upgrade for security/limits.conf

labring-actions · Aug 30, 2023 · 1af24c2 · 1af24c2
1 parent b90d3d2
commit 1af24c2
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 1 deletion.
diff --git a/k8s/etc/limits.d/sealos-k8s.conf b/k8s/etc/limits.d/sealos-k8s.conf
@@ -0,0 +1,41 @@
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+* - nofile 65535
+* - nproc 65535
+root - nofile 1048576
+root - nproc 1048576
diff --git a/k8s/scripts/clean-kube.sh b/k8s/scripts/clean-kube.sh
@@ -25,6 +25,13 @@ rm -f /usr/bin/kubectl
 rm -f /usr/bin/kubelet
 
 sed -i '/ # sealos/d' /etc/sysctl.conf
+sealos_b='### sealos begin ###'
+sealos_e='### sealos end ###'
+if grep -E "($sealos_b|$sealos_e)" /etc/security/limits.conf >/dev/null 2>&1; then
+  slb=$(grep -nE "($sealos_b|$sealos_e)" /etc/security/limits.conf | head -n 1 | awk -F: '{print $1}')
+  sle=$(grep -nE "($sealos_b|$sealos_e)" /etc/security/limits.conf | tail -n 1 | awk -F: '{print $1}')
+  sed -i "${slb},${sle}d" /etc/security/limits.conf
+fi
 rm -f /etc/systemd/system/kubelet.service
 rm -rf /etc/systemd/system/kubelet.service.d
 rm -rf /var/lib/kubelet/

diff --git a/k8s/scripts/init-kube.sh b/k8s/scripts/init-kube.sh
@@ -21,7 +21,6 @@ grep ::1 <(grep localhost /etc/hosts) || echo "::1 localhost" >>/etc/hosts
 cp -a ../scripts/kubelet-pre-start.sh /usr/bin
 cp -a ../scripts/kubelet-post-stop.sh /usr/bin
 
-
 source common.sh
 disable_firewalld
 
@@ -33,6 +32,16 @@ cat ../etc/sysctl.d/*.conf | sort | uniq | while read -r str; do
     echo "$k=$v # sealos"
   fi
 done >>/etc/sysctl.conf
+kubelet-pre-start.sh
+sealos_b='### sealos begin ###'
+sealos_e='### sealos end ###'
+if ! grep -E "($sealos_b|$sealos_e)" /etc/security/limits.conf >/dev/null 2>&1; then
+  {
+    echo "$sealos_b"
+    cat ../etc/limits.d/*.conf | grep -v ^# | grep -v ^$ | awk '{print $1,$2,$3,$4}'
+    echo "$sealos_e"
+  } >>/etc/security/limits.conf
+fi
 
 cp -a ../bin/* /usr/bin
 #need after cri-shim