Server settings for an LXD production setup
To allow your LXD server to run a large number of instances, configure the following settings to avoid hitting server limits. The Value column contains the suggested value for each parameter.
/etc/security/limits.conf
Note
If you installed LXD as a snap, these limits are raised automatically.
| Domain | Type | Item | Value | Default | Description |
|---|---|---|---|---|---|
| | soft | | | unset | Maximum number of open files |
| | hard | | | unset | Maximum number of open files |
| | soft | | | unset | Maximum number of open files |
| | hard | | | unset | Maximum number of open files |
| | soft | | | unset | Maximum locked-in-memory address space (KB) |
| | hard | | | unset | Maximum locked-in-memory address space (KB) |
| | soft | | | unset | Maximum locked-in-memory address space (KB), only needed with |
| | hard | | | unset | Maximum locked-in-memory address space (KB), only needed with |
/etc/sysctl.conf
Note
Reboot the server after changing any of these parameters.
Key: fs.aio-max-nr
Type: integer
Default:
Suggested value: 524288
You might need to increase this limit further if you run many workloads that use the AIO subsystem (for example, MySQL).
Key: fs.inotify.max_queued_events
Type: integer
Default:
Suggested value: 1048576
This option specifies the maximum number of events that can be queued to the corresponding inotify instance (see inotify for more information).
Key: fs.inotify.max_user_instances
Type: integer
Default:
Suggested value: 1048576
This option specifies the maximum number of inotify instances that can be created per real user ID (see inotify for more information).
Key: fs.inotify.max_user_watches
Type: integer
Default:
Suggested value: 1048576
This option specifies the maximum number of watches that can be created per real user ID (see inotify for more information).
Key: kernel.dmesg_restrict
Type: integer
Default:
Suggested value: 1
Set this option to 1 to deny containers access to the messages in the kernel ring buffer (dmesg), which can leak host addresses, device names and other details useful to an attacker inside an instance.
Note that setting this value to 1 also denies that access to non-root users on the host system unless they hold CAP_SYSLOG.
Key: kernel.keys.maxbytes
Type: integer
Default:
Suggested value: 2000000
This option specifies the maximum number of bytes of key payload data that a non-root user can hold in the keys it owns.
Key: kernel.keys.maxkeys
Type: integer
Default:
Suggested value: 2000
This option specifies the maximum number of keys a non-root user can own. Set it to a value that is higher than the number of instances.
Key: net.core.bpf_jit_limit
Type: integer
Default: varies
Suggested value: 1000000000
On kernels older than 5.15 that are compiled with CONFIG_BPF_JIT_ALWAYS_ON=y, this value might limit the number of instances that can be created, because on those kernels every JIT-compiled BPF program, including the seccomp filters loaded for each instance, counts against the limit.
Key: net.ipv4.neigh.default.gc_thresh3
Type: integer
Default:
Suggested value: 8192
Increase this value if you plan to create over 1024 instances.
Otherwise, you will get the error neighbour: arp_cache: neighbor table overflow! when the ARP table gets full and the instances cannot get a network configuration.
See ip-sysctl for more information.
Key: net.ipv6.neigh.default.gc_thresh3
Type: integer
Default:
Suggested value: 8192
Increase this value if you plan to create over 1024 instances.
Otherwise, you will get the error neighbour: ndisc_cache: neighbor table overflow! when the IPv6 neighbor (NDP) table gets full and the instances cannot get a network configuration.
See ip-sysctl for more information.
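The following script is an added example, not part of the LXD documentation or the LXD project. It collects the suggested sysctl values from this page into one table, reads a host's current values either from `sysctl -a` style output ("key = value" lines) or directly from `/proc/sys`, and reports every key that is missing or below the suggested value, so it can run as a preflight check before putting a server into production. It can also print the suggested values as a fragment suitable for a `/etc/sysctl.d/` file. The function names, the file name `99-lxd.conf` and the sample host output at the bottom are assumptions chosen for this example; the sample is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not LXD project code): compare a host's sysctl values against
# the suggested production values and print a sysctl.d fragment for them.

# Suggested values from this page, one "key value" pair per line.
LXD_SUGGESTED_SYSCTLS='fs.aio-max-nr 524288
fs.inotify.max_queued_events 1048576
fs.inotify.max_user_instances 1048576
fs.inotify.max_user_watches 1048576
kernel.dmesg_restrict 1
kernel.keys.maxbytes 2000000
kernel.keys.maxkeys 2000
net.core.bpf_jit_limit 1000000000
net.ipv4.neigh.default.gc_thresh3 8192
net.ipv6.neigh.default.gc_thresh3 8192'

# current_sysctl KEY: read the live value from /proc/sys (dots become slashes).
current_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# value_from_file KEY FILE: extract KEY's value from "key = value" lines
# (the format produced by `sysctl -a`). Prints nothing if the key is absent.
value_from_file() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# check_sysctls [FILE]: for each suggested key, compare the current value
# (from FILE if given, else from /proc/sys) with the suggested one.
# Prints "KEY CURRENT SUGGESTED" for every key below the suggestion and
# "KEY missing SUGGESTED" for keys that cannot be read; returns 1 if any.
check_sysctls() {
    file=$1
    failed=0
    while read -r key want; do
        [ -n "$key" ] || continue
        if [ -n "$file" ]; then
            have=$(value_from_file "$key" "$file")
        else
            have=$(current_sysctl "$key")
        fi
        if [ -z "$have" ]; then
            printf '%s missing %s\n' "$key" "$want"
            failed=1
        elif [ "$have" -lt "$want" ]; then
            printf '%s %s %s\n' "$key" "$have" "$want"
            failed=1
        fi
    done <<EOF
$LXD_SUGGESTED_SYSCTLS
EOF
    return $failed
}

# render_sysctl_conf: print the suggested values as "key = value" lines,
# ready to be written to a sysctl.d drop-in (assumed name: 99-lxd.conf).
render_sysctl_conf() {
    printf '%s\n' "$LXD_SUGGESTED_SYSCTLS" | while read -r key want; do
        [ -n "$key" ] && printf '%s = %s\n' "$key" "$want"
    done
}

# Demo on constructed `sysctl -a` output (not a real host): three keys are
# left at typical stock values and one is omitted entirely.
SAMPLE_SYSCTL_OUTPUT=$(mktemp)
cat > "$SAMPLE_SYSCTL_OUTPUT" <<'EOF'
fs.aio-max-nr = 65536
fs.inotify.max_queued_events = 1048576
fs.inotify.max_user_instances = 1048576
fs.inotify.max_user_watches = 1048576
kernel.dmesg_restrict = 0
kernel.keys.maxbytes = 2000000
kernel.keys.maxkeys = 2000
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv6.neigh.default.gc_thresh3 = 8192
EOF
if check_sysctls "$SAMPLE_SYSCTL_OUTPUT"; then
    echo "all suggested sysctl values are in place"
else
    echo "some values are below the suggested minimum; fragment for /etc/sysctl.d/99-lxd.conf:"
    render_sysctl_conf
fi
rm -f "$SAMPLE_SYSCTL_OUTPUT"
```

Run `check_sysctls` with no argument on the target host to read `/proc/sys` directly; it only flags values that are lower than the suggestion, so a host that already sets a higher `fs.aio-max-nr` for a database workload passes. Keys in the sample that match the suggested values are not reported.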