From 7358e4f93c49d2a653115b797ec9ab3ce712a5e4 Mon Sep 17 00:00:00 2001
From: mt_caret
Date: Sat, 14 Dec 2019 23:29:08 +0900
Subject: [PATCH] nixos/lxd: add recommendedSysctlSettings

* nixos/lxd: add productionSetup option
* nixos/lxd: enable some settings by default
* nixos/lxd: rename option
---
 nixos/modules/virtualisation/lxd.nix | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
index 505c11abd208..b4934a86cf56 100644
--- a/nixos/modules/virtualisation/lxd.nix
+++ b/nixos/modules/virtualisation/lxd.nix
@@ -35,6 +35,18 @@ in
 with nixos.
 '';
 };
+ recommendedSysctlSettings = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ enables various settings to avoid common pitfalls when
+ running containers requiring many file operations.
+ Fixes errors like "Too many open files" or
+ "neighbour: ndisc_cache: neighbor table overflow!".
+ See https://lxd.readthedocs.io/en/latest/production-setup/
+ for details.
+ '';
+ };
 };
 };
 
@@ -69,8 +81,11 @@ in
 ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd";
 Type = "simple";
 KillMode = "process"; # when stopping, leave the containers alone
+ LimitMEMLOCK = "infinity";
+ LimitNOFILE = "1048576";
+ LimitNPROC = "infinity";
+ TasksMax = "infinity";
 };
-
 };
 
 users.groups.lxd.gid = config.ids.gids.lxd;
@@ -79,5 +94,16 @@ in
 subUidRanges = [ { startUid = 1000000; count = 65536; } ];
 subGidRanges = [ { startGid = 1000000; count = 65536; } ];
 };
+
+ boot.kernel.sysctl = mkIf cfg.recommendedSysctlSettings {
+ "fs.inotify.max_queued_events" = 1048576;
+ "fs.inotify.max_user_instances" = 1048576;
+ "fs.inotify.max_user_watches" = 1048576;
+ "vm.max_map_count" = 262144;
+ "kernel.dmesg_restrict" = 1;
+ "net.ipv4.neigh.default.gc_thresh3" = 8192;
+ "net.ipv6.neigh.default.gc_thresh3" = 8192;
+ "kernel.keys.maxkeys" = 2000;
+ };
 };
 }
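Review bot: The option description in this hunk only talks about file-operation limits, but the same flag (see the sysctl hunk further down) also sets `kernel.dmesg_restrict = 1`, which is a host hardening change that hides the kernel ring buffer from unprivileged users and is unrelated to "Too many open files"; a user enabling this for tuning will not expect it, and a user who wants the hardening will not find it here. I would add a sentence to the description such as `Note that this also sets kernel.dmesg_restrict = 1, which restricts reading the kernel log to root.` The description should also start with a capital letter (`Enables various settings …`) to match the other option descriptions in the module. The enclosing `options` attribute set starts before this hunk.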
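Review bot: The four new resource limits are applied unconditionally, not behind `recommendedSysctlSettings`, and `LimitNPROC = "infinity"` together with `TasksMax = "infinity"` removes the only systemd-enforced cap on processes in the lxd unit; since containers appear to run as children of this unit (the existing `KillMode = "process"` comment implies as much), a fork bomb in a single container can exhaust host PIDs unless per-container process limits are configured separately. This is what the LXD production guide recommends, but the trade-off deserves a comment on the unit, e.g. `# Uncapped per LXD production-setup guidance; rely on per-container limits.processes to bound runaway containers.` It is also worth stating in the commit description that these limits are on by default while the sysctls are opt-in. The `serviceConfig` set this belongs to starts before the hunk.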
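Review bot: The sysctl values are assigned with plain `=` rather than `mkDefault`, so a user who already sets any of these keys in their own configuration (for example `"kernel.dmesg_restrict" = 0`, or a larger `vm.max_map_count` for a database) will get a conflicting-definition evaluation error instead of an override once they flip this option on; wrapping each value as `"kernel.dmesg_restrict" = mkDefault 1;` (and likewise for the others) keeps the recommended values as defaults without breaking existing configs. The linked LXD production-setup page, as far as I recall, lists `kernel.keys.maxbytes` alongside `kernel.keys.maxkeys`, so the list here looks incomplete — worth checking against the referenced page before merging. The enclosing `config` attribute set starts before this hunk.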