From e19e83bebbeb0c159fc75388c49ecad8d7ffa8e8 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 18 Mar 2026 10:38:15 -0400
Subject: [PATCH] allow user defined ulimits
---
 salt/docker/defaults.yaml | 29 ++++++++++++-----
 salt/docker/files/daemon.json | 19 -----------
 salt/docker/files/daemon.json.jinja | 24 ++++++++++++++
 salt/docker/init.sls | 6 ++--
 salt/docker/soc_docker.yaml | 32 +++++++++++++++++--
 salt/elastalert/enabled.sls | 2 +-
 .../enabled.sls | 2 +-
 salt/elasticagent/enabled.sls | 2 +-
 salt/elasticfleet/enabled.sls | 2 +-
 salt/elasticsearch/enabled.sls | 2 +-
 salt/hydra/enabled.sls | 2 +-
 salt/idh/enabled.sls | 2 +-
 salt/influxdb/enabled.sls | 2 +-
 salt/kafka/enabled.sls | 2 +-
 salt/kibana/enabled.sls | 2 +-
 salt/kratos/enabled.sls | 2 +-
 salt/logstash/enabled.sls | 2 +-
 salt/nginx/enabled.sls | 2 +-
 salt/redis/enabled.sls | 2 +-
 salt/registry/enabled.sls | 2 +-
 salt/sensoroni/enabled.sls | 2 +-
 salt/soc/enabled.sls | 2 +-
 salt/strelka/backend/enabled.sls | 2 +-
 salt/strelka/coordinator/enabled.sls | 2 +-
 salt/strelka/filestream/enabled.sls | 2 +-
 salt/strelka/frontend/enabled.sls | 2 +-
 salt/strelka/gatekeeper/enabled.sls | 2 +-
 salt/strelka/manager/enabled.sls | 2 +-
 salt/suricata/enabled.sls | 2 +-
 salt/telegraf/enabled.sls | 2 +-
 salt/zeek/enabled.sls | 2 +-
 31 files changed, 103 insertions(+), 59 deletions(-)
 delete mode 100644 salt/docker/files/daemon.json
 create mode 100644 salt/docker/files/daemon.json.jinja
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index e1962ae91..a2539adcd 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -2,8 +2,9 @@ docker:
 range: '172.17.1.0/24'
 gateway: '172.17.1.1'
 ulimits:
- soft: 1048576
- hard: 1048576
+ - name: nofile
+ soft: 1048576
+ hard: 1048576
 containers:
 'so-dockerregistry':
 final_octet: 20
@@ -30,9 +31,15 @@ docker:
 extra_hosts: []
 extra_env: []
 ulimits:
- - memlock=-1:-1
- - nofile=65536:65536
- - nproc=4096
+ - name: memlock
+ soft: -1
+ hard: -1
+ - name: nofile
+ soft: 65536
+ hard: 65536
+ - name: nproc
+ soft: 4096
+ hard: 4096
 'so-influxdb':
 final_octet: 26
 port_bindings:
@@ -210,15 +217,21 @@ docker:
 extra_hosts: []
 extra_env: []
 ulimits:
- - memlock=524288000
+ - name: memlock
+ soft: 524288000
+ hard: 524288000
 'so-zeek':
 final_octet: 99
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
 ulimits:
- - core=0
- - nofile=1048576:1048576
+ - name: core
+ soft: 0
+ hard: 0
+ - name: nofile
+ soft: 1048576
+ hard: 1048576
 'so-kafka':
 final_octet: 88
 port_bindings:
diff --git a/salt/docker/files/daemon.json b/salt/docker/files/daemon.json
deleted file mode 100644
index bc6c85745..000000000
--- a/salt/docker/files/daemon.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "registry-mirrors": [
- "https://:5000"
- ],
- "bip": "172.17.0.1/24",
- "default-address-pools": [
- {
- "base": "172.17.0.0/24",
- "size": 24
- }
- ],
- "default-ulimits": {
- "nofile": {
- "Name": "nofile",
- "Soft": 1048576,
- "Hard": 1048576
- }
- }
-}
diff --git a/salt/docker/files/daemon.json.jinja b/salt/docker/files/daemon.json.jinja
new file mode 100644
index 000000000..ea4a5a4bb
--- /dev/null
+++ b/salt/docker/files/daemon.json.jinja
@@ -0,0 +1,24 @@
+{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
+{
+ "registry-mirrors": [
+ "https://:5000"
+ ],
+ "bip": "172.17.0.1/24",
+ "default-address-pools": [
+ {
+ "base": "172.17.0.0/24",
+ "size": 24
+ }
+ ]
+{%- if DOCKERMERGED.ulimits %},
+ "default-ulimits": {
+{%- for ULIMIT in DOCKERMERGED.ulimits %}
+ "{{ ULIMIT.name }}": {
+ "Name": "{{ ULIMIT.name }}",
+ "Soft": {{ ULIMIT.soft }},
+ "Hard": {{ ULIMIT.hard }}
+ }{{ "," if not loop.last else "" }}
+{%- endfor %}
+ }
+{%- endif %}
+}
diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index 450c88b9c..2a45794c7 100644
--- a/salt/docker/init.sls
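Review bot: `"Soft": {{ ULIMIT.soft }}` and `"Hard": {{ ULIMIT.hard }}` in daemon.json.jinja interpolate user-supplied values into /etc/docker/daemon.json with no validation, so an entry that lacks `soft` or `hard` (soc_docker.yaml in this same patch marks only `name` as required) or carries a non-numeric value renders invalid JSON, and dockerd refuses to start, taking every container on the node down with it. Either mark `soft` and `hard` required in soc_docker.yaml or guard each entry in the template, e.g. wrap the object in `{%- if ULIMIT.soft is defined and ULIMIT.hard is defined %}` … `{%- endif %}`, and consider a `check_cmd` on the `docker_daemon` file.managed state that parses the rendered JSON before it replaces the live file. A header comment would also help the next editor: `{# Rendered to /etc/docker/daemon.json; dockerd loads this at startup, so invalid JSON here is a full outage, not a degraded container #}`.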
+++ b/salt/docker/init.sls
@@ -41,11 +41,11 @@ dockeretc:
 file.directory:
 - name: /etc/docker
-# Manager daemon.json
+# Manager daemon.json.jinja
 docker_daemon:
 file.managed:
- - source: salt://docker/files/daemon.json
- - name: /etc/docker/daemon.json
+ - source: salt://docker/files/daemon.json.jinja
+ - name: /etc/docker/daemon.json.jinja
 - template: jinja
 # Make sure Docker is always running
diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
index e0d7553a4..a94c3c751 100644
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -7,6 +7,22 @@ docker:
 description: Default docker IP range for containers.
 helpLink: docker.html
 advanced: True
+ ulimits:
+ description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
+ forcedType: "[]{}"
+ syntax: json
+ advanced: True
+ helpLink: docker.html
+ uiElements:
+ - field: name
+ label: Resource Name
+ required: True
+ - field: soft
+ label: Soft Limit
+ forcedType: int
+ - field: hard
+ label: Hard Limit
+ forcedType: int
 containers:
 so-dockerregistry: &dockerOptions
 final_octet:
@@ -40,11 +56,21 @@ docker:
 multiline: True
 forcedType: "[]string"
 ulimits:
- description: Ulimits for the container.
+ description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
 advanced: True
 helpLink: docker.html
- multiline: True
- forcedType: "[]string"
+ forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: name
+ label: Resource Name
+ required: True
+ - field: soft
+ label: Soft Limit
+ forcedType: int
+ - field: hard
+ label: Hard Limit
+ forcedType: int
 so-elastic-fleet: *dockerOptions
 so-elasticsearch: *dockerOptions
 so-influxdb: *dockerOptions
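Review bot: `- name: /etc/docker/daemon.json.jinja` in the init.sls hunk writes the rendered config to a path dockerd never reads; the daemon loads /etc/docker/daemon.json, so the registry mirror, bip, address pools and the new default-ulimits silently stop being applied, and any daemon.json already on the host is left behind unmanaged and stale. Only the `source:` needed the `.jinja` suffix — keep the target as `- name: /etc/docker/daemon.json` and leave the comment as `# Manager daemon.json`. Whether the service state that follows ("Make sure Docker is always running") watches this file for a restart is outside the hunk; if it does, it is now watching the wrong path as well.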
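Review bot: The second soc_docker.yaml hunk's description says entries carry "optional soft and hard limits", but every consumer added by this patch — the `{{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` lines in the enabled.sls files and the `"Soft"`/`"Hard"` keys in daemon.json.jinja — interpolates both unconditionally, while `required: True` is set only on `name` in both hunks. Add `required: True` to the `soft` and `hard` uiElements in both the daemon-level and the container-level definitions, or reword the description and make the templates tolerate a missing value; as written the UI accepts an entry the templates cannot render. The daemon-level description could also state the blast radius, since a bad entry there stops dockerd rather than one container.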
diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls
index 9e15bb744..d72c3b9c5 100644
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -54,7 +54,7 @@ so-elastalert:
 {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - require:
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls
index 67b47fd1b..e2833f5be 100644
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -48,7 +48,7 @@ so-elastic-fleet-package-registry:
 {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls
index 02a329a23..c366ebbf7 100644
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -57,7 +57,7 @@ so-elastic-agent:
 {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - require:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index a23242d10..89ba1f80a 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
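Review bot: `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` produces a fragment such as `memlock=524288000:` when an entry has no `hard` value, which Docker's ulimit parser rejects, so the container state fails; the old string form allowed a soft-only `name=value`, and soc_docker.yaml in this patch still describes soft and hard as optional. Emitting the hard half only when present keeps that behaviour: `- {{ ULIMIT.name }}={{ ULIMIT.soft }}{% if ULIMIT.hard is defined %}:{{ ULIMIT.hard }}{% endif %}`. Whether a missing key renders as an empty string or raises an undefined-variable error depends on the renderer's Undefined setting, but either outcome breaks the state. The identical line is repeated in the 25 other enabled.sls hunks in this patch (elastic-fleet-package-registry through zeek); a shared macro in docker.map.jinja would fix them once and stop the next copy from drifting.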
@@ -136,7 +136,7 @@ so-elastic-fleet:
 {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls
index 3fe31a3c4..29ab80329 100644
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -53,7 +53,7 @@ so-elasticsearch:
 {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - port_bindings:
diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls
index c79703000..ee6a0c811 100644
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -55,7 +55,7 @@ so-hydra:
 {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - restart_policy: unless-stopped
diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls
index 440d9dc2e..9c0e22816 100644
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -42,7 +42,7 @@ so-idh:
 {% if DOCKERMERGED.containers['so-idh'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls
index 463064ac9..45038ece5 100644
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -61,7 +61,7 @@ so-influxdb:
 {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls
index f9a31510b..06fa701c6 100644
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -63,7 +63,7 @@ so-kafka:
 {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls
index 880f7e7b3..04f44e508 100644
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -54,7 +54,7 @@ so-kibana:
 {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls
index 836680401..35587a520 100644
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -48,7 +48,7 @@ so-kratos:
 {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - restart_policy: unless-stopped
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index f01578270..d89304144 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -99,7 +99,7 @@ so-logstash:
 {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls
index 8b8bba66f..2e4c9631c 100644
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -78,7 +78,7 @@ so-nginx:
 {% if DOCKERMERGED.containers[container_config].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - cap_add: NET_BIND_SERVICE
diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls
index 2db78bf24..4cea8d028 100644
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -54,7 +54,7 @@ so-redis:
 {% if DOCKERMERGED.containers['so-redis'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls
index 54ce80942..fc5021910 100644
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -54,7 +54,7 @@ so-dockerregistry:
 {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - retry:
diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls
index 20b049e06..7790574f6 100644
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -43,7 +43,7 @@ so-sensoroni:
 {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index 8d2f88028..1805bacaf 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -81,7 +81,7 @@ so-soc:
 {% if DOCKERMERGED.containers['so-soc'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls
index 59d7e8b02..ca3f0e6dc 100644
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -44,7 +44,7 @@ strelka_backend:
 {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - restart_policy: on-failure
diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls
index 7b1485714..6756a324c 100644
--- a/salt/strelka/coordinator/enabled.sls
+++ b/salt/strelka/coordinator/enabled.sls
@@ -47,7 +47,7 @@ strelka_coordinator:
 {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 delete_so-strelka-coordinator_so-status.disabled:
diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls
index 73986cd3e..b03faf4b1 100644
--- a/salt/strelka/filestream/enabled.sls
+++ b/salt/strelka/filestream/enabled.sls
@@ -44,7 +44,7 @@ strelka_filestream:
 {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls
index fae84a521..58e703898 100644
--- a/salt/strelka/frontend/enabled.sls
+++ b/salt/strelka/frontend/enabled.sls
@@ -49,7 +49,7 @@ strelka_frontend:
 {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls
index 783926cf9..45b6e467e 100644
--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -47,7 +47,7 @@ strelka_gatekeeper:
 {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls
index 029ac7085..7c73452d8 100644
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -43,7 +43,7 @@ strelka_manager:
 {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index b1ddc4f6e..84f172c0d 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -29,7 +29,7 @@ so-suricata:
 {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - binds:
diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls
index 851205115..fc9946149 100644
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -69,7 +69,7 @@ so-telegraf:
 {% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - watch:
diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index 8c8b755dd..ee78714c8 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -21,7 +21,7 @@ so-zeek:
 {% if DOCKERMERGED.containers['so-zeek'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
- - {{ ULIMIT }}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
 {% endfor %}
 {% endif %}
 - binds: