Changing CRI-O container settings

To ensure that some services can run correctly, you might need to change the pids_limit setting for the CRI-O container runtime on the OpenShift® Container Platform.
Installation phase
You are not here. Setting up a client workstation
You are not here. Collecting required information
You are here icon. Preparing your cluster
You are not here. Installing the Cloud Pak for Data platform and services
Who needs to complete this task?
A cluster administrator must complete this task.
When do you need to complete this task?
When you plan to install certain services, you must change node settings to configure your cluster so those services run properly.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

Whether you need to change pids_limit value and how you change it depend on your environment. If you plan to install one or more of the following services, you might need to adjust the pids_limit:
  • Cognos® Analytics
  • Db2®
  • Db2 Big SQL
  • Db2 Warehouse
  • Watson™ Discovery
  • Watson Knowledge Catalog
  • Watson Query
  • Watson Studio
  • Watson Machine Learning Accelerator

Procedure

Complete the appropriate task for your environment, as specified in the following table:

Deployment environment Managed Self-managed
On-premises If you install Cloud Pak for Data on IBM® Cloud Satellite, the CRI-O container settings are automatically applied to your cluster as part of the installation. You do not need to change the CRI-O settings.
OpenShift Version 4.8 and Version 4.10
See Setting the pids_limit by using the cpd-cli manage apply-crio command.
OpenShift Version 4.12
See Setting the process IDs limit by creating a KubeletConfig.
IBM Cloud If you install Cloud Pak for Data on IBM Cloud, the CRI-O container settings are automatically applied to your cluster as part of the installation. You do not need to change the CRI-O settings. If you install Cloud Pak for Data on IBM Cloud, the CRI-O container settings are automatically applied to your cluster as part of the installation. You do not need to change the CRI-O settings.
AWS
OpenShift Version 4.8 and Version 4.10
See Setting the pids_limit by using the cpd-cli manage apply-crio command.
OpenShift Version 4.12
See Setting the process IDs limit by creating a KubeletConfig.
Important: To change this setting on Red Hat® OpenShift Service on AWS (ROSA) you might need a Support Exception from Red Hat. For more information, see https://access.redhat.com/solutions/6986931 on the Red Hat Customer Portal.
OpenShift Version 4.8 and Version 4.10
See Setting the pids_limit by using the cpd-cli manage apply-crio command.
OpenShift Version 4.12
See Setting the process IDs limit by creating a KubeletConfig.
Microsoft Azure
OpenShift Version 4.8 and Version 4.10
See Setting the process IDs limit by creating a ContainerRuntimeConfig.
OpenShift Version 4.12
See Setting the process IDs limit by creating a KubeletConfig.
Important: To change this setting on Azure Red Hat OpenShift (ARO) you must have a Support Exception from Red Hat. For more information, see https://access.redhat.com/solutions/6986931 on the Red Hat Customer Portal.
OpenShift Version 4.8 and Version 4.10
See Setting the process IDs limit by creating a ContainerRuntimeConfig.
OpenShift Version 4.12
See Setting the process IDs limit by creating a KubeletConfig.
Google Cloud Not applicable
OpenShift Version 4.8 and Version 4.10
See Setting the pids_limit by using the cpd-cli manage apply-crio command.
OpenShift Version 4.12
See Setting the process IDs limit by creating a KubeletConfig.

Setting the pids_limit by using the cpd-cli manage apply-crio command

Run the cpd-cli manage apply-crio command to apply the Container Runtime Interface (CRI-O) settings to your cluster nodes.

Restriction: This command applies only to Red Hat OpenShift Container Platform Version 4.8 and 4.10. If you are running Version 4.12, see Setting the process IDs limit by creating a KubeletConfig.
Important: This command performs a rolling restart of the worker nodes on the cluster.

When you run cpd-cli manage apply-crio command, the pids_limit is set to 16384.

To set the CRI-O pids_limit to 16384 by using the cpd-cli manage apply-crio command, complete the following steps:

  1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
    cpd-cli manage login-to-ocp \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
  2. Run the following command to apply the CRI-O settings:
    cpd-cli manage apply-crio \
      --openshift_type=${OPENSHIFT_TYPE}


Setting the process IDs limit by creating a KubeletConfig

In Red Hat OpenShift Container Platform Version 4.12, the process IDs limit is set in a kubeletConfig.

  1. Log in to Red Hat OpenShift Container Platform as a user with sufficient permissions to complete the task:
    oc login ${OCP_URL}
  2. Run the following command to create the KubeletConfig that defines the podPidsLimit:
    oc apply -f - << EOF
    apiVersion: machineconfiguration.openshift.io/v1
    kind: KubeletConfig
    metadata:
      name: cpd-pidslimit-kubeletconfig 
    spec:
      kubeletConfig: 
        podPidsLimit: 16384
      machineConfigPoolSelector:
        matchExpressions:
        - key: pools.operator.machineconfiguration.openshift.io/worker
          operator: Exists 
    EOF


Setting the process IDs limit by creating a ContainerRuntimeConfig

To set the pids_limit value to 16384 in Microsoft Azure managed and self-managed environments on OpenShift Version 4.8 and Version 4.10, complete the following steps:

  1. Create a ContainerRuntimeConfig file with the following contents:
    apiVersion: machineconfiguration.openshift.io/v1
    kind: ContainerRuntimeConfig
    metadata:
      name: new-large-pidlimit
    spec:
      containerRuntimeConfig:
        pidsLimit: 16384
      machineConfigPoolSelector:
        matchExpressions:
        - key: pools.operator.machineconfiguration.openshift.io/worker
          operator: Exists
    EOF
    
  2. Run the following command to apply the config file:
    oc create -f <ContainerRuntimeConfig file name>
  3. Run one of the following commands to verify the settings:
    • oc debug <workernode>
      chroot /host
      crio-status config | grep pids_limit
      
    • oc get no -o name | grep compute | awk '{system("oc debug " $1 " -- bash -lc \"chroot /host sudo crio-status config | grep pids_limit\" ")}'