Refresh net.core.somaxcomm (or any sysctl property) for docker containers

囚心锁ツ 2020-12-08 01:36

I am trying to change net.core.somaxconn for a docker container to be able to have a larger queue of requests for my web application.

On OS, outside docker,

6 answers
  • 2020-12-08 01:56

    In docker 3.1 there is support for specifying sysctl. Note the

        sysctls:
          - net.core.somaxconn=1024

    My example docker-compose file

    version: '3.1'
    services:
      my_redis_master:
        image: redis
        restart: always
        command: redis-server /etc/redis/redis.conf
        volumes:
          - /data/my_dir/redis:/data
          - /data/my_dir/logs/redis:/var/tmp/
          - ./redis/redis-master.conf:/etc/redis/redis.conf
        sysctls:
          - net.core.somaxconn=1024
        ports:
          - "18379:6379"
    
  • 2020-12-08 02:00

    Just figured out how to solve this, now Elastic Beanstalk supports running privileged containers and you just need to add "privileged": "true" to your Dockerrun.aws.json as in the following sample (please take a look at container-1):

    {
      "AWSEBDockerrunVersion": 2,
      "containerDefinitions": [{
        "name": "container-0",
        "essential": "false",
        "image": "ubuntu",
        "memory": "512"
      }, {
        "name": "container-1",
        "essential": "false",
        "image": "ubuntu",
        "memory": "512",
        "privileged": "true"
      }]
    }
    

    Please note that I duplicated this answer from another thread.

  • 2020-12-08 02:09

    docker 1.12 added support for setting sysctls with --sysctl.

    docker run --name some-redis --sysctl=net.core.somaxconn=511 -d redis
    

    docs: https://docs.docker.com/engine/reference/commandline/run/#/configure-namespaced-kernel-parameters-sysctls-at-runtime

  • 2020-12-08 02:14

    The "net/core" subsys is registered per network namespace. And the initial value for somaxconn is set to 128.

    When you do sysctl on the host system it sets the core parameters for its network namespace, which is the one owned by init. (basically this is the default namespace). This does not affect other network namespaces.

    When a Docker container is started, the virtual network interface (shows up as vethXXX on the host) of that container is attached to its own namespace, which still has the initial somaxconn value of 128. So technically, you cannot propagate this value into the container, since the two network namespaces do not share it.

    There are, however, two ways you can adjust this value, in addition to running the container in privileged mode.

    1. use "--net host" when running the container, so it uses the host's network interface and hence shares the same network namespace.

    2. you can mount the proc file system as read-write using Docker's volume mapping support. The trick is to map it to a volume NOT named "/proc", since Docker will remount /proc/sys, among others, as read-only for non-privileged containers. This requires the host to mount /proc as rw, which is the case on most systems.

      docker run -it --rm -v /proc:/writable-proc ubuntu:14.04 /bin/bash
      root@edbee3de0761:/# echo 1024 > /writable-proc/sys/net/core/somaxconn
      root@edbee3de0761:/# sysctl net.core.somaxconn
      net.core.somaxconn = 1024
      

    Method 2 should work on Elastic Beanstalk via its volume mapping support in Dockerrun.aws.json. Also it should work for other tunable parameters under /proc that are per-namespace. But this is most likely an oversight on Docker's part so they may add additional validation on volume mapping and this trick won't work then.

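The answers above give four routes to the same setting: the supported `--sysctl` / compose `sysctls` route, and three workarounds (privileged mode, `--net host`, bind-mounting the host's /proc under another name) that each widen what the container can reach. The audit below, an added example and not code from any answer, reads the JSON that `docker inspect <container>` emits (field names follow Docker's real schema; the sample records are constructed) and reports which route a running container is using, so the workarounds show up in review rather than being discovered later.

```python
import json
from typing import List

# Constructed sample: a trimmed `docker inspect` record for a container started
# with several of the workarounds from this thread at once.
SAMPLE_RISKY = json.dumps([{
    "Name": "/some-redis",
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "default",
        "Binds": ["/proc:/writable-proc", "/data/my_dir/redis:/data"],
        "Sysctls": {"net.core.somaxconn": "511"},
    },
}])

# Constructed sample: the same container using only the supported --sysctl route.
SAMPLE_SAFE = json.dumps([{
    "Name": "/some-redis",
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "default",
        "Binds": ["/data/my_dir/redis:/data"],
        "Sysctls": {"net.core.somaxconn": "511"},
    },
}])


def audit_container(inspect_json: str) -> List[str]:
    """Return findings on how each container gets its kernel settings.

    Each finding starts with RISK (a workaround that broadens the container's
    reach) or OK (a sysctl set through Docker's namespaced --sysctl support).
    """
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig", {})
        if hc.get("Privileged"):
            findings.append(f"RISK {name}: privileged=true (not needed to set sysctls)")
        if hc.get("NetworkMode") == "host":
            findings.append(f"RISK {name}: --net host shares the host network namespace")
        for bind in hc.get("Binds") or []:       # Binds is null when no -v was given
            src, dst = bind.split(":")[:2]       # "host_path:container_path[:opts]"
            if src == "/proc" or src.startswith("/proc/"):
                findings.append(f"RISK {name}: host {src} bind-mounted at {dst} (writable host sysctls)")
        for key, val in (hc.get("Sysctls") or {}).items():
            findings.append(f"OK {name}: sysctl {key}={val} set via --sysctl")
    return findings
```

Run it on live output with `docker inspect <container> | python3 -c 'import sys, audit; print(*audit.audit_container(sys.stdin.read()), sep="\n")'` (assuming the file is saved as audit.py).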
  • I found a solution:

    {
        "AWSEBDockerrunVersion": "1",
        "Command": "run COMMAND",
        "Image": {
            "Name": "crystalnix/omaha-server",
            "Update": "true"
        },
        "Ports": [
            {
                "ContainerPort": "80"
            }
        ]
    }
    

    more details here: /opt/elasticbeanstalk/hooks/appdeploy/pre/04run.sh

    Update:

    Add file .ebextensions/02-commands.config

    container_commands:
        00001-docker-privileged:
            command: 'sed -i "s/docker run -d/docker run --privileged -d/" /opt/elasticbeanstalk/hooks/appdeploy/pre/04run.sh'
    
  • 2020-12-08 02:17

    Update: This answer is obsolete as Docker now supports the docker run --sysctl option!

    The solution I use for my OpenVPN container is to enter the container namespace with full capabilities using nsenter, remounting /proc/sys read-write temporarily, setting stuff up and remounting it read-only again.

    Here is an example, enabling IPv6 forwarding in the container:

    CONTAINER_NAME=openvpn
    
    # enable ipv6 forwarding via nsenter
    container_pid=`docker inspect -f '{{.State.Pid}}' $CONTAINER_NAME`
    nsenter --target $container_pid --mount --uts --ipc --net --pid \
       /bin/sh -c '/usr/bin/mount /proc/sys -o remount,rw;
                   /usr/sbin/sysctl -q net.ipv6.conf.all.forwarding=1;
                   /usr/bin/mount /proc/sys -o remount,ro;
                   /usr/bin/mount /proc -o remount,rw # restore rw on /proc'
    

    This way the container does not need to run privileged.
