diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json
index bc6c85745..6acc28fac 100644
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,3 +1,4 @@ +{% from 'docker/docker.map.jinja' import DOCKER -%} { "registry-mirrors": [ "https://:5000"
@@ -8,12 +9,16 @@ "base": "172.17.0.0/24", "size": 24 } - ], + ] +{%- if DOCKER.default_ulimits %}, "default-ulimits": { - "nofile": { - "Name": "nofile", - "Soft": 1048576, - "Hard": 1048576 - } +{%- for ULIMIT in DOCKER.default_ulimits %} + "{{ ULIMIT.name }}": { + "Name": "{{ ULIMIT.name }}", + "Soft": {{ ULIMIT.soft }}, + "Hard": {{ ULIMIT.hard }} + }{{ "," if not loop.last else "" }} +{%- endfor %} } +{%- endif %} }
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 064e13f9f..c724d6543 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,6 +1,10 @@ docker: range: '172.17.1.0/24' gateway: '172.17.1.1' + default_ulimits: + - name: nofile + soft: 1048576 + hard: 1048576 containers: 'so-dockerregistry': final_octet: 20
@@ -27,9 +31,15 @@ docker: extra_hosts: [] extra_env: [] ulimits: - - memlock=-1:-1 - - nofile=65536:65536 - - nproc=4096 + - name: memlock + soft: -1 + hard: -1 + - name: nofile + soft: 65536 + hard: 65536 + - name: nproc + soft: 4096 + hard: 4096 'so-influxdb': final_octet: 26 port_bindings:
@@ -207,15 +217,21 @@ docker: extra_hosts: [] extra_env: [] ulimits: - - memlock=524288000 + - name: memlock + soft: 524288000 + hard: 524288000 'so-zeek': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] ulimits: - - core=0 - - nofile=1048576:1048576 + - name: core + soft: 0 + hard: 0 + - name: nofile + soft: 1048576 + hard: 1048576 'so-kafka': final_octet: 88 port_bindings:
diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
index e0d7553a4..466a60d12 100644
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
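Review bot: In the second daemon.json hunk, `"{{ ULIMIT.name }}"`, `{{ ULIMIT.soft }}` and `{{ ULIMIT.hard }}` are interpolated into the file unescaped and unvalidated, so a single malformed `default_ulimits` entry (a missing or non-integer limit, a name containing a quote, or a resource name Docker does not recognise) produces a daemon.json that dockerd will refuse to load — and because this file is daemon-wide, that stops every container on the node rather than one service. The schema added to soc_docker.yaml in this same change marks only `name` as required, so the UI does not prevent it. Rendering the values through the JSON encoder keeps the file well-formed whatever the input: `{{ ULIMIT.name | tojson }}: {` (and `"Name": {{ ULIMIT.name | tojson }},`), `"Soft": {{ ULIMIT.soft | tojson }},`, `"Hard": {{ ULIMIT.hard | tojson }}`; whether a missing key then fails the render or emits an empty value depends on the renderer's undefined setting, which is not visible here, so I would also mark `soft` and `hard` required in the schema. A one-line comment above the block noting that a bad entry here takes down dockerd, not just one container, would help the next person editing it.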
@@ -7,6 +7,22 @@ docker: description: Default docker IP range for containers. helpLink: docker.html advanced: True + default_ulimits: + description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. + advanced: True + helpLink: docker.html + forcedType: "[]{}" + syntax: json + uiElements: + - field: name + label: Resource Name + required: True + - field: soft + label: Soft Limit + forcedType: int + - field: hard + label: Hard Limit + forcedType: int containers: so-dockerregistry: &dockerOptions final_octet:
@@ -40,11 +56,21 @@ docker: multiline: True forcedType: "[]string" ulimits: - description: Ulimits for the container. + description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. advanced: True helpLink: docker.html - multiline: True - forcedType: "[]string" + forcedType: "[]{}" + syntax: json + uiElements: + - field: name + label: Resource Name + required: True + - field: soft + label: Soft Limit + forcedType: int + - field: hard + label: Hard Limit + forcedType: int so-elastic-fleet: *dockerOptions so-elasticsearch: *dockerOptions so-influxdb: *dockerOptions
diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls
index a60c6708f..1ed84653f 100644
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -54,7 +54,7 @@ so-elastalert: {% if DOCKER.containers['so-elastalert'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - require:
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls
index 60aae7c93..d0309c73a 100644
--- a/salt/elastic-fleet-package-registry/enabled.sls
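Review bot: The new per-container `ulimits` description says soft and hard are optional, but every `enabled.sls` touched by this change renders `{{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` unconditionally and the `uiElements` here mark neither `soft` nor `hard` as `required: True`, so an entry saved without `hard` becomes `memlock=524288000:` (or a render failure, depending on Salt's undefined handling) and the container will not start. Either add `required: True` to the `soft` and `hard` elements — in this block and in the `default_ulimits` block above, whose output lands in the daemon-wide daemon.json — or reword the description so it no longer promises optional limits. The `name` field also carries no value constraint even though Docker accepts only a small fixed set of resource names; if the UI schema supports an allowed-values list, pinning it to the names Docker accepts (`core`, `memlock`, `nofile`, `nproc`, …) would turn a typo into a validation error instead of a failed container start.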
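Review bot: The added `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` line is duplicated verbatim across some twenty-five `enabled.sls` files in this change, so the ulimit string format, and any later fix to it, has to be maintained in every one of them. The daemon.json hunk already imports `DOCKER` from `docker/docker.map.jinja`, so a macro defined alongside that map would centralise the format — `{% macro ulimit_arg(u) %}{{ u.name }}={{ u.soft }}{% if u.hard is defined %}:{{ u.hard }}{% endif %}{% endmacro %}` — and each state would reduce to `- {{ ulimit_arg(ULIMIT) }}`. That also handles an entry without `hard` the way Docker does (`name=soft` sets hard equal to soft), which the unconditional `:{{ ULIMIT.hard }}` here does not; the same applies to every other `enabled.sls` hunk in this diff. This hunk shows only the `ulimits` fragment of the `so-elastalert` state; the rest of the state lies outside it.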
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -48,7 +48,7 @@ so-elastic-fleet-package-registry: {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} delete_so-elastic-fleet-package-registry_so-status.disabled:
diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls
index 0bd65905e..dcb7ee6af 100644
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -57,7 +57,7 @@ so-elastic-agent: {% if DOCKER.containers['so-elastic-agent'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - require:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index f151d29ce..af7c4c705 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -136,7 +136,7 @@ so-elastic-fleet: {% if DOCKER.containers['so-elastic-fleet'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls
index 791639546..24db91042 100644
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -53,7 +53,7 @@ so-elasticsearch: {% if DOCKER.containers['so-elasticsearch'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - port_bindings:
diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls
index 3bb3f03b1..0c80ce507 100644
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -55,7 +55,7 @@ so-hydra: {% if DOCKER.containers['so-hydra'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - restart_policy: unless-stopped
diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls
index ed4bf835f..2926d5b89 100644
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -42,7 +42,7 @@ so-idh: {% if DOCKER.containers['so-idh'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-idh'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls
index 18c52dff3..190a577fa 100644
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -61,7 +61,7 @@ so-influxdb: {% if DOCKER.containers['so-influxdb'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls
index 4c431c2ca..8ce4908b9 100644
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -63,7 +63,7 @@ so-kafka: {% if DOCKER.containers['so-kafka'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls
index 3b0e770bd..5ecee91cc 100644
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -54,7 +54,7 @@ so-kibana: {% if DOCKER.containers['so-kibana'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls
index 1df8f1f0d..a9db742de 100644
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -48,7 +48,7 @@ so-kratos: {% if DOCKER.containers['so-kratos'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - restart_policy: unless-stopped
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index 58d4733e3..137762ff9 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -99,7 +99,7 @@ so-logstash: {% if DOCKER.containers['so-logstash'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls
index 5cfc9634e..578ad6315 100644
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -78,7 +78,7 @@ so-nginx: {% if DOCKER.containers[container_config].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers[container_config].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - cap_add: NET_BIND_SERVICE
diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls
index a22e0dea0..29ad4f884 100644
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -54,7 +54,7 @@ so-redis: {% if DOCKER.containers['so-redis'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-redis'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls
index 71d04897b..de747d961 100644
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -54,7 +54,7 @@ so-dockerregistry: {% if DOCKER.containers['so-dockerregistry'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - retry:
diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls
index d9b79b8fe..e13a88342 100644
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -43,7 +43,7 @@ so-sensoroni: {% if DOCKER.containers['so-sensoroni'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index 2204c1ae4..d6e44d7ab 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -81,7 +81,7 @@ so-soc: {% if DOCKER.containers['so-soc'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-soc'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls
index 954945728..681819401 100644
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -44,7 +44,7 @@ strelka_backend: {% if DOCKER.containers['so-strelka-backend'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - restart_policy: on-failure
diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls
index bb4fcaabd..5178ea2e2 100644
--- a/salt/strelka/coordinator/enabled.sls
+++ b/salt/strelka/coordinator/enabled.sls
@@ -47,7 +47,7 @@ strelka_coordinator: {% if DOCKER.containers['so-strelka-coordinator'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} delete_so-strelka-coordinator_so-status.disabled:
diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls
index 6cbed9a6a..af538290e 100644
--- a/salt/strelka/filestream/enabled.sls
+++ b/salt/strelka/filestream/enabled.sls
@@ -44,7 +44,7 @@ strelka_filestream: {% if DOCKER.containers['so-strelka-filestream'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls
index f595015f2..5ded5c302 100644
--- a/salt/strelka/frontend/enabled.sls
+++ b/salt/strelka/frontend/enabled.sls
@@ -49,7 +49,7 @@ strelka_frontend: {% if DOCKER.containers['so-strelka-frontend'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls
index d8301f63d..83b476677 100644
--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -47,7 +47,7 @@ strelka_gatekeeper: {% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %}
diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls
index 0f28f8ae9..12d2b113a 100644
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -43,7 +43,7 @@ strelka_manager: {% if DOCKER.containers['so-strelka-manager'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index ec521abb3..71eaaccf5 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -29,7 +29,7 @@ so-suricata: {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - binds:
diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls
index bdca9b8d5..ab9b5bc1d 100644
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -69,7 +69,7 @@ so-telegraf: {% if DOCKER.containers['so-telegraf'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch:
diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index 0c7b98fb9..d0a423c2f 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -21,7 +21,7 @@ so-zeek: {% if DOCKER.containers['so-zeek'].ulimits %} - ulimits: {% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - binds: