mirror of
https://github.com/lxc/incus.git
synced 2026-02-05 18:45:46 +01:00
fc373479d1
* MD055 Table row doesn't begin/end with pipes * MD057 Table has missing or invalid header separation (second row) General alignment of the columns. Signed-off-by: Lucas Bremgartner <lucas.bremgartner@futurfusion.io>
5.4 KiB
5.4 KiB
(server-settings)=
Server settings for an Incus production setup
To allow your Incus server to run a large number of instances, configure the following settings to avoid hitting server limits.
The Value column contains the suggested value for each parameter.
/etc/security/limits.conf
| Domain | Type | Item | Value | Default | Description |
|---|---|---|---|---|---|
* |
soft | nofile |
1048576 |
unset | Maximum number of open files |
* |
hard | nofile |
1048576 |
unset | Maximum number of open files |
root |
soft | nofile |
1048576 |
unset | Maximum number of open files |
root |
hard | nofile |
1048576 |
unset | Maximum number of open files |
* |
soft | memlock |
unlimited |
unset | Maximum locked-in-memory address space (KB) |
* |
hard | memlock |
unlimited |
unset | Maximum locked-in-memory address space (KB) |
root |
soft | memlock |
unlimited |
unset | Maximum locked-in-memory address space (KB), only need with bpf syscall supervision |
root |
hard | memlock |
unlimited |
unset | Maximum locked-in-memory address space (KB), only need with bpf syscall supervision |
/etc/sysctl.conf
Reboot the server after changing any of these parameters.
| Parameter | Value | Default | Description |
|---|---|---|---|
fs.aio-max-nr |
524288 |
65536 |
Maximum number of concurrent asynchronous I/O operations (you might need to increase this limit further if you have a lot of workloads that use the AIO subsystem, for example, MySQL) |
fs.inotify.max_queued_events |
1048576 |
16384 |
Upper limit on the number of events that can be queued to the corresponding inotify instance (see inotify) |
fs.inotify.max_user_instances |
1048576 |
128 |
Upper limit on the number of inotify instances that can be created per real user ID (see inotify) |
fs.inotify.max_user_watches |
1048576 |
8192 |
Upper limit on the number of watches that can be created per real user ID (see inotify) |
kernel.dmesg_restrict |
1 |
0 |
Whether to deny container access to the messages in the kernel ring buffer (note that this will also deny access to non-root users on the host system) |
kernel.keys.maxbytes |
2000000 |
20000 |
Maximum size of the key ring that non-root users can use |
kernel.keys.maxkeys |
2000 |
200 |
Maximum number of keys that a non-root user can use (the value should be higher than the number of instances) |
net.core.bpf_jit_limit |
1000000000 |
varies | Limit on the size of eBPF JIT allocations (on kernels < 5.15 that are compiled with CONFIG_BPF_JIT_ALWAYS_ON=y, this value might limit the amount of instances that can be created) |
net.ipv4.neigh.default.gc_thresh3 |
8192 |
1024 |
Maximum number of entries in the IPv4 ARP table (increase this value if you plan to create over 1024 instances - otherwise, you will get the error neighbour: ndisc_cache: neighbor table overflow! when the ARP table gets full and the instances cannot get a network configuration; see ip-sysctl) |
net.ipv6.neigh.default.gc_thresh3 |
8192 |
1024 |
Maximum number of entries in IPv6 ARP table (increase this value if you plan to create over 1024 instances - otherwise, you will get the error neighbour: ndisc_cache: neighbor table overflow! when the ARP table gets full and the instances cannot get a network configuration; see ip-sysctl) |
vm.max_map_count |
262144 |
65530 |
Maximum number of memory map areas a process may have (memory map areas are used as a side-effect of calling malloc, directly by mmap and mprotect, and also when loading shared libraries) |