Set containerd LimitNOFILE at runtime to ensure ulimit consistency

divysinghvi · divysinghvi · commit 53645b294631 · 2025-11-26T11:33:48.000+05:30
diff --git a/pkg/minikube/cruntime/containerd.go b/pkg/minikube/cruntime/containerd.go
@@ -224,6 +224,51 @@ func generateContainerdConfig(cr CommandRunner, imageRepository string, kv semve
 	return nil
 }
 
+// setContainerdUlimit sets LimitNOFILE in containerd systemd service to match docker's default ulimit
+func setContainerdUlimit(cr CommandRunner) error {
+	// Check common locations for containerd.service file
+	servicePaths := []string{
+		"/lib/systemd/system/containerd.service",
+		"/usr/lib/systemd/system/containerd.service",
+		"/etc/systemd/system/containerd.service",
+	}
+
+	var serviceFile string
+	for _, path := range servicePaths {
+		if _, err := cr.RunCmd(exec.Command("sudo", "test", "-f", path)); err == nil {
+			serviceFile = path
+			break
+		}
+	}
+
+	if serviceFile == "" {
+		return errors.New("containerd.service file not found")
+	}
+
+	// Check if LimitNOFILE is already set
+	checkCmd := exec.Command("sh", "-c", fmt.Sprintf(`sudo grep -q "^LimitNOFILE=" %s`, serviceFile))
+	if _, err := cr.RunCmd(checkCmd); err == nil {
+		// LimitNOFILE already exists, update it
+		updateCmd := exec.Command("sh", "-c", fmt.Sprintf(`sudo sed -i 's/^LimitNOFILE=.*/LimitNOFILE=1048576/' %s`, serviceFile))
+		if _, err := cr.RunCmd(updateCmd); err != nil {
+			return errors.Wrap(err, "updating LimitNOFILE in containerd.service")
+		}
+	} else {
+		// LimitNOFILE doesn't exist, add it after [Service]
+		addCmd := exec.Command("sh", "-c", fmt.Sprintf(`sudo sed -i '/^\[Service\]/a LimitNOFILE=1048576' %s`, serviceFile))
+		if _, err := cr.RunCmd(addCmd); err != nil {
+			return errors.Wrap(err, "adding LimitNOFILE to containerd.service")
+		}
+	}
+
+	// Reload systemd to pick up the changes
+	if _, err := cr.RunCmd(exec.Command("sudo", "systemctl", "daemon-reload")); err != nil {
+		return errors.Wrap(err, "reloading systemd after containerd.service modification")
+	}
+
+	return nil
+}
+
 // Enable idempotently enables containerd on a host
 // It is also called by docker.Enable() - if bound to containerd, to enforce proper containerd configuration completed by service restart.
 func (r *Containerd) Enable(disOthers bool, cgroupDriver string, inUserNamespace bool) error {
@@ -249,6 +294,13 @@ func (r *Containerd) Enable(disOthers bool, cgroupDriver string, inUserNamespace
 	if err := generateContainerdConfig(r.Runner, r.ImageRepository, r.KubernetesVersion, cgroupDriver, r.InsecureRegistry, inUserNamespace); err != nil {
 		return err
 	}
+
+	// Set LimitNOFILE for containerd to match docker's default ulimit (1048576)
+	// This ensures consistent file descriptor limits across container runtimes
+	if err := setContainerdUlimit(r.Runner); err != nil {
+		klog.Warningf("failed to set containerd ulimit: %v", err)
+	}
+
 	if err := enableIPForwarding(r.Runner); err != nil {
 		return err
 	}
