If you have also hit the following error in the logs when starting a container with docker/containerd on a SUSE system: Error response from daemon: failed to create task for container: failed to start shim: start failed: io.containerd.runc.v2: fork/exec /usr/bin/containerd-shim-runc-v2: resource temporarily unavailable: exit status 1: unknown
you can use the following resource-limit tuning as a reference. The "resource temporarily unavailable" comes from fork/exec failing, i.e. the shim could not be forked because a process, thread or file-descriptor limit was exhausted, which is why the settings below raise those limits:
System tuning
```bash
# persisted pid limit (survives reboot via sysctl.conf)
sysctl -w kernel.pid_max=131072
echo 'kernel.pid_max=131072' >> /etc/sysctl.conf
# open-file limit for the current shell
ulimit -Sn 256530
ulimit -n 256530
# per-user process and open-file limits for PAM sessions
echo '* hard nproc 256530' >> /etc/security/limits.conf
echo '* soft nproc 256530' >> /etc/security/limits.conf
echo '* soft nofile 102400' >> /etc/security/limits.conf
echo '* hard nofile 102400' >> /etc/security/limits.conf
# default limits for every systemd unit (appended right after the [Manager] header)
sed -i '/^\[Manager\]/a DefaultTasksMax=infinity\nDefaultLimitNOFILE=102400\nDefaultLimitNPROC=infinity\nDefaultLimitMEMLOCK=infinity' /etc/systemd/system.conf
# runtime-only values; note that pid_max is raised here beyond the 131072 persisted above,
# so after a reboot the sysctl.conf value applies
echo 4194303 | tee /proc/sys/kernel/pid_max
echo 1029194 | tee /proc/sys/kernel/threads-max
# lift the pids cgroup limit of the docker service (cgroup v1 path)
echo 'max' > /sys/fs/cgroup/pids/system.slice/docker.service/pids.max
```
Docker configuration
For /etc/docker/daemon.json:
```json
{
  "default-ulimits": {
    "nofile": {
      "Name": "nofile",
      "Hard": 128000,
      "Soft": 128000
    },
    "nproc": {
      "Name": "nproc",
      "Hard": -1,
      "Soft": -1
    }
  },
  "exec-opts": [
    "native.cgroupdriver=systemd"
  ]
}
```
AppArmor
For AppArmor:
```bash
systemctl stop apparmor
systemctl disable apparmor

tee /etc/apparmor.d/docker-default <<'EOF'
#include <tunables/global>

profile docker-default flags=(complain) {
  file,
  network,
  capability,
  /usr/bin/docker mr,
  /usr/lib/docker/** mr,
  /usr/bin/containerd* mr,
  /usr/bin/runc* mr,
  /data/docker/tmp/** rw,
  deny /** wklx,
}
EOF

apparmor_parser -r /etc/apparmor.d/docker-default
aa-complain docker-default
```
Notes
⚠: If you also manage the daemon as a service, the system.conf settings above must be mirrored in the [Service] section of the unit file;
/usr/lib/systemd/system/docker.service needs to be modified as well
```ini
...
TasksMax=infinity
LimitNPROC=infinity
LimitNOFILE=infinity
LimitMEMLOCK=infinity
...
```
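After applying all of the steps above it is easy to miss one file, and the shim error only reappears under load. As an added example (not part of the original post), the POSIX shell audit below reads back every value the procedure sets and reports the ones that are still missing or too low. The ROOT argument is an assumption of this example: it defaults to "/" for a live host, and can point at a staged copy of the files. The thresholds are the numbers the post itself writes. It also reports when the docker-default profile is still in complain mode, because in that mode the "deny /** wklx" rule only logs denials and does not block anything.

```shell
#!/bin/sh
# Added example: audit the limits that the post's procedure configures.
# audit_limits [ROOT] -> prints one FAIL line per missing/low setting, returns the failure count.

# read_value FILE : print the trimmed first line of FILE, or "missing"
read_value() {
    if [ -r "$1" ]; then
        head -n 1 "$1" | tr -d '[:space:]'
    else
        echo missing
    fi
}

# check_min NAME VALUE MIN : succeed if VALUE is "max"/"infinity" or a number >= MIN
check_min() {
    name=$1; value=$2; min=$3
    case "$value" in
        max|infinity) return 0 ;;
        ''|*[!0-9]*) echo "FAIL $name: unparsable value '$value'"; return 1 ;;
    esac
    if [ "$value" -ge "$min" ]; then
        return 0
    fi
    echo "FAIL $name: $value < $min"
    return 1
}

# has_line FILE REGEX : succeed if some line of FILE matches REGEX
has_line() {
    if [ -r "$1" ] && grep -Eq "$2" "$1"; then
        return 0
    fi
    return 1
}

# audit_limits ROOT : run every check against the tree rooted at ROOT (assumed parameter, default "/")
audit_limits() {
    root=${1:-/}
    fails=0
    check_min pid_max "$(read_value "$root/proc/sys/kernel/pid_max")" 131072 || fails=$((fails+1))
    check_min threads-max "$(read_value "$root/proc/sys/kernel/threads-max")" 1029194 || fails=$((fails+1))
    check_min docker.pids.max "$(read_value "$root/sys/fs/cgroup/pids/system.slice/docker.service/pids.max")" 4194303 || fails=$((fails+1))
    # the four entries the post appends to limits.conf (single space, as the echo commands write them)
    for entry in 'hard nproc' 'soft nproc' 'soft nofile' 'hard nofile'; do
        has_line "$root/etc/security/limits.conf" "^\*[[:space:]]+$entry[[:space:]]+[0-9]+" \
            || { echo "FAIL limits.conf: no '* $entry' entry"; fails=$((fails+1)); }
    done
    for key in DefaultTasksMax DefaultLimitNOFILE DefaultLimitNPROC DefaultLimitMEMLOCK; do
        has_line "$root/etc/systemd/system.conf" "^$key=" \
            || { echo "FAIL system.conf: $key not set"; fails=$((fails+1)); }
    done
    for key in TasksMax LimitNPROC LimitNOFILE LimitMEMLOCK; do
        has_line "$root/usr/lib/systemd/system/docker.service" "^$key=" \
            || { echo "FAIL docker.service: $key not set"; fails=$((fails+1)); }
    done
    has_line "$root/etc/docker/daemon.json" 'native.cgroupdriver=systemd' \
        || { echo "FAIL daemon.json: cgroup driver is not systemd"; fails=$((fails+1)); }
    # complain mode logs denials instead of enforcing them; say so explicitly
    if has_line "$root/etc/apparmor.d/docker-default" 'flags=\(complain\)'; then
        echo "NOTE docker-default profile is in complain mode: denials are logged, not blocked"
    fi
    echo "$fails check(s) failed"
    return "$fails"
}

# run against the given root only when invoked with an argument, e.g. `sh audit.sh /`
[ $# -gt 0 ] && audit_limits "$1"
```

Run it as `sh audit.sh /` on the host after the changes and again after a reboot: the second run catches the values that were only written to /proc or /sys and never persisted.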