From 47195f11039521d35ef103a40b90416c1123ae2f Mon Sep 17 00:00:00 2001
From: roy
Date: Fri, 15 Aug 2025 11:22:38 +0800
Subject: [PATCH] fix: Remove `LimitNOFILE` from `containerd.service`

(cherry picked from commit 1fd0a47b5ad0174a9ac34f525d1cb17012400807)
---
 containerd.spec | 8 ++++-
 ...-limitnofile-from-containerd-service.patch | 30 +++++++++++++++++++
 series.conf | 1 +
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 patch/0114-containerd-remove-limitnofile-from-containerd-service.patch

diff --git a/containerd.spec b/containerd.spec
index 5caa302..aa2e9ff 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 321
+Release: 322
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -72,6 +72,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Fri Aug 15 2025 Yu Peng - 1.2.0-322
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix: Remove `LimitNOFILE` from `containerd.service`
+
 * Tue Mar 18 2025 dongyuzhen - 1.2.0-321
 - Type:CVE
 - ID:NA
diff --git a/patch/0114-containerd-remove-limitnofile-from-containerd-service.patch b/patch/0114-containerd-remove-limitnofile-from-containerd-service.patch
new file mode 100644
index 0000000..825da46
--- /dev/null
+++ b/patch/0114-containerd-remove-limitnofile-from-containerd-service.patch
@@ -0,0 +1,30 @@
+commit 3ca39ef01608fdd44245c0173bf071682b3bfe3c
+Author: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
+Date: Mon Aug 7 12:47:16 2023 +1200
+
+ fix: Remove `LimitNOFILE` from `containerd.service`
+
+
+ Remove `LimitNOFILE` from `containerd.service` to rely on the systemd v240 implicit default of `1024:524288`. On supported platforms with systemd prior to v240, packagers will patch the service with an explicit `LimitNOFILE=1024:524288`.
+
+ - `1024` soft limit is an implicit default, avoiding unexpected breakage. Software that needs a higher limit should request to raise the soft limit for its process.
+ - `524288` hard limit is an implicit default since systemd v240 and is adequate for most processes (_half of the historical limit from `fs.nr_open` of `1048576`_), while 4096 is the implicit default from the kernel (often too low).
+ - The hard limit may not exceed `fs.nr_open` (_which a value of `infinity` will resolve to_). On most systems with systemd v240 or newer, this will resolve to an excessive size of 2^30 (over 1 billion).
+ - When set to `infinity` (usually as the soft limit) software may experience significantly increased resource usage, resulting in a performance regression or runtime failures that are difficult to troubleshoot.
+
+ Signed-off-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
+
+diff --git a/containerd.service b/containerd.service
+index 38a345945..cf7c6efed 100644
+--- a/containerd.service
++++ b/containerd.service
+@@ -13,7 +13,7 @@
+ # in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+-LimitNOFILE=infinity
++
+ # Comment TasksMax if your systemd version does not supports it.
+ # Only systemd 226 and above support this version.
+TasksMax=infinity
diff --git a/series.conf b/series.conf
index b286d2d..21e8557 100644
--- a/series.conf
+++ b/series.conf
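Review bot: The embedded containerd.service hunk replaces `LimitNOFILE=infinity` with an empty line and adds no explicit fallback, so on any target whose systemd predates v240 the hard limit drops to the kernel default of 4096 that the commit message itself calls too low, and the message says packagers must then carry `LimitNOFILE=1024:524288`, which this package-level change does not do. If every supported release ships systemd 240 or newer, a one-line statement to that effect in the patch header or the spec changelog entry would make the dependency visible; otherwise the blank `+` line should become `+LimitNOFILE=1024:524288`. The resulting soft limit of 1024 is only adequate if the daemon raises it for itself; Go 1.19 and later do this at startup, but the toolchain used for this 1.2.0 build is not visible here and should be confirmed, since descriptor exhaustion in containerd stalls every container on the node. Leaving an empty line in place of the removed setting rather than deleting it is a minor style nit that keeps the embedded hunk at 7/7 lines but adds a stray blank line to the unit file.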
@@ -123,3 +123,4 @@ patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
 sw64_patch/3001-thp-add-support-sw_64.patch
 # end
 patch/0113-containerd-fix-CVE-2024-40635.patch
+patch/0114-containerd-remove-limitnofile-from-containerd-service.patch
-- 
Gitee