From d3d48cd6ce5ca11e5e1689a5456d2b89c62aaf09 Mon Sep 17 00:00:00 2001
From: roy
Date: Thu, 21 Aug 2025 19:33:15 +0800
Subject: [PATCH] fix: Remove `LimitNOFILE` from `containerd.service`

---
 containerd.spec                                   |  8 ++++-
 ...-limitnofile-from-containerd-service.patch     | 35 +++++++++++++++++++
 series.conf                                       |  1 +
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 patch/0114-containerd-remove-limitnofile-from-containerd-service.patch

diff --git a/containerd.spec b/containerd.spec
index 2919a8d..6924d35 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 219
+Release: 220
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -44,6 +44,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Thu Aug 21 2025 Yu Peng - 1.2.0-220
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix: Remove `LimitNOFILE` from `containerd.service`
+
 * Wed Mar 19 2025 dongyuzhen - 1.2.0-219
 - Type:CVE
 - ID:NA
diff --git a/patch/0114-containerd-remove-limitnofile-from-containerd-service.patch b/patch/0114-containerd-remove-limitnofile-from-containerd-service.patch
new file mode 100644
index 0000000..87db97c
--- /dev/null
+++ b/patch/0114-containerd-remove-limitnofile-from-containerd-service.patch
@@ -0,0 +1,35 @@
+commit 3ca39ef01608fdd44245c0173bf071682b3bfe3c
+Author: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
+Date:   Mon Aug 7 12:47:16 2023 +1200
+
+    fix: Remove `LimitNOFILE` from `containerd.service`
+
+
+    Remove `LimitNOFILE` from `containerd.service` to rely on the systemd v240 implicit default of `1024:524288`. On supported platforms with systemd prior to v240, packagers will patch the service with an explicit `LimitNOFILE=1024:524288`.
+
+    - `1024` soft limit is an implicit default, avoiding unexpected breakage. Software that needs a higher limit should request to raise the soft limit for its process.
+    - `524288` hard limit is an implicit default since systemd v240 and is adequate for most processes (_half of the historical limit from `fs.nr_open` of `1048576`_), while 4096 is the implicit default from the kernel (often too low).
+    - The hard limit may not exceed `fs.nr_open` (_which a value of `infinity` will resolve to_). On most systems with systemd v240 or newer, this will resolve to an excessive size of 2^30 (over 1 billion).
+    - When set to `infinity` (usually as the soft limit) software may experience significantly increased resource usage, resulting in a performance regression or runtime failures that are difficult to troubleshoot.
+
+    Signed-off-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
+
+diff --git a/containerd.service b/containerd.service
+index 38a345945..cf7c6efed 100644
+--- a/containerd.service
++++ b/containerd.service
+@@ -28,11 +28,12 @@ Delegate=yes
+ KillMode=process
+ Restart=always
+ RestartSec=5
++
+ # Having non-zero Limit*s causes performance problems due to accounting overhead
+ # in the kernel. We recommend using cgroups to do container-local accounting.
+ LimitNPROC=infinity
+ LimitCORE=infinity
+-LimitNOFILE=infinity
++
+ # Comment TasksMax if your systemd version does not supports it.
+ # Only systemd 226 and above support this version.
+ TasksMax=infinity
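Review bot: Dropping `LimitNOFILE=infinity` leaves the unit with no file-descriptor limit of its own, so containerd inherits whatever the host's systemd supplies — `1024:524288` only on systemd ≥ 240 with no `DefaultLimitNOFILE=` override in system.conf, while on older systemd the hard limit falls back to the kernel default of 4096, which the upstream message itself calls too low and which can exhaust descriptors on a busy daemon (shim FIFOs, sockets, log pipes). This package builds containerd 1.2.0 and the target systemd version is not visible here, so either confirm it is ≥ 240 on every supported target or carry the explicit `LimitNOFILE=1024:524288` that the upstream message says packagers on pre-240 platforms should add in place of the bare removal. Shims and the containers they launch presumably inherit the 1024 soft limit from the service, so workloads that relied on `infinity` may start failing with EMFILE after this update; that behaviour change deserves a line in the `DESC:` changelog entry. The hunk's context (`Restart=always`, `RestartSec=5`, `TasksMax=infinity` near line 28) comes from a far newer containerd.service than 1.2.0 originally shipped, so it likely depends on earlier patches in series.conf having updated the unit — worth confirming the series still applies without fuzz.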
diff --git a/series.conf b/series.conf
index 8962098..ad843fe 100644
--- a/series.conf
+++ b/series.conf
@@ -115,3 +115,4 @@ patch/0110-containerd-update-vendored-golang.org-x-net.patch
 patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch
 patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
 patch/0113-containerd-fix-CVE-2024-40635.patch
+patch/0114-containerd-remove-limitnofile-from-containerd-service.patch
-- 
Gitee