How will a server running multiple Docker virtual machines handle the TCP limitation?

Under a REALLY heavy load, a server doesn't seem to "recycle" the TCP connections quickly enough.

I'm looking into using Docker to deal with a higher than usual number of requests per second to an API by creating multiple instances of a node server on one machine vs using multiple machines.

If the following sysctl settings are set, the recycling does seem to happen faster but there is still a hard limit on how many sockets there can be in existence:

net.ipv4.ip_local_port_range='1024 65000'
net.ipv4.tcp_tw_reuse='1'
net.ipv4.tcp_fin_timeout='15'

When running multiple docker instances, is the total cap on tcp connections still equal to the number of maximum tcp connections the "parent" machine can handle?

dsp_099 asked Dec 02 '25 04:12


1 Answer

Yes, the total cap of TCP connections will be capped by the Docker host.

However, there are three very different limits:

  • total cap of open connections (regardless of the source/destination IP address), which is related to the maximum number of file descriptors, and can be extremely high (i.e. millions)
  • total cap of outbound connections for a given local IP address (limited to 64K per local IP address)
  • total cap of connections tracked by netfilter

TCP port recycling deals with the 2nd limit. If you use netstat -nt in the host and container, you should be able to easily check if you're getting close to it. If that's the case, the sysctls that you used should help a lot.

If your container is handling outside traffic, it shouldn't be subject to that limit; however, you could hit the 3rd one. You can check the number of tracked connections with conntrack -S, and if necessary, bump up the max number of connections by tweaking /proc/sys/net/ipv4/netfilter/ip_conntrack_max.

It would be helpful to indicate which symptoms you are seeing that make you think that the server doesn't recycle the connections fast enough.

jpetazzo answered Dec 03 '25 22:12
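
The three limits from the answer can be read from /proc in one pass. The script below is an added example, not part of the original answer; the function names and the PROC override are this example's own, and it also checks the nf_conntrack_* path that newer kernels use in place of ip_conntrack_*.

```sh
#!/bin/sh
# Added example: headroom for the three limits listed in the answer.
# PROC is this example's own override so the functions can read a copied tree.
PROC="${PROC:-/proc}"

pct() { echo $(( $1 * 100 / $2 )); }   # integer percent of $2 used by $1

# Limit 1: system-wide file descriptors (file-nr = allocated, unused, max).
fd_usage() {
    read -r alloc _unused max < "$PROC/sys/fs/file-nr"
    pct "$alloc" "$max"
}

# Limit 2: size of the local port range used for outbound connections.
port_range_size() {
    read -r lo hi < "$PROC/sys/net/ipv4/ip_local_port_range"
    echo $(( hi - lo + 1 ))
}

# Sockets in TIME_WAIT in this network namespace ("tw" field of sockstat).
time_wait_count() {
    awk '$1 == "TCP:" { for (i = 2; i < NF; i += 2) if ($i == "tw") print $(i + 1) }' \
        "$PROC/net/sockstat"
}

# Limit 3: netfilter connection tracking table, percent full.
# Newer kernels use nf_conntrack_*; the ip_conntrack_* path is the older name.
conntrack_usage() {
    for base in "$PROC/sys/net/netfilter/nf_conntrack" \
                "$PROC/sys/net/ipv4/netfilter/ip_conntrack"; do
        if [ -r "${base}_max" ]; then
            pct "$(cat "${base}_count")" "$(cat "${base}_max")"
            return 0
        fi
    done
    echo "n/a"   # conntrack not loaded in this kernel/namespace
}

report() {
    echo "file descriptors used (%): $(fd_usage)"
    echo "local port range size:     $(port_range_size)"
    echo "TIME_WAIT sockets:         $(time_wait_count)"
    echo "conntrack table used (%):  $(conntrack_usage)"
}

# Print the report only when invoked as: sh script.sh report
if [ "${1:-}" = "report" ]; then report; fi
```

Run it on the host and inside the container, as the answer suggests for netstat, since the socket counts are per network namespace.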