[lxc-devel] [lxd/master] Update production setup doc

stgraber on Github lxc-bot at linuxcontainers.org
Mon Aug 10 14:44:13 UTC 2020 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200810/1c7eb73e/attachment.bin>
-------------- next part --------------
From 87c5f1975628764b7dd541543889d21a9de9b3e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 10 Aug 2020 10:39:18 -0400
Subject: [PATCH 1/2] doc/production-setup: Fix escaping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 doc/production-setup.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/production-setup.md b/doc/production-setup.md
index f0e439fd68..88cd065541 100644
--- a/doc/production-setup.md
+++ b/doc/production-setup.md
@@ -45,7 +45,7 @@ vm.max\_map\_count                  | 262144     | 65530     | This file contain
 kernel.dmesg\_restrict              | 1          | 0         | This denies container access to the messages in the kernel ring buffer. Please note that this also will deny access to non-root users on the host system.
 net.ipv4.neigh.default.gc\_thresh3  | 8192       | 1024      | This is the maximum number of entries in ARP table (IPv4). You should increase this if you create over 1024 containers. Otherwise, you will get the error `neighbour: ndisc_cache: neighbor table overflow!` when the ARP table gets full and those containers will not be able to get a network configuration. [2]
 net.ipv6.neigh.default.gc\_thresh3  | 8192       | 1024      | This is the maximum number of entries in ARP table (IPv6). You should increase this if you plan to create over 1024 containers. Otherwise, you will get the error `neighbour: ndisc_cache: neighbor table overflow!` when the ARP table gets full and those containers will not be able to get a network configuration. [2]
-net.core.bpf_jit_limit              | 3000000000 | 264241152 | This is a limit on the size of eBPF JIT allocations which is usually set to PAGE_SIZE * 40000. When your kernel is compiled with `CONFIG_BPF_JIT_ALWAYS_ON=y` then `/proc/sys/net/core/bpf_jit_enable` is set to `1` and can't be changed. On such kernels the eBPF JIT compiler will treat failure to JIT compile a bpf program such as a `seccomp` filter as fatal when it would continue on another kernel. On such kernels the limit for eBPF jitted programs needs to be increased siginficantly.
+net.core.bpf\_jit\_limit            | 3000000000 | 264241152 | This is a limit on the size of eBPF JIT allocations which is usually set to PAGE_SIZE * 40000. When your kernel is compiled with `CONFIG_BPF_JIT_ALWAYS_ON=y` then `/proc/sys/net/core/bpf_jit_enable` is set to `1` and can't be changed. On such kernels the eBPF JIT compiler will treat failure to JIT compile a bpf program such as a `seccomp` filter as fatal when it would continue on another kernel. On such kernels the limit for eBPF jitted programs needs to be increased siginficantly.
 kernel.keys.maxkeys                 | 2000       | 200       | This is the maximum number of keys a non-root user can use, should be higher than the number of containers
 kernel.keys.maxbytes                | 2000000    | 20000     | This is the maximum size of the keyring non-root users can use
 fs.aio-max-nr                       | 524288     | 65536     | This is the maximum number of concurrent async I/O operations. You might need to increase it further if you have a lot of workloads that use the AIO subsystem (e.g. MySQL)

From 4c1578fe2087c7ffaa06cc53edc2fcd0af481467 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 10 Aug 2020 10:43:55 -0400
Subject: [PATCH 2/2] doc/production-setup: Update introduction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 doc/production-setup.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/doc/production-setup.md b/doc/production-setup.md
index 88cd065541..da1aeb3b31 100644
--- a/doc/production-setup.md
+++ b/doc/production-setup.md
@@ -4,10 +4,11 @@ So you've made it past trying out [LXD live online](https://linuxcontainers.org/
 or on a server scavenged from random parts. You like what you see,
 and now you want to try doing some serious work with LXD.
 
-With the vanilla installation of Ubuntu Server 18.04, some modifications
-to the server configuration will be needed, to avoid common pitfalls when
-using containers that require tens of thousands of file operations.
-
+The vast majority of Linux distributions do not come with optimized
+kernel settings suitable for the operation of a large number of
+containers. The instructions in this document cover the most common
+limits that you're likely to hit when running containers and suggested
+updated values.
 
 ### Common errors that may be encountered

More information about the lxc-devel mailing list