Remove user nproc Limit CentOS 7 Docker image

[ghost]

Hi, there is a default nproc limit for non-root users in the CentOS 7 docker image.

[root@ba4904984f68 /]# cat /etc/security/limits.d/20-nproc.conf 
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     4096
root       soft    nproc     unlimited

[user@ba4904984f68 ~]$ ulimit -a
max user processes              (-u) 4096

When running several containers with Java applications as the same user this limit is hit easily as this limit seems not only be valid for processes but also for threads. Also the limit is not only valid for a single container, it is an overall limit for several containers running the same user.

Could it be useful to remove the file 20-nproc.conf in your provided CentOS 7 image via the kickstart?

[ghost]

After some more testings, the nproc ulimit is only applied for users different to the main/start process (entrypoint/cmd) of a container.

When running a container with a specific user no max user processes limit is applied.

$ docker run --rm -it -u operator centos:7 bash -c 'ulimit -u'
unlimited

When running a container and somehow switching the user or running several commands in different users the limit is applied.

$ docker run --rm -it centos:7 su -l operator -s /bin/bash -c 'ulimit -u'
4096

Without the 20-nproc.conf file and switching the user or running several commands in different users no limit is applied.

$ docker run --rm -it centos:7 bash -c \
  "rm /etc/security/limits.d/20-nproc.conf && su -l operator -s /bin/bash -c 'ulimit -u'"
unlimited

Is the default nproc limit of CentOS still useful for containers?

[barelnir]

I have the same issue, ssh is refused and only if I change the number I am able to connect,
Is it OK to remove this file? or it is required?