puppet: Increase maximum file descriptors.

The current threshold of 40k descriptors was set in 2016, chosen to be "at least 40x our current scale." At present, that only provides a 50% safety margin. Increase to 1 million to provide the same 40x buffer as previously. The highest value currently allowed by the kernels in production (linux 5.3.0) is 1048576. This is set as the hard limit. The 1 million limit is likely far above what the system can handle for other reasons (memory, cpu, etc). While this removes a potential safeguard on overload due to too many connections, due to the longpoll architecture we would generally prefer to service more connections at lower quality (due to CPU limitations) rather than randomly reject additional connections. Relevant prior commits: - 836f313e69 - f2f97dd335 - ec23996538 - 8806ec698a - e4fce10f46
2020-07-28 01:28:05 +00:00 · 2020-07-28 01:28:05 +00:00 · 1c76036c61
parent a20bb54cbb
commit 1c76036c61
3 changed files with 7 additions and 7 deletions
--- a/puppet/zulip/files/security/limits.conf
+++ b/puppet/zulip/files/security/limits.conf
@ -52,9 +52,9 @@
 #ftp             hard    nproc           0
 #ftp             -       chroot          /ftp
 #@student        -       maxlogins       4
-zulip		 soft	 nofile		 40000
-zulip		 hard	 nofile		 50000
-root		 soft	 nofile		 40000
-root		 hard	 nofile		 50000
+zulip		 soft	 nofile		1000000
+zulip		 hard	 nofile		1048576
+root		 soft	 nofile		1000000
+root		 hard	 nofile		1048576

 # End of file
--- a/puppet/zulip/templates/nginx.conf.template.erb
+++ b/puppet/zulip/templates/nginx.conf.template.erb
@ -4,9 +4,9 @@ worker_processes auto;
 pid /var/run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;

-worker_rlimit_nofile 40000;
+worker_rlimit_nofile 1000000;
 events {
-    worker_connections 40000;
+    worker_connections 1000000;

    use epoll;

--- a/puppet/zulip/templates/supervisor/supervisord.conf.erb
+++ b/puppet/zulip/templates/supervisor/supervisord.conf.erb
@ -9,7 +9,7 @@ chown=zulip:zulip
 logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
 pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
 childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
-minfds=40000 ; file descriptor limit for children
+minfds=1000000 ; file descriptor limit for children

 ; the below section must remain in the config file for RPC
 ; (supervisorctl/web interface) to work, additional interfaces may be