From 350588f080c50d5fcf3a5d5a84e80ec7d34d0e47 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 17 Mar 2026 16:51:04 -0400
Subject: [PATCH] Change ulimits to structured dict format and add daemon.json ulimit support

Convert ulimits from flat strings to structured dicts with name, soft, and hard fields for better UI experience. Add default_ulimits as a configurable setting that dynamically renders into daemon.json, giving two layers of control: global defaults via the daemon and per-container overrides.
---
 salt/common/files/daemon.json | 17 ++++++----
 salt/docker/defaults.yaml | 28 ++++++++++++----
 salt/docker/soc_docker.yaml | 32 +++++++++++++++++--
 salt/elastalert/enabled.sls | 2 +-
 .../enabled.sls | 2 +-
 salt/elasticagent/enabled.sls | 2 +-
 salt/elasticfleet/enabled.sls | 2 +-
 salt/elasticsearch/enabled.sls | 2 +-
 salt/hydra/enabled.sls | 2 +-
 salt/idh/enabled.sls | 2 +-
 salt/influxdb/enabled.sls | 2 +-
 salt/kafka/enabled.sls | 2 +-
 salt/kibana/enabled.sls | 2 +-
 salt/kratos/enabled.sls | 2 +-
 salt/logstash/enabled.sls | 2 +-
 salt/nginx/enabled.sls | 2 +-
 salt/redis/enabled.sls | 2 +-
 salt/registry/enabled.sls | 2 +-
 salt/sensoroni/enabled.sls | 2 +-
 salt/soc/enabled.sls | 2 +-
 salt/strelka/backend/enabled.sls | 2 +-
 salt/strelka/coordinator/enabled.sls | 2 +-
 salt/strelka/filestream/enabled.sls | 2 +-
 salt/strelka/frontend/enabled.sls | 2 +-
 salt/strelka/gatekeeper/enabled.sls | 2 +-
 salt/strelka/manager/enabled.sls | 2 +-
 salt/suricata/enabled.sls | 2 +-
 salt/telegraf/enabled.sls | 2 +-
 salt/zeek/enabled.sls | 2 +-
 29 files changed, 88 insertions(+), 41 deletions(-)

diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json
index bc6c85745..6acc28fac 100644
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,3 +1,4 @@
+{% from 'docker/docker.map.jinja' import DOCKER -%}
 {
 "registry-mirrors": [
 "https://:5000"
@@ -8,12 +9,16 @@
 "base": "172.17.0.0/24",
 "size": 24
 }
- ],
+ ]
+{%- if DOCKER.default_ulimits %},
 "default-ulimits": {
- "nofile": {
- "Name": "nofile",
- "Soft": 1048576,
- "Hard": 1048576
- }
+{%- for ULIMIT in DOCKER.default_ulimits %}
+ "{{ ULIMIT.name }}": {
+ "Name": "{{ ULIMIT.name }}",
+ "Soft": {{ ULIMIT.soft }},
+ "Hard": {{ ULIMIT.hard }}
+ }{{ "," if not loop.last else "" }}
+{%- endfor %}
 }
+{%- endif %}
 }
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 064e13f9f..c724d6543 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,6 +1,10 @@
 docker:
 range: '172.17.1.0/24'
 gateway: '172.17.1.1'
+ default_ulimits:
+ - name: nofile
+ soft: 1048576
+ hard: 1048576
 containers:
 'so-dockerregistry':
 final_octet: 20
@@ -27,9 +31,15 @@ docker:
 extra_hosts: []
 extra_env: []
 ulimits:
- - memlock=-1:-1
- - nofile=65536:65536
- - nproc=4096
+ - name: memlock
+ soft: -1
+ hard: -1
+ - name: nofile
+ soft: 65536
+ hard: 65536
+ - name: nproc
+ soft: 4096
+ hard: 4096
 'so-influxdb':
 final_octet: 26
 port_bindings:
@@ -207,15 +217,21 @@ docker:
 extra_hosts: []
 extra_env: []
 ulimits:
- - memlock=524288000
+ - name: memlock
+ soft: 524288000
+ hard: 524288000
 'so-zeek':
 final_octet: 99
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
 ulimits:
- - core=0
- - nofile=1048576:1048576
+ - name: core
+ soft: 0
+ hard: 0
+ - name: nofile
+ soft: 1048576
+ hard: 1048576
 'so-kafka':
 final_octet: 88
 port_bindings:
diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
index e0d7553a4..466a60d12 100644
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
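Review bot: `ULIMIT.name`, `ULIMIT.soft` and `ULIMIT.hard` are interpolated into daemon.json with no escaping or validation, so a single bad `default_ulimits` entry — a name containing a double quote, or a missing or non-numeric soft/hard value that renders as `"Soft": ,` — produces invalid JSON and dockerd refuses to start, taking down every container on the host rather than just the one setting. The schema in soc_docker.yaml only requires `name`, so such an entry is reachable from the UI. Emit the name with `"Name": {{ ULIMIT.name | tojson }}` (and the same for the object key on the line above it), and rather than coercing the limits with `| int`, which silently turns bad input into 0, fail the render when `soft` or `hard` is undefined or not an integer so the error surfaces in the Salt run instead of in the Docker daemon.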
@@ -7,6 +7,22 @@ docker:
 description: Default docker IP range for containers.
 helpLink: docker.html
 advanced: True
+ default_ulimits:
+ description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
+ advanced: True
+ helpLink: docker.html
+ forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: name
+ label: Resource Name
+ required: True
+ - field: soft
+ label: Soft Limit
+ forcedType: int
+ - field: hard
+ label: Hard Limit
+ forcedType: int
 containers:
 so-dockerregistry: &dockerOptions
 final_octet:
@@ -40,11 +56,21 @@ docker:
 multiline: True
 forcedType: "[]string"
 ulimits:
- description: Ulimits for the container.
+ description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
 advanced: True
 helpLink: docker.html
- multiline: True
- forcedType: "[]string"
+ forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: name
+ label: Resource Name
+ required: True
+ - field: soft
+ label: Soft Limit
+ forcedType: int
+ - field: hard
+ label: Hard Limit
+ forcedType: int
 so-elastic-fleet: *dockerOptions
 so-elasticsearch: *dockerOptions
 so-influxdb: *dockerOptions
diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls
index a60c6708f..1ed84653f 100644
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -54,7 +54,7 @@ so-elastalert:
 {% if DOCKER.containers['so-elastalert'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - require:
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls
index 60aae7c93..d0309c73a 100644
--- a/salt/elastic-fleet-package-registry/enabled.sls
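Review bot: In both new `uiElements` lists only `name` carries `required: True`; `soft` and `hard` stay optional, and the container `ulimits` description in the second hunk even says "optional soft and hard limits", yet every consumer in this patch (the daemon.json template and the `enabled.sls` ulimits loops) renders both fields unconditionally, so an entry saved without a hard limit becomes `nofile=65536:` for a container and a dangling `"Hard": ` in daemon.json. Either add `required: True` to the `soft` and `hard` fields in both lists and reword the description to "with soft and hard limits", or keep them optional and make the templates omit the missing part. The old `[]string` form accepted a soft-only value such as `memlock=524288000` because Docker applies the soft value as the hard limit when none is given, so a migrated setting carrying only a soft value would hit this unless the UI migration fills in `hard`.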
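Review bot: The ulimits loop body, now `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}`, is copied verbatim into all 25 `enabled.sls` files in this patch (elastic-fleet-package-registry through zeek, with nginx indexing by `container_config`), so the next change to the rendered format has to be repeated 25 times and is easy to miss in one. A macro in `docker/docker.map.jinja`, the map daemon.json now imports `DOCKER` from, that takes the container name and emits the whole `- ulimits:` block would reduce each state to a single call such as `{{ container_ulimits('so-elastalert') }}` and keep the format string in one place. The `so-elastalert:` state this hunk belongs to begins above the hunk.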
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -48,7 +48,7 @@ so-elastic-fleet-package-registry:
 {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls
index 0bd65905e..dcb7ee6af 100644
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -57,7 +57,7 @@ so-elastic-agent:
 {% if DOCKER.containers['so-elastic-agent'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - require:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index f151d29ce..af7c4c705 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -136,7 +136,7 @@ so-elastic-fleet:
 {% if DOCKER.containers['so-elastic-fleet'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls
index 791639546..24db91042 100644
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -53,7 +53,7 @@ so-elasticsearch:
 {% if DOCKER.containers['so-elasticsearch'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - port_bindings:
diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls
index 3bb3f03b1..0c80ce507 100644
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -55,7 +55,7 @@ so-hydra:
 {% if DOCKER.containers['so-hydra'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - restart_policy: unless-stopped
diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls
index ed4bf835f..2926d5b89 100644
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -42,7 +42,7 @@ so-idh:
 {% if DOCKER.containers['so-idh'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-idh'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls
index 18c52dff3..190a577fa 100644
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -61,7 +61,7 @@ so-influxdb:
 {% if DOCKER.containers['so-influxdb'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls
index 4c431c2ca..8ce4908b9 100644
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -63,7 +63,7 @@ so-kafka:
 {% if DOCKER.containers['so-kafka'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls
index 3b0e770bd..5ecee91cc 100644
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -54,7 +54,7 @@ so-kibana:
 {% if DOCKER.containers['so-kibana'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls
index 1df8f1f0d..a9db742de 100644
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -48,7 +48,7 @@ so-kratos:
 {% if DOCKER.containers['so-kratos'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - restart_policy: unless-stopped
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index 58d4733e3..137762ff9 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -99,7 +99,7 @@ so-logstash:
 {% if DOCKER.containers['so-logstash'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls
index 5cfc9634e..578ad6315 100644
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -78,7 +78,7 @@ so-nginx:
 {% if DOCKER.containers[container_config].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers[container_config].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - cap_add: NET_BIND_SERVICE
diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls
index a22e0dea0..29ad4f884 100644
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -54,7 +54,7 @@ so-redis:
 {% if DOCKER.containers['so-redis'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-redis'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls
index 71d04897b..de747d961 100644
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -54,7 +54,7 @@ so-dockerregistry:
 {% if DOCKER.containers['so-dockerregistry'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - retry:
diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls
index d9b79b8fe..e13a88342 100644
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -43,7 +43,7 @@ so-sensoroni:
 {% if DOCKER.containers['so-sensoroni'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index 2204c1ae4..d6e44d7ab 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -81,7 +81,7 @@ so-soc:
 {% if DOCKER.containers['so-soc'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-soc'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls
index 954945728..681819401 100644
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -44,7 +44,7 @@ strelka_backend:
 {% if DOCKER.containers['so-strelka-backend'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - restart_policy: on-failure
diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls
index bb4fcaabd..5178ea2e2 100644
--- a/salt/strelka/coordinator/enabled.sls
+++ b/salt/strelka/coordinator/enabled.sls
@@ -47,7 +47,7 @@ strelka_coordinator:
 {% if DOCKER.containers['so-strelka-coordinator'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 delete_so-strelka-coordinator_so-status.disabled:
diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls
index 6cbed9a6a..af538290e 100644
--- a/salt/strelka/filestream/enabled.sls
+++ b/salt/strelka/filestream/enabled.sls
@@ -44,7 +44,7 @@ strelka_filestream:
 {% if DOCKER.containers['so-strelka-filestream'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls
index f595015f2..5ded5c302 100644
--- a/salt/strelka/frontend/enabled.sls
+++ b/salt/strelka/frontend/enabled.sls
@@ -49,7 +49,7 @@ strelka_frontend:
 {% if DOCKER.containers['so-strelka-frontend'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls
index d8301f63d..83b476677 100644
--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -47,7 +47,7 @@ strelka_gatekeeper:
 {% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls
index 0f28f8ae9..12d2b113a 100644
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -43,7 +43,7 @@ strelka_manager:
 {% if DOCKER.containers['so-strelka-manager'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index ec521abb3..71eaaccf5 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -29,7 +29,7 @@ so-suricata:
 {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - binds:
diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls
index bdca9b8d5..ab9b5bc1d 100644
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -69,7 +69,7 @@ so-telegraf:
 {% if DOCKER.containers['so-telegraf'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index 0c7b98fb9..d0a423c2f 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -21,7 +21,7 @@ so-zeek:
 {% if DOCKER.containers['so-zeek'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - binds: