oci-defaults
settings.oci-defaults.*
Note
These settings apply only to orchestrated containers, not to host containers.
Topic list
Setting list for settings.oci-defaults
settings.oci-defaults.capabilities.audit-control
settings.oci-defaults.capabilities.audit-read
settings.oci-defaults.capabilities.audit-write
settings.oci-defaults.capabilities.block-suspend
settings.oci-defaults.capabilities.bpf
settings.oci-defaults.capabilities.checkpoint-restore
settings.oci-defaults.capabilities.chown
settings.oci-defaults.capabilities.dac-override
settings.oci-defaults.capabilities.dac-read-search
settings.oci-defaults.capabilities.fowner
settings.oci-defaults.capabilities.fsetid
settings.oci-defaults.capabilities.ipc-lock
settings.oci-defaults.capabilities.ipc-owner
settings.oci-defaults.capabilities.kill
settings.oci-defaults.capabilities.lease
settings.oci-defaults.capabilities.linux-immutable
settings.oci-defaults.capabilities.mac-admin
settings.oci-defaults.capabilities.mac-override
settings.oci-defaults.capabilities.mknod
settings.oci-defaults.capabilities.net-bind-service
settings.oci-defaults.capabilities.net-broadcast
settings.oci-defaults.capabilities.net-raw
settings.oci-defaults.capabilities.perfmon
settings.oci-defaults.capabilities.setfcap
settings.oci-defaults.capabilities.setgid
settings.oci-defaults.capabilities.setpcap
settings.oci-defaults.capabilities.setuid
settings.oci-defaults.capabilities.sys-admin
settings.oci-defaults.capabilities.sys-boot
settings.oci-defaults.capabilities.sys-chroot
settings.oci-defaults.capabilities.sys-module
settings.oci-defaults.capabilities.sys-nice
settings.oci-defaults.capabilities.sys-pacct
settings.oci-defaults.capabilities.sys-ptrace
settings.oci-defaults.capabilities.sys-rawio
settings.oci-defaults.capabilities.sys-resource
settings.oci-defaults.capabilities.sys-time
settings.oci-defaults.capabilities.sys-tty-config
settings.oci-defaults.capabilities.syslog
settings.oci-defaults.capabilities.wake-alarm
settings.oci-defaults.resource-limits.max-address-space
settings.oci-defaults.resource-limits.max-core-file-size
settings.oci-defaults.resource-limits.max-cpu-time
settings.oci-defaults.resource-limits.max-data-size
settings.oci-defaults.resource-limits.max-file-locks
settings.oci-defaults.resource-limits.max-file-size
settings.oci-defaults.resource-limits.max-locked-memory
settings.oci-defaults.resource-limits.max-msgqueue-size
settings.oci-defaults.resource-limits.max-nice-priority
settings.oci-defaults.resource-limits.max-open-files
settings.oci-defaults.resource-limits.max-pending-signals
settings.oci-defaults.resource-limits.max-processes
settings.oci-defaults.resource-limits.max-realtime-priority
settings.oci-defaults.resource-limits.max-realtime-timeout
settings.oci-defaults.resource-limits.max-resident-set
settings.oci-defaults.resource-limits.max-stack-size
Topics
Capabilities Settings
Capabilities for the runtime process. These correspond to the capabilities object in the runtime spec.
Settings
settings.oci-defaults.capabilities.audit-control
settings.oci-defaults.capabilities.audit-read
settings.oci-defaults.capabilities.audit-write
settings.oci-defaults.capabilities.block-suspend
settings.oci-defaults.capabilities.bpf
settings.oci-defaults.capabilities.checkpoint-restore
settings.oci-defaults.capabilities.chown
settings.oci-defaults.capabilities.dac-override
settings.oci-defaults.capabilities.dac-read-search
settings.oci-defaults.capabilities.fowner
settings.oci-defaults.capabilities.fsetid
settings.oci-defaults.capabilities.ipc-lock
settings.oci-defaults.capabilities.ipc-owner
settings.oci-defaults.capabilities.kill
settings.oci-defaults.capabilities.lease
settings.oci-defaults.capabilities.linux-immutable
settings.oci-defaults.capabilities.mac-admin
settings.oci-defaults.capabilities.mac-override
settings.oci-defaults.capabilities.mknod
settings.oci-defaults.capabilities.net-bind-service
settings.oci-defaults.capabilities.net-broadcast
settings.oci-defaults.capabilities.net-raw
settings.oci-defaults.capabilities.perfmon
settings.oci-defaults.capabilities.setfcap
settings.oci-defaults.capabilities.setgid
settings.oci-defaults.capabilities.setpcap
settings.oci-defaults.capabilities.setuid
settings.oci-defaults.capabilities.sys-admin
settings.oci-defaults.capabilities.sys-boot
settings.oci-defaults.capabilities.sys-chroot
settings.oci-defaults.capabilities.sys-module
settings.oci-defaults.capabilities.sys-nice
settings.oci-defaults.capabilities.sys-pacct
settings.oci-defaults.capabilities.sys-ptrace
settings.oci-defaults.capabilities.sys-rawio
settings.oci-defaults.capabilities.sys-resource
settings.oci-defaults.capabilities.sys-time
settings.oci-defaults.capabilities.sys-tty-config
settings.oci-defaults.capabilities.syslog
settings.oci-defaults.capabilities.wake-alarm
Resource Limits Settings
Resource limits for the runtime process. These correspond to the rlimit object in the runtime spec.
Unusual among Bottlerocket settings, individual key/values will not validate. You must provide both hard-limit and soft-limit for any given resource limit setting at the same time. Consequently, using dot-notation expressions to change resource limits is not possible (e.g. apiclient set settings.oci-defaults.resource-limits.max-locked-memory.hard-limit=9223372 will fail).
You can use TOML configuration format or the same structure expressed as JSON to set both keys simultaneously.
```toml
# Setting a limit
[settings.oci-defaults.resource-limits.max-core-file-size]
soft-limit = 100000000
hard-limit = 1000000000

# Removing a hard limit
[settings.oci-defaults.resource-limits.max-locked-memory]
soft-limit = 100000000
hard-limit = "unlimited"
```
```sh
# Setting a limit
apiclient set --json <<EOF
{
  "settings": {
    "oci-defaults": {
      "resource-limits": {
        "max-core-file-size": {
          "soft-limit": 100000000,
          "hard-limit": 1000000000
        }
      }
    }
  }
}
EOF

# Removing a hard limit
apiclient set --json <<EOF
{
  "settings": {
    "oci-defaults": {
      "resource-limits": {
        "max-core-file-size": {
          "soft-limit": 100000000,
          "hard-limit": "unlimited"
        }
      }
    }
  }
}
EOF
```
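
A pre-flight check for the paired-key rule above, added here as an example (it is not Bottlerocket's own validation code): it takes the JSON payload you would pass to apiclient set --json and reports unknown setting names, non-boolean capability values, limits missing soft-limit or hard-limit, and values outside the accepted range. The function names and the sample payload are constructed for illustration, and the check that soft-limit does not exceed hard-limit is an assumption taken from getrlimit semantics, not a validation this page documents.

```python
import json

INT64_MAX = 9223372036854775807  # upper bound this page gives for every limit
# Setting names copied from this page's setting list.
CAPABILITIES = set("""
audit-control audit-read audit-write block-suspend bpf checkpoint-restore chown
dac-override dac-read-search fowner fsetid ipc-lock ipc-owner kill lease linux-immutable
mac-admin mac-override mknod net-bind-service net-broadcast net-raw perfmon setfcap
setgid setpcap setuid sys-admin sys-boot sys-chroot sys-module sys-nice sys-pacct
sys-ptrace sys-rawio sys-resource sys-time sys-tty-config syslog wake-alarm""".split())
RESOURCE_LIMITS = set("""
max-address-space max-core-file-size max-cpu-time max-data-size max-file-locks
max-file-size max-locked-memory max-msgqueue-size max-nice-priority max-open-files
max-pending-signals max-processes max-realtime-priority max-realtime-timeout
max-resident-set max-stack-size""".split())

def limit_value(v):
    """Map a limit to a comparable number, or None if it is not an accepted value."""
    if v == "unlimited":
        return float("inf")
    if type(v) is not int or not -1 <= v <= INT64_MAX:  # rejects bools and floats
        return None
    return float("inf") if v == -1 else v

def check_oci_defaults(payload):
    """Return the problems found in an `apiclient set --json` payload (a dict)."""
    oci = payload.get("settings", {}).get("oci-defaults", {})
    problems = []
    for name, value in oci.get("capabilities", {}).items():
        if name not in CAPABILITIES:
            problems.append(f"capabilities.{name}: unknown setting")
        elif not isinstance(value, bool):
            problems.append(f"capabilities.{name}: must be true or false")
    for name, limit in oci.get("resource-limits", {}).items():
        keys = limit if isinstance(limit, dict) else {}
        missing = [k for k in ("soft-limit", "hard-limit") if k not in keys]
        soft, hard = (limit_value(keys.get(k)) for k in ("soft-limit", "hard-limit"))
        if name not in RESOURCE_LIMITS:
            problems.append(f"resource-limits.{name}: unknown setting")
        elif missing:  # both keys must be supplied together
            problems.append(f"resource-limits.{name}: missing {', '.join(missing)}")
        elif soft is None or hard is None:
            problems.append(f"resource-limits.{name}: value not accepted")
        elif soft > hard:  # assumption: getrlimit rule, not documented on this page
            problems.append(f"resource-limits.{name}: soft-limit exceeds hard-limit")
    return problems

# Constructed sample payload, not taken from a real host.
SAMPLE = json.loads("""{"settings": {"oci-defaults": {
  "capabilities": {"net-raw": false, "sys-admin": "no", "sys_ptrace": false},
  "resource-limits": {
    "max-core-file-size": {"soft-limit": 100000000, "hard-limit": 1000000000},
    "max-locked-memory": {"hard-limit": 9223372},
    "max-open-files": {"soft-limit": "unlimited", "hard-limit": 1048576}}}}}""")
```

Running check_oci_defaults(SAMPLE) flags the string-valued sys-admin, the misspelled sys_ptrace, the max-locked-memory entry that supplies only hard-limit, and the max-open-files entry whose soft limit is above its hard limit.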
Settings
settings.oci-defaults.resource-limits.max-address-space
settings.oci-defaults.resource-limits.max-core-file-size
settings.oci-defaults.resource-limits.max-cpu-time
settings.oci-defaults.resource-limits.max-data-size
settings.oci-defaults.resource-limits.max-file-locks
settings.oci-defaults.resource-limits.max-file-size
settings.oci-defaults.resource-limits.max-locked-memory
settings.oci-defaults.resource-limits.max-msgqueue-size
settings.oci-defaults.resource-limits.max-nice-priority
settings.oci-defaults.resource-limits.max-open-files
settings.oci-defaults.resource-limits.max-pending-signals
settings.oci-defaults.resource-limits.max-processes
settings.oci-defaults.resource-limits.max-realtime-priority
settings.oci-defaults.resource-limits.max-realtime-timeout
settings.oci-defaults.resource-limits.max-resident-set
settings.oci-defaults.resource-limits.max-stack-size
Full Reference
settings.oci-defaults.capabilities.audit-control
Accepted values: true, false
- Capabilities Settings
- CAP_AUDIT_CONTROL on the Linux capabilities manual page
settings.oci-defaults.capabilities.audit-read
Accepted values: true, false
- Capabilities Settings
- CAP_AUDIT_READ on the Linux capabilities manual page
settings.oci-defaults.capabilities.audit-write
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_AUDIT_WRITE on the Linux capabilities manual page
settings.oci-defaults.capabilities.block-suspend
Accepted values: true, false
- Capabilities Settings
- CAP_BLOCK_SUSPEND on the Linux capabilities manual page
settings.oci-defaults.capabilities.bpf
Accepted values: true, false
- Capabilities Settings
- CAP_BPF on the Linux capabilities manual page
settings.oci-defaults.capabilities.checkpoint-restore
Accepted values: true, false
- Capabilities Settings
- CAP_CHECKPOINT_RESTORE on the Linux capabilities manual page
settings.oci-defaults.capabilities.chown
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_CHOWN on the Linux capabilities manual page
settings.oci-defaults.capabilities.dac-override
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_DAC_OVERRIDE on the Linux capabilities manual page
settings.oci-defaults.capabilities.dac-read-search
Accepted values: true, false
- Capabilities Settings
- CAP_DAC_READ_SEARCH on the Linux capabilities manual page
settings.oci-defaults.capabilities.fowner
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_FOWNER on the Linux capabilities manual page
settings.oci-defaults.capabilities.fsetid
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_FSETID on the Linux capabilities manual page
settings.oci-defaults.capabilities.ipc-lock
Accepted values: true, false
- Capabilities Settings
- CAP_IPC_LOCK on the Linux capabilities manual page
settings.oci-defaults.capabilities.ipc-owner
Accepted values: true, false
- Capabilities Settings
- CAP_IPC_OWNER on the Linux capabilities manual page
settings.oci-defaults.capabilities.kill
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_KILL on the Linux capabilities manual page
settings.oci-defaults.capabilities.lease
Accepted values: true, false
- Capabilities Settings
- CAP_LEASE on the Linux capabilities manual page
settings.oci-defaults.capabilities.linux-immutable
Accepted values: true, false
- Capabilities Settings
- CAP_LINUX_IMMUTABLE on the Linux capabilities manual page
settings.oci-defaults.capabilities.mac-admin
Accepted values: true, false
- Capabilities Settings
- CAP_MAC_ADMIN on the Linux capabilities manual page
settings.oci-defaults.capabilities.mac-override
Accepted values: true, false
- Capabilities Settings
- CAP_MAC_OVERRIDE on the Linux capabilities manual page
settings.oci-defaults.capabilities.mknod
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_MKNOD on the Linux capabilities manual page
settings.oci-defaults.capabilities.net-bind-service
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_NET_BIND_SERVICE on the Linux capabilities manual page
settings.oci-defaults.capabilities.net-broadcast
Accepted values: true, false
- Capabilities Settings
- CAP_NET_BROADCAST on the Linux capabilities manual page
settings.oci-defaults.capabilities.net-raw
Accepted values: true, false
- Capabilities Settings
- CAP_NET_RAW on the Linux capabilities manual page
settings.oci-defaults.capabilities.perfmon
Accepted values: true, false
- Capabilities Settings
- CAP_PERFMON on the Linux capabilities manual page
settings.oci-defaults.capabilities.setfcap
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_SETFCAP on the Linux capabilities manual page
settings.oci-defaults.capabilities.setgid
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_SETGID on the Linux capabilities manual page
settings.oci-defaults.capabilities.setpcap
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_SETPCAP on the Linux capabilities manual page
settings.oci-defaults.capabilities.setuid
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_SETUID on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-admin
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_ADMIN on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-boot
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_BOOT on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-chroot
Default: true
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_CHROOT on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-module
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_MODULE on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-nice
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_NICE on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-pacct
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_PACCT on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-ptrace
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_PTRACE on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-rawio
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_RAWIO on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-resource
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_RESOURCE on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-time
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_TIME on the Linux capabilities manual page
settings.oci-defaults.capabilities.sys-tty-config
Accepted values: true, false
- Capabilities Settings
- CAP_SYS_TTY_CONFIG on the Linux capabilities manual page
settings.oci-defaults.capabilities.syslog
Accepted values: true, false
- Capabilities Settings
- CAP_SYSLOG on the Linux capabilities manual page
settings.oci-defaults.capabilities.wake-alarm
Accepted values: true, false
- Capabilities Settings
- CAP_WAKE_ALARM on the Linux capabilities manual page
settings.oci-defaults.resource-limits.max-address-space
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_AS on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-core-file-size
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_CORE on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-cpu-time
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses seconds as an implicit unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_CPU on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-data-size
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_DATA on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-file-locks
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
The value is unit-less, representing the number of locks.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_LOCKS on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-file-size
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_FSIZE on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-locked-memory
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_MEMLOCK on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-msgqueue-size
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_MSGQUEUE on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-nice-priority
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
The value is unit-less, representing niceness.
- Setting a limit: Practical values range from 1 to 40, however the technically accepted values are 0 to 9223372036854775807 (i.e. int64::MAX).
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_NICE on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-open-files
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
The value is unit-less, representing the number of files.
Default: soft-limit is 65536 and hard-limit is 1048576
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_NOFILE on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-pending-signals
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
The value is unit-less, representing the number of signals.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_SIGPENDING on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-processes
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
The value is unit-less, representing the number of processes.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_NPROC on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-realtime-priority
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
The value is unit-less, representing priority.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_RTPRIO on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-realtime-timeout
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses microseconds as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_RTTIME on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-resident-set
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_RSS on the Linux getrlimit manual page
settings.oci-defaults.resource-limits.max-stack-size
A TOML table. Validation requires a key/value for both soft-limit and hard-limit.
Uses bytes as an implicit value unit.
- Setting a limit: 0 to 9223372036854775807 (i.e. int64::MAX)
- Removing a limit: -1 or "unlimited"
- Resource Limits Settings
- RLIMIT_STACK on the Linux getrlimit manual page