2.1.6. Kernel Parameters

There are a number of kernel limits that must be set for OpenVZ to work correctly. OpenVZ ships with a tuned /etc/sysctl.conf file; understanding which parameters were changed is essential for running the required number of containers. Below are the contents of the /etc/sysctl.conf file as shipped with OpenVZ:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 1
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Netfilter on bridges: pass bridged IPv4/IPv6 traffic through iptables/ip6tables,
# but do not pass bridged ARP traffic through arptables.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
# Answer IPv6 neighbour solicitations on behalf of container addresses (proxy NDP)
net.ipv6.conf.all.proxy_ndp = 1
# Do not proxy ARP on new interfaces by default
net.ipv4.conf.default.proxy_arp = 0
# Reverse path filtering off on all interfaces
net.ipv4.conf.all.rp_filter = 0
fs.super-max = 2560
# System-wide limit on the number of open file handles
fs.file-max = 262144
# OpenVZ fair scheduler: maximum number of scheduling nodes
kernel.fairsched-nodes-max = 1538
# Neighbour (ARP) cache thresholds, sized for 512 containers (see below)
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
# Do not send ICMP redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Neighbour (NDP) cache thresholds for IPv6, sized the same way
net.ipv6.neigh.default.gc_thresh2 = 2048
net.ipv6.neigh.default.gc_thresh3 = 4096
# Maximum number of connection-tracking entries
net.nf_conntrack_max = 500000
# Maximum number of concurrent asynchronous I/O requests
fs.aio-max-nr = 1048576

Note that some kernel parameters depend on the maximum number of containers you plan to run. In the default configuration file, these numbers were calculated under the assumption that the maximum number of containers is 512. If you plan to run a different number of containers, recalculate the net.ipv4.neigh.default.gc_thresh2 and net.ipv4.neigh.default.gc_thresh3 parameters as three per container plus 128…512. Keep the second parameter twice as large as the first one.

To apply the changes, issue the following command:

# sysctl -p
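The following POSIX shell script is an added example and is not part of the OpenVZ guide or its shipped files. It turns the rule of thumb above into functions: three neighbour-cache entries per container plus a headroom, with gc_thresh3 kept at twice gc_thresh2, and it emits the corresponding lines for both net.ipv4 and net.ipv6 so they can be pasted into /etc/sysctl.conf before running sysctl -p. The HEADROOM value of 512 is an assumption picked from the guide's 128…512 range because it reproduces the shipped values exactly for 512 containers; the function names, the check_conf helper and the sample configuration lines are mine, and check_conf reads a sysctl.conf-style file from standard input rather than the live kernel so it can be run on any host.

```shell
#!/bin/sh
# Added example (not from the OpenVZ guide): size the ARP/NDP neighbour-cache
# thresholds for N containers. HEADROOM is an assumption chosen from the
# guide's 128..512 range so that N=512 yields the shipped 2048/4096.
HEADROOM=${HEADROOM:-512}

# gc_thresh2 N -> recommended net.ipv4.neigh.default.gc_thresh2
gc_thresh2() {
    echo $(( 3 * $1 + HEADROOM ))
}

# gc_thresh3 N -> twice gc_thresh2, as the guide requires
gc_thresh3() {
    echo $(( 2 * ( 3 * $1 + HEADROOM ) ))
}

# emit_sysctl N -> the four lines (IPv4 and IPv6) to put into /etc/sysctl.conf
emit_sysctl() {
    t2=$(gc_thresh2 "$1")
    t3=$(gc_thresh3 "$1")
    for fam in ipv4 ipv6; do
        echo "net.$fam.neigh.default.gc_thresh2 = $t2"
        echo "net.$fam.neigh.default.gc_thresh3 = $t3"
    done
}

# read_key KEY -> value of "KEY = value" from the sysctl.conf text on stdin
# (last occurrence wins, mirroring how sysctl applies duplicate keys)
read_key() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# check_conf N  (sysctl.conf-style text on stdin)
# Returns 0 if the IPv4 thresholds in the text are large enough for N
# containers, 1 otherwise. A missing key counts as 0 (the kernel default is
# far below the shipped values anyway).
check_conf() {
    n=$1
    want2=$(gc_thresh2 "$n"); want3=$(gc_thresh3 "$n")
    conf=$(cat)
    have2=$(printf '%s\n' "$conf" | read_key net.ipv4.neigh.default.gc_thresh2)
    have3=$(printf '%s\n' "$conf" | read_key net.ipv4.neigh.default.gc_thresh3)
    : "${have2:=0}" "${have3:=0}"
    if [ "$have2" -ge "$want2" ] && [ "$have3" -ge "$want3" ]; then
        echo "ok: gc_thresh2=$have2 gc_thresh3=$have3 (need >= $want2/$want3 for $n containers)"
        return 0
    fi
    echo "too low: gc_thresh2=$have2 gc_thresh3=$have3 (need >= $want2/$want3 for $n containers)"
    return 1
}

# shipped_sample -> constructed excerpt of the shipped file (only the two
# relevant IPv4 lines), so the check never touches the host's /etc/sysctl.conf
shipped_sample() {
    cat <<'EOF'
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
EOF
}

# Example run: the shipped values are exactly what the rule gives for 512
# containers; to check a real host, use: check_conf 1024 < /etc/sysctl.conf
emit_sysctl 512
shipped_sample | check_conf 512
```

For a host that is to run more containers than the file was sized for, pipe the real file through check_conf with the intended count (for example `check_conf 1024 < /etc/sysctl.conf`); a "too low" result means the emit_sysctl output for that count should replace the four gc_thresh lines before running sysctl -p.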

It also makes sense to set net.ipv4.tcp_use_sg to 0, since the corresponding "scatter/gather I/O" feature is not supported by the venet device used in OpenVZ networking.

It is also worth noting that forwarding should normally be left on, since the server forwards packets destined to or originating from containers.