Skip to content

Commit e65d48d

Browse files
rosskirkpatrosskirkpat
committed
set NOFILE limits for systemd, improve error handling for pre-kubeadminit.sh
Signed-off-by: Ross Kirkpatrick <rosskirkpat@outlook.com>
1 parent a857b88 commit e65d48d

File tree

1 file changed

+51
-10
lines changed

1 file changed

+51
-10
lines changed

scripts/pre-kubeadminit.sh

Lines changed: 51 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,18 @@
11
#!/bin/bash
22
set -euo pipefail
3+
34
DEFAULT_CONTAINERD_VERSION=1.7.24
45
DEFAULT_CNI_PLUGIN_VERSIONS=1.6.2
56
CONTAINERD_VERSION="${CONTAINERD_VERSION:=$DEFAULT_CONTAINERD_VERSION}"
67
CNI_PLUGIN_VERSIONS="${CNI_PLUGIN_VERSIONS:=$DEFAULT_CNI_PLUGIN_VERSIONS}"
78

89
# setup containerd config
9-
mkdir -p -m 755 /etc/containerd
10+
# shellcheck disable=SC2174
11+
if ! mkdir -p -m 755 /etc/containerd ; then
12+
echo "Error: Failed to create directory /etc/containerd" >&2
13+
exit 1
14+
fi
15+
1016
cat > /etc/containerd/config.toml << EOF
1117
version = 2
1218
imports = ["/etc/containerd/conf.d/*.toml"]
@@ -25,15 +31,25 @@ EOF
2531

2632
chmod 644 /etc/containerd/config.toml
2733

28-
mkdir -p -m 755 /etc/modules-load.d
34+
# shellcheck disable=SC2174
35+
if ! mkdir -p -m 755 /etc/modules-load.d ; then
36+
echo "Error: Failed to create directory /etc/modules-load.d" >&2
37+
exit 1
38+
fi
39+
2940
cat > /etc/modules-load.d/k8s.conf << EOF
3041
overlay
3142
br_netfilter
3243
EOF
3344

3445
chmod 644 /etc/modules-load.d/k8s.conf
3546

36-
mkdir -p -m 755 /etc/sysctl.d
47+
# shellcheck disable=SC2174
48+
if ! mkdir -p -m 755 /etc/sysctl.d ; then
49+
echo "Error: Failed to create directory /etc/sysctl.d" >&2
50+
exit 1
51+
fi
52+
3753
cat > /etc/sysctl.d/k8s.conf << EOF
3854
net.bridge.bridge-nf-call-iptables = 1
3955
net.bridge.bridge-nf-call-ip6tables = 1
@@ -47,6 +63,20 @@ modprobe overlay
4763
modprobe br_netfilter
4864
sysctl --system
4965

66+
# shellcheck disable=SC2174
67+
if ! mkdir -p -m 755 /etc/systemd/system.conf.d ; then
68+
echo "Error: Failed to create directory /etc/systemd/system.conf.d" >&2
69+
exit 1
70+
fi
71+
72+
cat > /etc/systemd/system.conf.d/override.conf << EOF
73+
[Manager]
74+
# Set sane defaults for the NOFILE limits to support high-performance workloads:
75+
# - Soft limit (65535): Suitable for most containerized applications.
76+
# - Hard limit (1048576): Allows scaling for high-demand scenarios.
77+
DefaultLimitNOFILE=65535:1048576
78+
EOF
79+
5080
# containerd service
5181
cat > /usr/lib/systemd/system/containerd.service << EOF
5282
[Unit]
@@ -68,6 +98,7 @@ RestartSec=5
6898
# in the kernel. We recommend using cgroups to do container-local accounting.
6999
LimitNPROC=infinity
70100
LimitCORE=infinity
101+
LimitNOFILE=infinity
71102
72103
# Comment TasksMax if your systemd version does not supports it.
73104
# Only systemd 226 and above support this version.
@@ -96,7 +127,12 @@ RestartSec=10
96127
WantedBy=multi-user.target
97128
EOF
98129

99-
mkdir -p /usr/lib/systemd/system/kubelet.service.d
130+
# shellcheck disable=SC2174
131+
if ! mkdir -p -m 755 /usr/lib/systemd/system/kubelet.service.d ; then
132+
echo "Error: Failed to create directory /usr/lib/systemd/system/kubelet.service.d" >&2
133+
exit 1
134+
fi
135+
100136
cat > /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf << EOF
101137
# Note: This dropin only works with kubeadm and kubelet v1.11+
102138
[Service]
@@ -116,22 +152,26 @@ swapoff -a
116152
# check for required tools and only install missing tools
117153
REQUIRED_TOOLS=(runc socat conntrack ethtool iptables)
118154
INSTALL_TOOLS=()
119-
for tool in ${REQUIRED_TOOLS[*]}; do
155+
for tool in "${REQUIRED_TOOLS[@]}"; do
120156
echo "checking for ${tool}"
121-
if [ ! -x "$(command -v ${tool})" ]; then
157+
if [ ! -x "$(command -v "${tool}")" ]; then
122158
echo "${tool} is missing"
123-
INSTALL_TOOLS+=(${tool})
159+
INSTALL_TOOLS+=("${tool}")
124160
fi
125161
done
126162
export DEBIAN_FRONTEND=noninteractive
127163
apt-get update -y
128-
apt-get install -y ${INSTALL_TOOLS[*]}
164+
apt-get install -y "${INSTALL_TOOLS[@]}"
129165

130166
# install containerd
131167
curl -L "https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}-linux-amd64.tar.gz" | tar -C /usr/local -xz
132168

133169
# install cni plugins
134-
mkdir -p /opt/cni/bin
170+
if ! mkdir -p /opt/cni/bin ; then
171+
echo "Error: Failed to create directory /opt/cni/bin" >&2
172+
exit 1
173+
fi
174+
135175
curl -L "https://github.com/containernetworking/plugins/releases/download/v${CNI_PLUGIN_VERSIONS}/cni-plugins-linux-amd64-v${CNI_PLUGIN_VERSIONS}.tgz" | tar -C /opt/cni/bin -xz
136176
chown -R root:root /opt/cni
137177

@@ -143,9 +183,10 @@ curl -L "https://github.com/kubernetes-sigs/cri-tools/releases/download/v${VERSI
143183

144184
# install kubeadm,kubelet,kubectl
145185
cd /usr/local/bin
146-
curl -L --remote-name-all https://dl.k8s.io/release/$1/bin/linux/amd64/{kubeadm,kubelet}
186+
curl -L --remote-name-all "https://dl.k8s.io/release/$1/bin/linux/amd64/{kubeadm,kubelet}"
147187
curl -LO "https://dl.k8s.io/release/v${VERSION}.0/bin/linux/amd64/kubectl"
148188
chmod +x {kubeadm,kubelet,kubectl}
189+
149190
# reload systemd to pick up containerd & kubelet settings
150191
systemctl daemon-reload
151192
systemctl enable --now containerd kubelet

0 commit comments

Comments
 (0)