From c0b41292091f8d6b9e302d8f83995cc485d904da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=83=D1=80?= <149331898+sou1jacker@users.noreply.github.com> Date: Sat, 14 Feb 2026 01:44:10 +0300 Subject: [PATCH 1/2] docs: add file descriptor limits for systemd and Docker (fixes #56) --- README.md | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6bf9591..3696736 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ development on it started on February 6th, and by February 10th, "big activity" If you have expertise in asynchronous network applications – we are open to ideas and pull requests! # Features -πŸ’₯ The configuration structure has changed since version 1.1.0.0, change it in your environment! +πŸ’₯ The configuration structure has changed since version 1.1.0.0. change it in your environment! βš“ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**: we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler) @@ -44,6 +44,7 @@ If you have expertise in asynchronous network applications – we are open to id - [Telegram Calls](#telegram-calls-via-mtproxy) - [DPI](#how-does-dpi-see-mtproxy-tls) - [Whitelist on Network Level](#whitelist-on-ip) + - [Too many open files](#too-many-open-files) - [Build](#build) - [Docker](#docker) - [Why Rust?](#why-rust) @@ -129,6 +130,7 @@ Type=simple WorkingDirectory=/bin ExecStart=/bin/telemt /etc/telemt.toml Restart=on-failure +LimitNOFILE=65536 [Install] WantedBy=multi-user.target 
@@ -378,6 +380,23 @@ Keep-Alive: timeout=60 - in China behind the Great Firewall - in Russia on mobile networks, less in wired networks - in Iran during "activity" +### Too many open files +- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files` +- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above) +- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`: +```yaml +ulimits: + nofile: + soft: 65536 + hard: 65536 +``` +- **System-wide** (optional): add to `/etc/security/limits.conf`: +``` +* soft nofile 1048576 +* hard nofile 1048576 +root soft nofile 1048576 +root hard nofile 1048576 +``` ## Build @@ -427,12 +446,13 @@ docker run --name telemt --restart unless-stopped \ -v "$PWD/config.toml:/app/config.toml:ro" \ --read-only \ --cap-drop ALL --cap-add NET_BIND_SERVICE \ + --ulimit nofile=65536:65536 \ telemt:local ``` ## Why Rust? - Long-running reliability and idempotent behavior -- Rust’s deterministic resource management - RAII +- Rust's deterministic resource management - RAII - No garbage collector - Memory safety and reduced attack surface - Tokio's asynchronous architecture @@ -456,4 +476,4 @@ docker run --name telemt --restart unless-stopped \ - Multi-upstream Balancer and Failover - Strict FSM per handshake - Session-based Antireplay with Sliding window, non-broking reconnects -- Web Control: statistic, state of health, latency, client experience... +- Web Control: statistic, state of health, latency, client experience... \ No newline at end of file From ad553f8fbb2774991ca517732a1a12875bd4dc84 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=83=D1=80?= <149331898+sou1jacker@users.noreply.github.com>
Date: Sat, 14 Feb 2026 01:55:33 +0300
Subject: [PATCH 2/2] docs: add ulimits to docker-compose.yml (fixes #56)
---
 docker-compose.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 229d80a..5a23f14 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,4 +17,8 @@ services:
 - NET_BIND_SERVICE # allow binding to port 443
 read_only: true
 security_opt:
- - no-new-privileges:true
\ No newline at end of file
+ - no-new-privileges:true
+ ulimits:
+ nofile:
+ soft: 65536
+ hard: 65536
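Review bot: The added `ulimits` block at the end of the service carries no comment, unlike the neighbouring `NET_BIND_SERVICE` entry, so a reader cannot tell whether 65536 is a deliberate ceiling or an arbitrary number. I would add `# raise the fd limit so accept() does not fail with "Too many open files" under load` above `nofile:`. Because `soft` and `hard` are equal, this value is also the most descriptors the container can ever hold, so it presumably caps concurrent connections during a connection flood; say so in the comment if that is intended. The service definition starts outside the hunk, so I cannot see whether other resource limits (memory, pids) are set alongside it.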