Nixpkgs: Can't start 200 nixos-containers

...and a call for ideas what to check. Any hints welcome!

From the logs, it looks like there's a race condition with the machine name assignments and duplicates are occurring. I've no idea which code to poke at, unfortunately.

Sep 02 21:18:43 targets-host container target101[101043]: Spawning container target101 on /var/lib/containers/target101.
Sep 02 21:18:43 targets-host container target101[101043]: Press ^] three times within 1s to kill container.
Sep 02 21:18:43 targets-host container target101[101043]: Failed to register machine: Machine 'target101' already exists

On second glance, it appears that you may be hitting an open file limit on linux? The container is then killed, but not unregistered, hence the above error. There might be two bugs here.

Sep 02 21:17:03 targets-host container target101[2702]: [FAILED] Failed to start Nginx Web Server.
Sep 02 21:17:03 targets-host container target101[2702]: See 'systemctl status nginx.service' for details.
Sep 02 21:17:10 targets-host container target101[89675]: /nix/store/cinw572b38aln37glr0zb8lxwrgaffl4-bash-4.4-p23/bin/bash: /nix/store/nh6qsmg2vyzpyf3sykgr9m2dnblcp42m-unit-script-container_target101-post-start: Too many open files

Some reference material on file limits.
You might be able to adjust the max file limit with the boot.kernel.sysctl nixos option.

Thanks for setting these milestones by the way. We hit new problems every time you are stretching your goals which is a good thing :)

@boxofrox thanks for the analysis!

You might be able to adjust the max file limit with the boot.kernel.sysctl nixos option.

Yes, that's easily possible with:

  boot.kernel.sysctl = {
    "fs.file-max" = 2097152;
  };

but the default is already pretty high:

[davidak@ethmoid:~]$ cat /proc/sys/fs/file-max
9223372036854775807

I tried to raise the open file limits per user in the past, but it didn't solve the problem then.

  security.pam.loginLimits = [
    { domain = "*"; item = "nofile"; type = "soft"; value = "8192"; }
    { domain = "*"; item = "nofile"; type = "hard"; value = "8192"; }
  ];

I will debug this further.

I tested with extremely high values, but still got Too many open files issues.

  # same as /proc/sys/fs/nr_open
  # maybe try also unlimited
  security.pam.loginLimits = [
    { domain = "*"; item = "nofile"; type = "soft"; value = "1073741816"; }
    { domain = "*"; item = "nofile"; type = "hard"; value = "1073741816"; }
  ];

fs.file-max not set since it's already 9223372036854775807 by default.

I have set that in the container host. I don't think i have to set anything special in the container since i have only 3 services running.

I have to look how the limits are actually for the users that having this issues. Debugging takes a lot of time i don't have right now.

Note that systemd services set limits through

https://jlk.fjfi.cvut.cz/arch/manpages/man/systemd-system.conf.5 and
explicitly ignore the values set by pam (
https://wiki.archlinux.org/index.php/Limits.conf)

On Mon, Nov 11, 2019, 09:36 David Kleuker notifications@github.com wrote:

I tested with extremely high values, but still got Too many open files
issues.

# same as /proc/sys/fs/nr_open
# maybe try also unlimited
security.pam.loginLimits = [
{ domain = ""; item = "nofile"; type = "soft"; value = "1073741816"; }
{ domain = ""; item = "nofile"; type = "hard"; value = "1073741816"; }
];

fs.file-max not set since it's already 9223372036854775807 by default.

I have set that in the container host. I don't think i have to set
anything special in the container since i have only 3 services running.

I have to look how the limits are actually for the users that having this
issues. Debugging takes a lot of time i don't have right now.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/NixOS/nixpkgs/issues/67970?email_source=notifications&email_token=AAEZNIYUGV6XMANULPSETWDQTEKRNA5CNFSM4ITANJYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEDWBX2I#issuecomment-552344553,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAEZNI5PVAKEPPKYL44C77LQTEKRNANCNFSM4ITANJYA
.

I took @arianvp's information and created 1) a small program print-file-limits that prints RLIMITS_NOFILE, and 2) a VM to test print-file-limits as a process and service for comparison.

I documented the test in a gist [1] in case @davidak wants to review the numbers on his environment. I didn't find a way in my tests to affect the RLIMIT_NOFILE value in a systemd service despite setting systemd.extraConfig = "DefaultLimitNOFILE=128K:512K".

I don't find many opportunities to tinker with NixOS, but this little program and test VM was surprisingly easy to set up :smiley:.

[1]: https://gist.github.com/boxofrox/eeb9cba5b25d4caad7b47a26039b1b61

Interesting .... that sounds like a bug to me? Wonder whats up here.... Setting the NOFILE thrrough systemd should defenitely work.

How about setting LimitNOFILE directly on the systemd service? (Instead of through systemd.conf)

e.g.:

serviceConfig.LimitNOFILE=128k:512k

@arianvp thanks! I was looking for a per-service option for DefaultLimitNOFILE.

With that patch, I found no change in the RLIMITS_NOFILE reported inside a service. I wonder if 125K:512K is too much.

diff --git a/default.nix b/default.nix
index 0d33d63..34b21fe 100644
--- a/default.nix
+++ b/default.nix
@@ -47,6 +47,7 @@ in {
       serviceConfig = {
         Type = "oneshot";
         ExecStart = "${package}/bin/print-file-limits";
+        LimitNOFILE = "125K:1M";
       };
     };

[vm@test-nixos:~]$ journalctl -u print-file-limits.service --no-pager -e
-- Logs begin at Tue 2019-11-12 17:00:52 UTC, end at Tue 2019-11-12 18:32:40 UTC. --
Nov 12 18:32:19 test-nixos print-file-limits[554]: RLIMIT_NOFILE soft(1024) hard(524288)

[vm@test-nixos:~]$ grep NOFILE /etc/systemd/system/print-file-limits.service
LimitNOFILE=125K:1M

Edit: Doh. Might help to see a difference if my upper limit (512K) didn't match the existing value (524288). Using LimitNOFILE="125K:1M"; instead still doesn't affect the 524288 hard limit.

I found that systemctl show will print details about a service unit. Despite LimitNOFILE=125K:1M, systemctl show reports the same values 1024:524288 I observed.

[vm@test-nixos:~]$ systemctl show print-file-limits.service | grep NO
LimitNOFILE=524288
LimitNOFILESoft=1024

So I switched from LimitNOFILE=125K:1M to LimitNOFILE=1M. systemctl show still reports 1024:524288.

Okay, drop the units. Use LimitNOFILE=1000000. systemctl show changed and reports 1000000:1000000. And print-file-limits.services reports the same.

~It appears the bit about file units in https://jlk.fjfi.cvut.cz/arch/manpages/man/systemd-system.conf.5 is broken?~ Nevermind. Per man page "...may be used for resource limits measured in bytes."

LimitNOFILE=125000:1000000 also works.

[vm@test-nixos:~]$ journalctl -u print-file-limits.service --no-pager -e
-- Logs begin at Tue 2019-11-12 17:00:52 UTC, end at Tue 2019-11-12 20:36:04 UTC. --
Nov 12 20:35:43 test-nixos print-file-limits[518]: RLIMIT_NOFILE soft(125000) hard(1000000)

Mystery solved with LimitNOFILE. :tada:

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

1. Search for maintainers and people that previously touched the
   related code and @ mention them in a comment.
2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
   irc.freenode.net.

still work in progress

Hello again.

I'm now able to run 250 nixos-containers! System rebuild uses 28 GB RAM. The important part of the configuration is:

  # raise limits to support many containers
  boot.kernel.sysctl = {
    # Fix "Failed to allocate directory watch: Too many open files"
    # or "Insufficent watch descriptors available."
    "fs.inotify.max_user_instances" = 524288; # max (uses up to 512 MB kernel memory)
    # Fix "Failed to add ... to directory watch: inotify watch limit reached"
    "fs.inotify.max_user_watches" = 524288; # max (uses up to 512 MB kernel memory)
    # Fix full PIDs, check with `lsof -n -l | wc -l` (default 32768)
    "kernel.pid_max" = 4194303; # 64-bit max
  };

When i try to run 300, i get this errors:

Jun 24 00:01:21 targets-host systemd[1]: Starting Container 'target296'...
Jun 24 00:01:21 targets-host dbus-daemon[770]: [system] The maximum number of active connections for UID 0 has been reached (max_connections_per_user=256)
Jun 24 00:01:21 targets-host dbus-daemon[770]: [system] The maximum number of active connections for UID 0 has been reached (max_connections_per_user=256)
...

That is a known problem in D-Bus: https://gitlab.freedesktop.org/dbus/dbus/-/issues/97

Even a nixos-rebuild fails :smile:

[root@nixos:~]# nixos-rebuild switch
building Nix...
building the system configuration...
these derivations will be built:
  /nix/store/bl14dd8symiqbqnvsy7rbg3kbnqzqsny-system-units.drv
  /nix/store/wjsz4yil7bp5fnpb9l85rnh9gy7n9138-etc.drv
  /nix/store/w7x8k22y30ism8w375nbqcdaw1aj2mhn-nixos-system-targets-host-19.09.2370.e10c65cdb35.drv
building '/nix/store/bl14dd8symiqbqnvsy7rbg3kbnqzqsny-system-units.drv'...
building '/nix/store/wjsz4yil7bp5fnpb9l85rnh9gy7n9138-etc.drv'...
building '/nix/store/w7x8k22y30ism8w375nbqcdaw1aj2mhn-nixos-system-targets-host-19.09.2370.e10c65cdb35.drv'...
org.freedesktop.DBus.Error.LimitsExceeded: The maximum number of active connections for UID 0 has been reached
warning: error(s) occurred while switching to the new configuration

Workaround: Stop containers first. for i in {1..250}; do systemctl stop container@target$i.service ; done

So we might want to limit nixos-containers to 250 for now, until this is fixed.

Thanks for pushing the limits!

How about trying out dbus-broker instead of dbus? It should be a drop-in
replacement with better performance

On Wed, Jun 24, 2020, 00:52 davidak notifications@github.com wrote:

Hello again.

I'm now able to run 250 nixos-containers! System rebuild uses 28 GB RAM.
The important part of the configuration is:

# raise limits to support many containers

boot.kernel.sysctl = {

# Fix "Failed to allocate directory watch: Too many open files"

# or "Insufficent watch descriptors available."

"fs.inotify.max_user_instances" = 524288; # max (uses up to 512 MB kernel memory)

# Fix "Failed to add ... to directory watch: inotify watch limit reached"

"fs.inotify.max_user_watches" = 524288; # max (uses up to 512 MB kernel memory)

# Fix full PIDs, check with `lsof -n -l | wc -l` (default 32768)

"kernel.pid_max" = 4194303; # 64-bit max

};

When i try to run 300, i get this errors:

Jun 24 00:01:21 targets-host systemd[1]: Starting Container 'target296'...

Jun 24 00:01:21 targets-host dbus-daemon[770]: [system] The maximum number of active connections for UID 0 has been reached (max_connections_per_user=256)

Jun 24 00:01:21 targets-host dbus-daemon[770]: [system] The maximum number of active connections for UID 0 has been reached (max_connections_per_user=256)

...

That is a known problem in D-Bus:
https://gitlab.freedesktop.org/dbus/dbus/-/issues/97

Even a nixos-rebuild fails 😄

[root@nixos:~]# nixos-rebuild switch

building Nix...

building the system configuration...

these derivations will be built:

/nix/store/bl14dd8symiqbqnvsy7rbg3kbnqzqsny-system-units.drv

/nix/store/wjsz4yil7bp5fnpb9l85rnh9gy7n9138-etc.drv

/nix/store/w7x8k22y30ism8w375nbqcdaw1aj2mhn-nixos-system-targets-host-19.09.2370.e10c65cdb35.drv

building '/nix/store/bl14dd8symiqbqnvsy7rbg3kbnqzqsny-system-units.drv'...

building '/nix/store/wjsz4yil7bp5fnpb9l85rnh9gy7n9138-etc.drv'...

building '/nix/store/w7x8k22y30ism8w375nbqcdaw1aj2mhn-nixos-system-targets-host-19.09.2370.e10c65cdb35.drv'...

org.freedesktop.DBus.Error.LimitsExceeded: The maximum number of active connections for UID 0 has been reached

warning: error(s) occurred while switching to the new configuration

So we might want to limit nixos-containers to 250 for now or at least show
a warning, until this is fixed.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/NixOS/nixpkgs/issues/67970#issuecomment-648468609,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAEZNI4T23DJEELL6ZVCT5LRYEW2TANCNFSM4ITANJYA
.

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/does-nixops-support-lxc/7823/1

How about trying out dbus-broker instead of dbus?

Looks good. Sadly there is no NixOS option to do so, but a package.

So i tried this:

  systemd.services.dbus-broker.enable = true;
  systemd.services.dbus.enable = false;
  systemd.sockets.dbus.enable = false;

  environment.systemPackages = with pkgs; [ dbus-broker ];

but ended up with a broken system.

[root@nixos:~]# nixos-rebuild switch
building Nix...
building the system configuration...
these derivations will be built:
  /nix/store/a8l8r0kq3nqjlh0r4w88p3l7yr7ay0mx-system-path.drv
  /nix/store/3larzh848mi8drlsnkd7l84fxw7r05zy-dbus-1.drv
  /nix/store/1x2n6501n034pbwg5qg0i85b8irkwbca-unit-dbus.service.drv
  /nix/store/k0v8hvki318vhxb8ysfymgw99wzpvajw-user-units.drv
  /nix/store/5bmqd9fz9x2s8hfk91ynkd22l63m5dss-unit-systemd-fsck-.service.drv
  /nix/store/7vb75blaci6dnmqijx4s9drjp5f40gic-unit-dbus-broker.service.drv
  /nix/store/8i6ivh9pn6nvw1dg5bwyvbcgbjfk0ryr-unit-polkit.service.drv
  /nix/store/sivzvhy61rjv9ch81w7l27blx65l3ffr-unit-dbus.service-disabled.drv
  /nix/store/mdc6wrib8syjvd7zkk8gj0wlhji9ahd7-system-units.drv
  /nix/store/pn0j92rqbinsvrx69mbxjslzs2kmavan-etc.drv
  /nix/store/3pxc6anjd0gpag6ry0kjj09xd5g8mand-nixos-system-targets-host-19.09.2370.e10c65cdb35.drv
these paths will be fetched (0.12 MiB download, 0.40 MiB unpacked):
  /nix/store/gvnng20vlmyr47vbhy8nf6g4dyjxc31r-dbus-broker-21
copying path '/nix/store/gvnng20vlmyr47vbhy8nf6g4dyjxc31r-dbus-broker-21' from 'https://cache.nixos.org'...
building '/nix/store/7vb75blaci6dnmqijx4s9drjp5f40gic-unit-dbus-broker.service.drv'...
building '/nix/store/sivzvhy61rjv9ch81w7l27blx65l3ffr-unit-dbus.service-disabled.drv'...
building '/nix/store/a8l8r0kq3nqjlh0r4w88p3l7yr7ay0mx-system-path.drv'...
created 1654 symlinks in user environment
building '/nix/store/3larzh848mi8drlsnkd7l84fxw7r05zy-dbus-1.drv'...
building '/nix/store/8i6ivh9pn6nvw1dg5bwyvbcgbjfk0ryr-unit-polkit.service.drv'...
building '/nix/store/5bmqd9fz9x2s8hfk91ynkd22l63m5dss-unit-systemd-fsck-.service.drv'...
building '/nix/store/1x2n6501n034pbwg5qg0i85b8irkwbca-unit-dbus.service.drv'...
building '/nix/store/mdc6wrib8syjvd7zkk8gj0wlhji9ahd7-system-units.drv'...
building '/nix/store/k0v8hvki318vhxb8ysfymgw99wzpvajw-user-units.drv'...
building '/nix/store/pn0j92rqbinsvrx69mbxjslzs2kmavan-etc.drv'...
building '/nix/store/3pxc6anjd0gpag6ry0kjj09xd5g8mand-nixos-system-targets-host-19.09.2370.e10c65cdb35.drv'...
stopping the following units: dbus.service
Warning: Stopping dbus.service, but it can still be activated by:
  dbus.socket
NOT restarting the following changed units: systemd-fsck@dev-disk-by\x2duuid-A617\x2dA4CC.service
activating the configuration...
setting up /etc...
setting up tmpfiles
org.freedesktop.DBus.Error.Disconnected: Connection was disconnected before a reply was received
warning: error(s) occurred while switching to the new configuration

[root@targets-host:~]# nixos-rebuild switch
building Nix...
building the system configuration...
org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /run/dbus/system_bus_socket: Connection refused
warning: error(s) occurred while switching to the new configuration

The dbus-broker.service looks like this:

[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/nl67flma20ixa0x5jms4wk0yfbx4c9wb-glibc-locales-2.27/lib/locale/locale-archive"
Environment="PATH=/nix/store/9v78r3afqy9xn9zwdj9wfys6sk3vc01d-coreutils-8.31/bin:/nix/store/0zdsw4qdrwi41mfdwqpxknsvk9fz3gkb-findutils-4.7.0/bin:/nix/store/71y5ddyz8vmsw9wgi3gzifcls53r60i9-gnugrep-3.3/bin:/nix/store/g2h4491kab7l06v9rf1lnyjvzdwy5ak0-gnused-4.7/bin:/nix/store/ib5p1wc9969rr09xpv09x2iavpaj0j0b-systemd-243.7/bin:/nix/store/9v78r3afqy9xn9zwdj9wfys6sk3vc01d-coreutils-8.31/sbin:/nix/store/0zdsw4qdrwi41mfdwqpxknsvk9fz3gkb-findutils-4.7.0/sbin:/nix/store/71y5ddyz8vmsw9wgi3gzifcls53r60i9-gnugrep-3.3/sbin:/nix/store/g2h4491kab7l06v9rf1lnyjvzdwy5ak0-gnused-4.7/sbin:/nix/store/ib5p1wc9969rr09xpv09x2iavpaj0j0b-systemd-243.7/sbin"
Environment="TZDIR=/nix/store/yfd0qkf8m908j523xyvwmwrll95ywkdi-tzdata-2019b/share/zoneinfo"

While the dbus.service has actually commands to start:

[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket

[Service]
ExecStart=/nix/store/f70c0ln8hj7jr7lps2ydcx4izbffh64x-dbus-1.12.16/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
ExecReload=/nix/store/f70c0ln8hj7jr7lps2ydcx4izbffh64x-dbus-1.12.16/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900

Try adding:

systemd.packages = [ pkgs.dbus-broker ];

Also do not add

systemd.sockets.dbus.enable = false;

as you need the socket for things to work.

so:

systemd.packages = [ pkgs.dbus-broker ];
systemd.services.dbus-broker.enable = true;
systemd.user.services.dbus-broker.enable = true;
systemd.services.dbus.enable = false;
systemd.user.services.dbus.enable = false;

should do the job