare:

-t: cpu time (seconds)              unlimited
-f: file size (blocks)              unlimited
-d: data seg size (kbytes)          unlimited
-s: stack size (kbytes)             unlimited
-c: core file size (blocks)         unlimited
-m: resident set size (kbytes)      unlimited
-u: processes                       62799
-n: file descriptors                1048576
-l: locked-in-memory size (kbytes)  64
-v: address space (kbytes)          unlimited
-x: file locks                      unlimited
-i: pending signals                 62799
-q: bytes in POSIX msg queues       819200
-e: max nice                        0
-r: max rt priority                 0
-N 15:                              unlimited

I've seen on numerous occasions that the host's max user processes setting is much lower than the pod's max processes setting. Nproc is not namespaced and is tied to the UID, but does this limit within the pod correlate somehow with the same limit on the host for the same user? What if I have multiple pods which have a higher setting for max user processes for, e.g., the root user than that on the host?

There is this thing, the pid cgroup, which is available in newer kernels (starting with 4.3); as far as I know Docker designed their --pids-limit feature based on it. But it's not available for Kubernetes yet.

Thanks in advance.

-- Tatyana Koroleva
kubernetes
limit

1 Answer

5/30/2018

Nproc is not namespaced and is tied to the UID, but does this limit within the pod correlate somehow with the same limit on the host for the same user?

They are not correlated.

What if I have multiple pods which have a higher setting for max user processes for, e.g., the root user than that on the host?

Limits from the container will be applied. That is one of the reasons why Kubernetes is not ready to run an untrusted payload.

There is this thing, the pid cgroup, which is available in newer kernels (starting with 4.3); as far as I know Docker designed their --pids-limit feature based on it. But it's not available for Kubernetes yet.

Work in progress, and many things are already done. You can track it here and here.

-- Anton Kostenko
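The answer above says the two numbers are unrelated and that the pod's own rlimit is what applies. An added example, not part of the question or the answer, that makes the distinction concrete from inside a container: it reads RLIMIT_NPROC (the "max user processes" row, a per-UID count of all processes with that real UID across the whole host) from /proc/<pid>/limits, locates the pids cgroup's pids.max file (the knob behind docker --pids-limit) from /proc/<pid>/cgroup, and reports which of the two a fork bomb in this pod would run into first. The sample /proc texts and cgroup paths are constructed for the demo; the /sys/fs/cgroup layouts for cgroup v1 (per-controller pids hierarchy) and v2 (single unified hierarchy) are the standard ones. One caveat worth knowing when reading the "unlimited" in the pod output: in the kernel's fork path, uid 0 in the initial user namespace is exempt from RLIMIT_NPROC altogether, so for a root container only the cgroup cap does anything.

```shell
#!/bin/sh
# Added example: which limit actually caps process creation in a container,
# the per-UID RLIMIT_NPROC or the per-cgroup pids.max?  Helpers parse text so
# they can be exercised offline on the constructed samples below.

# Print "<soft> <hard>" for RLIMIT_NPROC from the text of /proc/<pid>/limits.
# Row format: "Max processes   <soft>   <hard>   processes".
nproc_from_limits() {
    printf '%s\n' "$1" | awk '/^Max processes/ { print $3, $4 }'
}

# Map the text of /proc/<pid>/cgroup to the pids.max file governing that pid.
# cgroup v1: an "N:pids:/path" line under /sys/fs/cgroup/pids.
# cgroup v2: the single "0::/path" line under the unified hierarchy.
pids_max_path() {
    printf '%s\n' "$1" | awk -F: '
        $2 == "pids"          { print "/sys/fs/cgroup/pids" $3 "/pids.max"; found = 1; exit }
        $1 == "0" && $2 == "" { v2 = $3 }
        END { if (!found && v2 != "") print "/sys/fs/cgroup" v2 "/pids.max" }'
}

# Decide which limit a process would hit first.  pids.max is "max" when the
# cgroup imposes no cap; the rlimit is "unlimited" for RLIM_INFINITY.
# Prints one of: none, nproc:<n>, cgroup:<n>.
# Note the two count different things: the rlimit counts the UID host-wide,
# the cgroup counts this pod only, so "lower number wins" assumes the UID has
# no processes outside the pod.  uid 0 in the initial user namespace bypasses
# RLIMIT_NPROC in fork(), hence the uid argument (defaults to a non-root UID).
effective_cap() {
    nproc_hard=$1; pids_max=$2; uid=${3:-1000}
    if [ "$uid" -eq 0 ]; then nproc_hard=unlimited; fi
    if [ "$pids_max" = max ] || [ "$pids_max" = unlimited ]; then
        if [ "$nproc_hard" = unlimited ]; then echo none; else echo "nproc:$nproc_hard"; fi
    elif [ "$nproc_hard" = unlimited ] || [ "$pids_max" -lt "$nproc_hard" ]; then
        echo "cgroup:$pids_max"
    else
        echo "nproc:$nproc_hard"
    fi
}

# Constructed sample input shaped like the real files (values are made up).
SAMPLE_POD_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max processes             unlimited            unlimited            processes
Max open files            1048576              1048576              files'
SAMPLE_HOST_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max processes             62799                62799                processes'
SAMPLE_CGROUP_V1='12:pids:/kubepods/burstable/pod1234/abcd
11:memory:/kubepods/burstable/pod1234/abcd'
SAMPLE_CGROUP_V2='0::/kubepods.slice/kubepods-burstable.slice/cri-containerd-abcd.scope'

# Live check on the current process.  pids.max may be unreadable or absent
# (for example at the cgroup root); treat that as no cgroup cap.
report_self() {
    limits=$(cat /proc/self/limits 2>/dev/null) || return 0
    hard=$(nproc_from_limits "$limits" | awk '{ print $2 }')
    path=$(pids_max_path "$(cat /proc/self/cgroup 2>/dev/null)")
    pm=$(cat "$path" 2>/dev/null || echo max)
    echo "RLIMIT_NPROC hard=$hard pids.max=$pm (${path:-no pids cgroup found})"
    echo "first limit hit: $(effective_cap "$hard" "$pm" "$(id -u)")"
}

report_self
```

Run it inside the pod and on the host: the pod will typically show hard=unlimited for the rlimit while the host shell shows a finite value, and neither number says anything about the other, which is the answer's point. The only value that puts a ceiling on one pod's process count regardless of UID is the pids.max the script locates.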
Source: StackOverflow