From 00c4a289b6c4f4b6538867a8fe6cde3463cd0b03 Mon Sep 17 00:00:00 2001
From: krishjainx
Date: Mon, 5 Jun 2023 16:57:54 +0200
Subject: [PATCH 1/2] app-containers/containerd: Migrate to Type=notify in containerd.service

Race condition arises when the containerd service unit assumes services are ready as soon as they start running, rather than when they can actually accept socket requests. To rectify this, changing the unit to Type=notify is required, utilizing the existing containerd support for sd_notify call after socket setup. In addition to this, the configuration is more aligned with upstream. https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type=
---
 .../containerd/files/containerd.service | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service
index 5af2182266..4a71b0736b 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service
@@ -1,20 +1,24 @@
 [Unit]
-Description=Containerd Container Daemon
-Documentation=http://github.com/docker/containerd
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
 [Service]
-Type=simple
+ExecStartPre=-/sbin/modprobe overlay
 ExecStart=/usr/bin/containerd --listen unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim /usr/bin/containerd-shim --state-dir /var/run/docker/libcontainerd/containerd --start-timeout 2m
-Restart=always
-# (lack of) limits from the upstream docker service unit
-LimitNOFILE=1048576
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
 LimitNPROC=infinity
 LimitCORE=infinity
+LimitNOFILE=infinity
 TasksMax=infinity
-
-# set delegate yes so that systemd does not reset the cgroups of containers
-Delegate=yes
+OOMScoreAdjust=-999
 [Install]
 WantedBy=multi-user.target early-docker.target

From e3c1a968f5ba74a917ab553a6981ce33db979097 Mon Sep 17 00:00:00 2001
From: krishjainx
Date: Thu, 15 Jun 2023 17:50:41 +0200
Subject: [PATCH 2/2] add changelog
---
 changelog/changes/2023-06-15-containerd-service | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/changes/2023-06-15-containerd-service
diff --git a/changelog/changes/2023-06-15-containerd-service b/changelog/changes/2023-06-15-containerd-service
new file mode 100644
index 0000000000..546cc842b5
--- /dev/null
+++ b/changelog/changes/2023-06-15-containerd-service
@@ -0,0 +1 @@
+- Migrate to Type=notify in containerd.service. Changed the unit to Type=notify, utilizing the existing containerd support for sd_notify call after socket setup.
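Review bot: In the containerd.service hunk, `LimitNOFILE=infinity` replaces the previous explicit `LimitNOFILE=1048576`, and the new comment about kernel accounting overhead does not justify it: open file descriptors have no cgroup controller, and the rlimit is inherited by every process the daemon spawns. Where `infinity` resolves to a very large kernel ceiling, programs that size tables or run close-loops from RLIMIT_NOFILE can become slow or memory-hungry, and a single workload can hold far more of the host's descriptors than before. Unless there is a measured need, I would keep the bounded value, `LimitNOFILE=1048576`, and reword the comment so it covers only the limits that cgroups can actually replace. Separately, `OOMScoreAdjust=-999` is inherited across fork, so it is worth confirming that the runtime resets it per container; otherwise container processes end up nearly exempt from the OOM killer.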