From 855f5dbded842ec8b138fdc97fcb9fc69c188d92 Mon Sep 17 00:00:00 2001
From: Philip Peterson
Date: Mon, 25 May 2026 19:53:28 -0800
Subject: [PATCH] fix VNC pid exhaustion: remove bluez loop, raise machine.slice limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

kded5 was activating org.bluez.obex in a tight loop (no BT hardware in container), spawning thousands of obexd threads until the libpod scope hit its TasksMax=9286 systemd default — causing fork failures and a 502.

- vnc-desktop/Dockerfile: purge bluez/bluez-obexd and delete D-Bus service activation files so kded5 can't trigger the loop
- linux.nix: machine.slice TasksMax=infinity so the libpod scope ceiling can't be hit by legitimate KDE thread counts
- linux.nix: containers.conf pids_limit=0 (unlimited) to let podman pass TasksMax=infinity to new container scopes

pids.current went from 9286 (exhausted) to 159 after the fix.

Co-Authored-By: Claude Sonnet 4.6
---
 nixos/linux.nix              | 8 +++++---
 nixos/vnc-desktop/Dockerfile | 6 ++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/nixos/linux.nix b/nixos/linux.nix
index 051db92..76e5284 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -208,9 +208,11 @@ in {
     defaultNetwork.settings.dns_enabled = true;
   };
 
-  # KDE Plasma spawns many threads; raise the default container pids limit (2048) to
-  # avoid "Thread creation error: Resource temporarily unavailable" in the VNC container.
-  virtualisation.containers.containersConf.settings.containers.pids_limit = 8192;
+  # KDE Plasma spawns many threads (and obexd loops without Bluetooth hardware).
+  # The libpod scope for each container inherits systemd's DefaultTasksMax (~9286);
+  # raise machine.slice to infinity so podman scopes aren't capped.
+  systemd.slices.machine.sliceConfig.TasksMax = "infinity";
+  virtualisation.containers.containersConf.settings.containers.pids_limit = 0;
 
   virtualisation.oci-containers = {
     backend = "podman";
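Review bot: `pids_limit = 0` combined with `TasksMax = "infinity"` removes every process-count ceiling between the VNC container and the host, so the next runaway loop like the obexd one — or a fork bomb from a compromised desktop session — is no longer contained at the scope boundary and can exhaust the host's kernel.pid_max/threads-max, taking down everything else on the machine instead of just the container. The commit message says the root cause is fixed in the Dockerfile and reports 159 tasks afterwards, so a finite cap well above that keeps the old "Thread creation error" away while preserving the blast-radius limit; for example `systemd.slices.machine.sliceConfig.TasksMax = 32768;` and `virtualisation.containers.containersConf.settings.containers.pids_limit = 16384;` (both are cgroup pids.max at different levels, so presumably the lower one wins — keep pids_limit at or below the slice value). The comment should state why the cap stays finite rather than describing the old incident, e.g. `# Keep a finite cap: it bounds a fork bomb or thread leak to this container instead of the whole host.` The enclosing attribute set continues outside the hunk.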
diff --git a/nixos/vnc-desktop/Dockerfile b/nixos/vnc-desktop/Dockerfile
index 380ae2e..bdd9b5a 100644
--- a/nixos/vnc-desktop/Dockerfile
+++ b/nixos/vnc-desktop/Dockerfile
@@ -15,6 +15,12 @@ RUN apt-get update && apt-get install -y \
     openssh-client \
     && rm -rf /var/lib/apt/lists/*
 
+# Remove Bluetooth stack — obexd gets activated in a tight loop by kded5
+# inside the container (no BT hardware), which exhausts the process limit.
+RUN apt-get purge -y --auto-remove bluez bluez-obexd 2>/dev/null || true; \ rm -f /usr/share/dbus-1/services/org.bluez.obex.service \ /usr/share/dbus-1/system-services/org.bluez.service
+
 COPY start.sh /start.sh
 RUN chmod +x /start.sh