File descriptor limits for systemd: merge pull request #57 from sou1jacker/main
"Too many open files" - add file descriptor limits for systemd & Docker (fixes telemt#56)
This commit is contained in:
Alexey
26
README.md
26
README.md
@@ -22,7 +22,7 @@ development on it started on February 6th, and by February 10th, "big activity"
|
|||||||
If you have expertise in asynchronous network applications – we are open to ideas and pull requests!
|
If you have expertise in asynchronous network applications – we are open to ideas and pull requests!
|
||||||
|
|
||||||
# Features
|
# Features
|
||||||
💥 The configuration structure has changed since version 1.1.0.0, change it in your environment!
|
💥 The configuration structure has changed since version 1.1.0.0. change it in your environment!
|
||||||
|
|
||||||
⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**: we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
|
⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**: we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
|
||||||
|
|
||||||
@@ -44,6 +44,7 @@ If you have expertise in asynchronous network applications – we are open to id
|
|||||||
- [Telegram Calls](#telegram-calls-via-mtproxy)
|
- [Telegram Calls](#telegram-calls-via-mtproxy)
|
||||||
- [DPI](#how-does-dpi-see-mtproxy-tls)
|
- [DPI](#how-does-dpi-see-mtproxy-tls)
|
||||||
- [Whitelist on Network Level](#whitelist-on-ip)
|
- [Whitelist on Network Level](#whitelist-on-ip)
|
||||||
|
- [Too many open files](#too-many-open-files)
|
||||||
- [Build](#build)
|
- [Build](#build)
|
||||||
- [Docker](#docker)
|
- [Docker](#docker)
|
||||||
- [Why Rust?](#why-rust)
|
- [Why Rust?](#why-rust)
|
||||||
@@ -129,6 +130,7 @@ Type=simple
|
|||||||
WorkingDirectory=/bin
|
WorkingDirectory=/bin
|
||||||
ExecStart=/bin/telemt /etc/telemt.toml
|
ExecStart=/bin/telemt /etc/telemt.toml
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
LimitNOFILE=65536
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
@@ -378,6 +380,23 @@ Keep-Alive: timeout=60
|
|||||||
- in China behind the Great Firewall
|
- in China behind the Great Firewall
|
||||||
- in Russia on mobile networks, less in wired networks
|
- in Russia on mobile networks, less in wired networks
|
||||||
- in Iran during "activity"
|
- in Iran during "activity"
|
||||||
|
### Too many open files
|
||||||
|
- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
|
||||||
|
- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
|
||||||
|
- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
|
||||||
|
```yaml
|
||||||
|
ulimits:
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
```
|
||||||
|
- **System-wide** (optional): add to `/etc/security/limits.conf`:
|
||||||
|
```
|
||||||
|
* soft nofile 1048576
|
||||||
|
* hard nofile 1048576
|
||||||
|
root soft nofile 1048576
|
||||||
|
root hard nofile 1048576
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Build
|
## Build
|
||||||
@@ -427,12 +446,13 @@ docker run --name telemt --restart unless-stopped \
|
|||||||
-v "$PWD/config.toml:/app/config.toml:ro" \
|
-v "$PWD/config.toml:/app/config.toml:ro" \
|
||||||
--read-only \
|
--read-only \
|
||||||
--cap-drop ALL --cap-add NET_BIND_SERVICE \
|
--cap-drop ALL --cap-add NET_BIND_SERVICE \
|
||||||
|
--ulimit nofile=65536:65536 \
|
||||||
telemt:local
|
telemt:local
|
||||||
```
|
```
|
||||||
|
|
||||||
## Why Rust?
|
## Why Rust?
|
||||||
- Long-running reliability and idempotent behavior
|
- Long-running reliability and idempotent behavior
|
||||||
- Rust’s deterministic resource management - RAII
|
- Rust's deterministic resource management - RAII
|
||||||
- No garbage collector
|
- No garbage collector
|
||||||
- Memory safety and reduced attack surface
|
- Memory safety and reduced attack surface
|
||||||
- Tokio's asynchronous architecture
|
- Tokio's asynchronous architecture
|
||||||
@@ -456,4 +476,4 @@ docker run --name telemt --restart unless-stopped \
|
|||||||
- Multi-upstream Balancer and Failover
|
- Multi-upstream Balancer and Failover
|
||||||
- Strict FSM per handshake
|
- Strict FSM per handshake
|
||||||
- Session-based Antireplay with Sliding window, non-broking reconnects
|
- Session-based Antireplay with Sliding window, non-broking reconnects
|
||||||
- Web Control: statistic, state of health, latency, client experience...
|
- Web Control: statistic, state of health, latency, client experience...
|
||||||
@@ -17,4 +17,8 @@ services:
|
|||||||
- NET_BIND_SERVICE # allow binding to port 443
|
- NET_BIND_SERVICE # allow binding to port 443
|
||||||
read_only: true
|
read_only: true
|
||||||
security_opt:
|
security_opt:
|
||||||
- no-new-privileges:true
|
- no-new-privileges:true
|
||||||
|
ulimits:
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
|||||||
Reference in New Issue
Block a user