I am trying to change net.core.somaxconn
for docker container to be able to have larger queue of requests for my web application.
On OS, outside docker, I first modify the property successfully:
$ cat /proc/sys/net/core/somaxconn
128
$ sudo sysctl -w net.core.somaxconn=1024
net.core.somaxconn = 1024
$ cat /proc/sys/net/core/somaxconn
1024
But then I don't know how to propagate that change into docker. I've tried:
/etc/sysctl.conf
(in hope of docker reading that file on container launch)sudo docker stop
and sudo docker run
againsudo service docker restart
But inside container, cat /proc/sys/net/core/somaxconn
always shows 128
.
I'm running docker 1.2 (so I cannot, by default, modify /proc
attributes inside container) and in Elastic Beanstalk (so without --privileged
mode, that would allow me to modify /proc
).
How can I propagate the sysctl changes to docker?
Docker provides restart policies to control whether your containers start automatically when they exit, or when Docker restarts. Restart policies ensure that linked containers are started in the correct order. Docker recommends that you use restart policies, and avoid using process managers to start containers.
By default, all containers running on the same host can use the host CPU resources equally and without any restrictions. However, Docker can pass -c or --cpu-shares to set the weight of the CPU used by the container. If not specified, the default value is 1024.
net. core. somaxconn : An upper limit for the value of the backlog parameter passed to the listen(2) function. If the backlog argument is greater than the value of /proc/sys/net/core/somaxconn , then it is silently truncated to this limit.
Performance and Containers If no value is provided docker will use a default value. On windows, a container defaults to using two CPUs. If hyperthreading is available this is one core and two logical processors. If hyperthreading is not available this is two cores and two logical processors.
When a Docker container is started, the virtual network interface (shows up as vethXXX on the host) of that container is attached to its own namespace, which still has the initial somaxconn value of 128. So technically, you cannot propogate this value into the container, since the two network namespaces do not share it.
And the initial value for somaxconn is set to 128. When you do sysctl on the host system it sets the core parameters for its network namespace, which is the one owned by init. (basically this is the default namespace).
Even if somaxconn is larger on the host, it's not transferred to the running container (s). Any ideas? Sorry, something went wrong. @titpetric there is an issue tracking service create parity with run: moby/moby#25303 and it links to moby/moby#25209 for --syscall support (which you already commented on).
Docker allows to configure most namespaced sysctls when creating a container. Setting the tw_reuse sysctl mentioned above is pretty straight forward using the --sysctl option in docker run: Similarly, recent enough versions of Docker support sysctls in compose files for docker-compose and swarm mode:
The "net/core" subsys is registered per network namespace. And the initial value for somaxconn is set to 128.
When you do sysctl on the host system it sets the core parameters for its network namespace, which is the one owned by init. (basically this is the default namespace). This does not affect other network namespaces.
When a Docker container is started, the virtual network interface (shows up as vethXXX on the host) of that container is attached to its own namespace, which still has the initial somaxconn value of 128. So technically, you cannot propogate this value into the container, since the two network namespaces do not share it.
There are, however, two ways you can adjust this value, in addition to run the container in privileged mode.
use "--net host" when running the container, so it uses the host's network interface and hence share the same network namespace.
you can mount the proc file system as read-write using Docker's volume mapping support. the trick is to map it to a volume NOT named "/proc", since Docker will remount /proc/sys, among others, as read-only for non-privileged containers. This requires the host to mount /proc as rw, which is the case on most systems.
docker run -it --rm -v /proc:/writable-proc ubuntu:14.04 /bin/bash
root@edbee3de0761:/# echo 1024 > /writable-proc/sys/net/core/somaxconn
root@edbee3de0761:/# sysctl net.core.somaxconn
net.core.somaxconn = 1024
Method 2 should work on Elastic Beanstalk via its volume mapping support in Dockerrun.aws.json. Also it should work for other tunable parameters under /proc that's per-namespace. But this is most likely an oversight on Docker's part so they may add additional validation on volume mapping and this trick won't work then.
docker 1.12 add support for setting sysctls with --sysctl.
docker run --name some-redis --sysctl=net.core.somaxconn=511 -d redis
docs: https://docs.docker.com/engine/reference/commandline/run/#/configure-namespaced-kernel-parameters-sysctls-at-runtime
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With