1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
(server-settings)=
# Server settings for an Incus production setup
To allow your Incus server to run a large number of instances, configure the following settings to avoid hitting server limits.
The `Value` column contains the suggested value for each parameter.
## `/etc/security/limits.conf`
Domain | Type | Item | Value | Default | Description
:----- | :--- | :---- | :---------- | :-------- | :----------
`*` | soft | `nofile` | `1048576` | unset | Maximum number of open files
`*` | hard | `nofile` | `1048576` | unset | Maximum number of open files
`root` | soft | `nofile` | `1048576` | unset | Maximum number of open files
`root` | hard | `nofile` | `1048576` | unset | Maximum number of open files
`*` | soft | `memlock` | `unlimited` | unset | Maximum locked-in-memory address space (KB)
`*` | hard | `memlock` | `unlimited` | unset | Maximum locked-in-memory address space (KB)
`root` | soft | `memlock` | `unlimited` | unset | Maximum locked-in-memory address space (KB), only need with `bpf` syscall supervision
`root` | hard | `memlock` | `unlimited` | unset | Maximum locked-in-memory address space (KB), only need with `bpf` syscall supervision
## `/etc/sysctl.conf`
```{note}
Reboot the server after changing any of these parameters.
```
Parameter | Value | Default | Description
:----- | :--- | :--- | :---
`fs.aio-max-nr` | `524288` | `65536` | Maximum number of concurrent asynchronous I/O operations (you might need to increase this limit further if you have a lot of workloads that use the AIO subsystem, for example, MySQL)
`fs.inotify.max_queued_events` | `1048576` | `16384` | Upper limit on the number of events that can be queued to the corresponding `inotify` instance (see [`inotify`](https://man7.org/linux/man-pages/man7/inotify.7.html))
`fs.inotify.max_user_instances` | `1048576` | `128` | Upper limit on the number of `inotify` instances that can be created per real user ID (see [`inotify`](https://man7.org/linux/man-pages/man7/inotify.7.html))
`fs.inotify.max_user_watches` | `1048576` | `8192` | Upper limit on the number of watches that can be created per real user ID (see [`inotify`](https://man7.org/linux/man-pages/man7/inotify.7.html))
`kernel.dmesg_restrict` | `1` | `0` | Whether to deny container access to the messages in the kernel ring buffer (note that this will also deny access to non-root users on the host system)
`kernel.keys.maxbytes` | `2000000` | `20000` | Maximum size of the key ring that non-root users can use
`kernel.keys.maxkeys` | `2000` | `200` | Maximum number of keys that a non-root user can use (the value should be higher than the number of instances)
`net.core.bpf_jit_limit` | `1000000000` | varies | Limit on the size of eBPF JIT allocations (on kernels < 5.15 that are compiled with `CONFIG_BPF_JIT_ALWAYS_ON=y`, this value might limit the amount of instances that can be created)
`net.ipv4.neigh.default.gc_thresh3` | `8192` | `1024` | Maximum number of entries in the IPv4 ARP table (increase this value if you plan to create over 1024 instances - otherwise, you will get the error `neighbour: ndisc_cache: neighbor table overflow!` when the ARP table gets full and the instances cannot get a network configuration; see [`ip-sysctl`](https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt))
`net.ipv6.neigh.default.gc_thresh3` | `8192` | `1024` | Maximum number of entries in IPv6 ARP table (increase this value if you plan to create over 1024 instances - otherwise, you will get the error `neighbour: ndisc_cache: neighbor table overflow!` when the ARP table gets full and the instances cannot get a network configuration; see [`ip-sysctl`](https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt))
`vm.max_map_count` | `262144` | `65530` | Maximum number of memory map areas a process may have (memory map areas are used as a side-effect of calling `malloc`, directly by `mmap` and `mprotect`, and also when loading shared libraries)
|
