Set default ulimits on CRIO Using machine config

Solution Verified - Updated 15 Aug 2025

Environment

Red Hat OpenShift Container Platform (RHOCP)
- 4

Issue

Set default ulimits on CRIO Using machine config

Resolution

For Openshift 4.8+ set the pid limits by editing the This page is not included, but the link has been rewritten to point to the nearest parent document.ContainerRuntimeConfig CR

For earlier versions of OpenShift a custom MachineConfig is needed.

Generate a base64-encoded string from required configuration. Follow below command to do that. Other limits required can be added in same format. -1 represents unlimited in below configuration.
```
 $ cat << EOF | base64 -w0
 [crio.runtime]
 default_ulimits = [
 "nproc=16348:-1",
 "stack=1600000:-1"
 ]
 EOF

_**Note:** Ulimits to apply to containers by default (name=soft:hard)_
```

Below is the sample Machine Config file. Update the encrypted string obtained from above command in field .spec.config.storage.files[0].contents.source after base64, and save it to a file mc.yaml.

 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 metadata:
   annotations:
   labels:
     machineconfiguration.openshift.io/role: worker
   name: 02-worker-container-runtime
 spec:
   config:
     ignition:
       version: 3.1.0
     storage:
       files:
       - contents:
           source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZV0KZGVmYXVsdF91bGltaXRzID0gWwoibnByb2M9MTYzNDg6LTEiLAoic3RhY2s9MTYwMDAwMDotMSIKXQo=
         mode: 420
         overwrite: true
         path: /etc/crio/crio.conf.d/10-custom

Create machineConfig using file mc.yaml.

mc.yaml will be applied only on worker nodes. If you want apply it on any other nodes please update labels section with appropriate role.
$ oc create -f mc.yaml

Verify if machine configuration has been created and also check if latest rendered configuration is created using below command.

Any changes/addition in machine configuration new rendered machine configuration will be created respective to mcp.

$ oc get mc

Once the rendered MC is in place. MCP will be rolled out and new changes will be applied. Note: that this step might reboot your nodes as per your MCP configuration. Check MCP status with below command.

$ oc get mcp

Once all the nodes are ready verify and make sure all your MCP has all nodes in ready state with below command. Below is the sample output.

 $ oc get mcp
 NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
 master   rendered-master-bf6053142c86e8c0aa8894cb0edfb73f   True      False      False      3              3                   3                     0                      7d5h
 worker   rendered-worker-61cf53af2ff22a150cc575639285b849   True      False      False      3              3                   3                     0                      7d5h

Check if new changes are applied with below command. Run below command to check if the config has been applied to your node:
```
 $ oc debug node/<nodename> -- chroot /host crio-status config | grep default_ulimits
```
Nodes might not come in to Ready state if your stack soft limit is too less. Try to use a value suits your needs.

SBR

Shift

Product(s)

Red Hat OpenShift Container Platform

Components

cri-o
oc

Category

Configure

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.