Designing a Solution to Limit Container Thread Count in a Private Cloud Platform Using cgroup pids and inotify

The 58 Cloud Platform is a private Kubernetes‑based cloud built to manage business instances within the group, offering lightweight, resource‑efficient deployment and standardized environments. While CPU, memory, and network resources are already constrained, thread‑count limits are missing, which can exhaust host PID resources.

Problem description: Unrestricted thread creation inside containers may consume all available PIDs, causing host‑level failures such as "fork: retry: Resource temporarily unavailable". Kubernetes 1.10+ with Docker 1.11 introduces a pids cgroup controller, but earlier versions lack this capability.

Problem reproduction: A Python script using multiprocessing.Process creates 50,000 processes. On a host with kernel.pid_max = 40960 , the system becomes unresponsive around 27,000 processes, and further process creation fails.

Proposed solution:

Increase kernel.pid_max to a higher value (recommended 1,048,576) to raise the global PID ceiling.

Enforce per‑container thread limits using the cgroup pids subsystem.

Monitor the pids.events file with inotify to detect when a container reaches its limit and trigger alerts.

kernel.pid_max details: The kernel allows up to 4,194,304 PIDs on 64‑bit systems. The conventional recommendation is CPU count × 1024 , but for the 58 Cloud host machines a value of 1,048,576 is suggested to accommodate workload spikes.

cgroup pids subsystem: Introduced in Linux 4.3, it provides pids.max (maximum processes/threads) and pids.current (current count). When a fork would exceed the limit, the kernel triggers pid.events , which can be observed via inotify .

inotify usage: inotify offers a lightweight API ( inotify_init , inotify_add_watch , read , etc.) to watch file changes. By adding a watch on pid.events , the platform can instantly detect when a container hits its thread ceiling and execute remediation logic.

Conclusion: Combining an increased kernel.pid_max with cgroup‑based per‑container thread limits and real‑time inotify monitoring effectively prevents host PID exhaustion and provides early warning of limit breaches, improving stability and operational visibility of the private cloud platform.