kubernetes-sigs · drew-viles · May 10, 2026
diff --git a/docs/book/src/capi/containerd/customizing-containerd.md b/docs/book/src/capi/containerd/customizing-containerd.md
@@ -84,3 +84,11 @@ You can also add further configuration by adding values for `containerd_addition
 end of the
 [`config.toml`](https://github.com/kubernetes-sigs/image-builder/blob/main/images/capi/ansible/roles/containerd/templates/etc/containerd/config.toml#L86)
 default template. 
+
+## Overriding `LimitNOFILE`
+
+By default a `LimitNOFILE` systemd drop-in (capping the value at `1048576`) is only deployed on
+Common Base Linux Mariner, Flatcar, and Microsoft Azure Linux, where the upstream `infinity` value
+has been known to cause issues with some containerized software. To opt-in to deploying the same
+drop-in on other operating systems, set `containerd_enable_limit_no_file` to `true`. It defaults to
+`false`.
diff --git a/images/capi/ansible/roles/containerd/defaults/main.yml b/images/capi/ansible/roles/containerd/defaults/main.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 ---
 containerd_config_file: etc/containerd/config.toml
+containerd_enable_limit_no_file: false
 containerd_gvisor_runtime: false
 containerd_gvisor_version: latest
 containerd_baseurl: https://github.com/containerd/containerd/releases/download/v{{ containerd_version }}

diff --git a/images/capi/ansible/roles/containerd/tasks/main.yml b/images/capi/ansible/roles/containerd/tasks/main.yml
@@ -157,7 +157,7 @@
     dest: /etc/systemd/system/containerd.service.d/limit-nofile.conf
     src: etc/systemd/system/containerd.service.d/limit-nofile.conf
     mode: "0644"
-  when: ansible_facts['os_family'] in ["Common Base Linux Mariner", "Flatcar", "Microsoft Azure Linux"]
+  when: ansible_facts['os_family'] in ["Common Base Linux Mariner", "Flatcar", "Microsoft Azure Linux"] or containerd_enable_limit_no_file | bool
 
 - name: Create containerd http proxy conf file if needed
   ansible.builtin.template:

diff --git a/images/capi/packer/ami/packer.json b/images/capi/packer/ami/packer.json
@@ -71,6 +71,7 @@
   "post-processors": [
     {
       "custom_data": {
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_version": "{{user `containerd_version`}}",
@@ -129,6 +130,7 @@
         "OS": "{{user `distribution` | lower}}",
         "OS_VERSION": "{{user `distribution_version` | lower}}",
         "PROVIDER": "amazon",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -163,6 +165,7 @@
     "aws_session_token": "",
     "build_timestamp": "{{timestamp}}",
     "builder_instance_type": "t3.small",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/azure/packer.json b/images/capi/packer/azure/packer.json
@@ -104,6 +104,7 @@
         "build_name": "{{user `build_name`}}",
         "build_timestamp": "{{user `build_timestamp`}}",
         "build_type": "node",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_version": "{{user `containerd_version`}}",
@@ -178,6 +179,7 @@
         "OS": "{{user `distribution` | lower}}",
         "OS_VERSION": "{{user `distribution_version` | lower}}",
         "PROVIDER": "azure",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -220,6 +222,7 @@
     "client_secret": null,
     "cloud_environment_name": "public",
     "community_gallery_image_id": "",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/config/ansible-args.json b/images/capi/packer/config/ansible-args.json
@@ -1,5 +1,5 @@
 {
   "ansible_common_ssh_args": "-o IdentitiesOnly=yes",
-  "ansible_common_vars": "containerd_gvisor_runtime={{user `containerd_gvisor_runtime`}} containerd_gvisor_version={{user `containerd_gvisor_version`}} containerd_sha256={{user `containerd_sha256`}} pause_image={{user `pause_image`}} containerd_additional_settings={{user `containerd_additional_settings`}} containerd_cri_socket={{user `containerd_cri_socket`}} containerd_version={{user `containerd_version`}} containerd_image_pull_progress_timeout={{user `containerd_image_pull_progress_timeout`}} containerd_wasm_shims_url={{user `containerd_wasm_shims_url`}} containerd_wasm_shims_version={{user `containerd_wasm_shims_version`}} containerd_wasm_shims_sha256={{user `containerd_wasm_shims_sha256`}} containerd_wasm_shims_runtimes=\"{{user `containerd_wasm_shims_runtimes`}}\" containerd_wasm_shims_runtime_versions=\"{{user `containerd_wasm_shims_runtime_versions`}}\" crictl_version={{user `crictl_version`}} custom_role_names=\"{{user `custom_role_names`}}\" firstboot_custom_roles_pre=\"{{user `firstboot_custom_roles_pre`}}\" firstboot_custom_roles_post=\"{{user `firstboot_custom_roles_post`}}\" node_custom_roles_pre=\"{{user `node_custom_roles_pre`}}\" node_custom_roles_post=\"{{user `node_custom_roles_post`}}\" node_custom_roles_post_sysprep=\"{{user `node_custom_roles_post_sysprep`}}\" disable_public_repos={{user `disable_public_repos`}} extra_debs=\"{{user `extra_debs`}}\" extra_kernel_boot_params=\"{{user `extra_kernel_boot_params`}}\" extra_repos=\"{{user `extra_repos`}}\" extra_rpms=\"{{user `extra_rpms`}}\" http_proxy={{user `http_proxy`}} https_proxy={{user `https_proxy`}} kubeadm_template={{user `kubeadm_template`}} kubernetes_apiserver_port={{user `kubernetes_apiserver_port`}} kubernetes_cni_http_source={{user `kubernetes_cni_http_source`}} kubernetes_http_source={{user `kubernetes_http_source`}} kubernetes_container_registry={{user `kubernetes_container_registry`}} kubernetes_rpm_repo={{user `kubernetes_rpm_repo`}} kubernetes_rpm_gpg_key={{user `kubernetes_rpm_gpg_key`}} kubernetes_rpm_gpg_check={{user `kubernetes_rpm_gpg_check`}} kubernetes_deb_repo={{user `kubernetes_deb_repo`}} kubernetes_deb_gpg_key={{user `kubernetes_deb_gpg_key`}} kubernetes_cni_deb_version={{user `kubernetes_cni_deb_version`}} kubernetes_cni_rpm_version={{user `kubernetes_cni_rpm_version`}} kubernetes_cni_semver={{user `kubernetes_cni_semver`}} kubernetes_cni_source_type={{user `kubernetes_cni_source_type`}} kubernetes_semver={{user `kubernetes_semver`}} kubernetes_source_type={{user `kubernetes_source_type`}} kubernetes_load_additional_imgs={{user `kubernetes_load_additional_imgs`}} kubernetes_deb_version={{user `kubernetes_deb_version`}} kubernetes_rpm_version={{user `kubernetes_rpm_version`}} no_proxy={{user `no_proxy`}} pip_conf_file={{user `pip_conf_file`}} python_path={{user `python_path`}} redhat_epel_rpm={{user `redhat_epel_rpm`}} epel_rpm_gpg_key={{user `epel_rpm_gpg_key`}} reenable_public_repos={{user `reenable_public_repos`}} remove_extra_repos={{user `remove_extra_repos`}} systemd_prefix={{user `systemd_prefix`}} sysusr_prefix={{user `sysusr_prefix`}} sysusrlocal_prefix={{user `sysusrlocal_prefix`}} load_additional_components={{ user `load_additional_components`}} additional_registry_images={{ user `additional_registry_images`}} additional_registry_images_list={{ user `additional_registry_images_list`}} ecr_credential_provider={{ user `ecr_credential_provider` }} additional_url_images={{ user `additional_url_images`}} additional_url_images_list={{ user `additional_url_images_list`}} additional_executables={{ user `additional_executables`}} additional_executables_list={{ user `additional_executables_list`}} additional_executables_destination_path={{ user `additional_executables_destination_path`}} additional_s3={{ user `additional_s3`}} build_target={{ user `build_target`}} amazon_ssm_agent_rpm={{ user `amazon_ssm_agent_rpm` }} enable_containerd_audit={{ user `enable_containerd_audit` }} kubernetes_enable_automatic_resource_sizing={{ user `kubernetes_enable_automatic_resource_sizing` }} debug_tools={{user `debug_tools`}} ubuntu_repo={{user `ubuntu_repo`}} ubuntu_security_repo={{user `ubuntu_security_repo`}} gpu_block_nouveau_loading={{user `block_nouveau_loading`}} runc_version={{user `runc_version`}} containerd_service_url={{user `containerd_service_url`}} netplan_removal_excludes=\"{{user `netplan_removal_excludes`}}\"",
+  "ansible_common_vars": "containerd_gvisor_runtime={{user `containerd_gvisor_runtime`}} containerd_gvisor_version={{user `containerd_gvisor_version`}} containerd_sha256={{user `containerd_sha256`}} pause_image={{user `pause_image`}} containerd_additional_settings={{user `containerd_additional_settings`}} containerd_cri_socket={{user `containerd_cri_socket`}} containerd_version={{user `containerd_version`}} containerd_image_pull_progress_timeout={{user `containerd_image_pull_progress_timeout`}} containerd_enable_limit_no_file={{user `containerd_enable_limit_no_file`}} containerd_wasm_shims_url={{user `containerd_wasm_shims_url`}} containerd_wasm_shims_version={{user `containerd_wasm_shims_version`}} containerd_wasm_shims_sha256={{user `containerd_wasm_shims_sha256`}} containerd_wasm_shims_runtimes=\"{{user `containerd_wasm_shims_runtimes`}}\" containerd_wasm_shims_runtime_versions=\"{{user `containerd_wasm_shims_runtime_versions`}}\" crictl_version={{user `crictl_version`}} custom_role_names=\"{{user `custom_role_names`}}\" firstboot_custom_roles_pre=\"{{user `firstboot_custom_roles_pre`}}\" firstboot_custom_roles_post=\"{{user `firstboot_custom_roles_post`}}\" node_custom_roles_pre=\"{{user `node_custom_roles_pre`}}\" node_custom_roles_post=\"{{user `node_custom_roles_post`}}\" node_custom_roles_post_sysprep=\"{{user `node_custom_roles_post_sysprep`}}\" disable_public_repos={{user `disable_public_repos`}} extra_debs=\"{{user `extra_debs`}}\" extra_kernel_boot_params=\"{{user `extra_kernel_boot_params`}}\" extra_repos=\"{{user `extra_repos`}}\" extra_rpms=\"{{user `extra_rpms`}}\" http_proxy={{user `http_proxy`}} https_proxy={{user `https_proxy`}} kubeadm_template={{user `kubeadm_template`}} kubernetes_apiserver_port={{user `kubernetes_apiserver_port`}} kubernetes_cni_http_source={{user `kubernetes_cni_http_source`}} kubernetes_http_source={{user `kubernetes_http_source`}} kubernetes_container_registry={{user `kubernetes_container_registry`}} kubernetes_rpm_repo={{user `kubernetes_rpm_repo`}} kubernetes_rpm_gpg_key={{user `kubernetes_rpm_gpg_key`}} kubernetes_rpm_gpg_check={{user `kubernetes_rpm_gpg_check`}} kubernetes_deb_repo={{user `kubernetes_deb_repo`}} kubernetes_deb_gpg_key={{user `kubernetes_deb_gpg_key`}} kubernetes_cni_deb_version={{user `kubernetes_cni_deb_version`}} kubernetes_cni_rpm_version={{user `kubernetes_cni_rpm_version`}} kubernetes_cni_semver={{user `kubernetes_cni_semver`}} kubernetes_cni_source_type={{user `kubernetes_cni_source_type`}} kubernetes_semver={{user `kubernetes_semver`}} kubernetes_source_type={{user `kubernetes_source_type`}} kubernetes_load_additional_imgs={{user `kubernetes_load_additional_imgs`}} kubernetes_deb_version={{user `kubernetes_deb_version`}} kubernetes_rpm_version={{user `kubernetes_rpm_version`}} no_proxy={{user `no_proxy`}} pip_conf_file={{user `pip_conf_file`}} python_path={{user `python_path`}} redhat_epel_rpm={{user `redhat_epel_rpm`}} epel_rpm_gpg_key={{user `epel_rpm_gpg_key`}} reenable_public_repos={{user `reenable_public_repos`}} remove_extra_repos={{user `remove_extra_repos`}} systemd_prefix={{user `systemd_prefix`}} sysusr_prefix={{user `sysusr_prefix`}} sysusrlocal_prefix={{user `sysusrlocal_prefix`}} load_additional_components={{ user `load_additional_components`}} additional_registry_images={{ user `additional_registry_images`}} additional_registry_images_list={{ user `additional_registry_images_list`}} ecr_credential_provider={{ user `ecr_credential_provider` }} additional_url_images={{ user `additional_url_images`}} additional_url_images_list={{ user `additional_url_images_list`}} additional_executables={{ user `additional_executables`}} additional_executables_list={{ user `additional_executables_list`}} additional_executables_destination_path={{ user `additional_executables_destination_path`}} additional_s3={{ user `additional_s3`}} build_target={{ user `build_target`}} amazon_ssm_agent_rpm={{ user `amazon_ssm_agent_rpm` }} enable_containerd_audit={{ user `enable_containerd_audit` }} kubernetes_enable_automatic_resource_sizing={{ user `kubernetes_enable_automatic_resource_sizing` }} debug_tools={{user `debug_tools`}} ubuntu_repo={{user `ubuntu_repo`}} ubuntu_security_repo={{user `ubuntu_security_repo`}} gpu_block_nouveau_loading={{user `block_nouveau_loading`}} runc_version={{user `runc_version`}} containerd_service_url={{user `containerd_service_url`}} netplan_removal_excludes=\"{{user `netplan_removal_excludes`}}\"",
   "ansible_scp_extra_args": "{{env `ANSIBLE_SCP_EXTRA_ARGS`}}"
 }
diff --git a/images/capi/packer/config/containerd.json b/images/capi/packer/config/containerd.json
@@ -1,6 +1,7 @@
 {
   "containerd_additional_settings": null,
   "containerd_cri_socket": "/var/run/containerd/containerd.sock",
+  "containerd_enable_limit_no_file": "false",
   "containerd_gvisor_runtime": "false",
   "containerd_gvisor_version": "latest",
   "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/digitalocean/packer.json b/images/capi/packer/digitalocean/packer.json
@@ -43,6 +43,7 @@
     "ansible_extra_vars": "",
     "ansible_scp_extra_args": "",
     "build_timestamp": "{{timestamp}}",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/gce/packer.json b/images/capi/packer/gce/packer.json
@@ -65,6 +65,7 @@
         "OS": "{{user `distribution` | lower}}",
         "OS_VERSION": "{{user `distribution_version` | lower}}",
         "PROVIDER": "gcp",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -86,6 +87,7 @@
     "ansible_extra_vars": "",
     "ansible_scp_extra_args": "",
     "build_timestamp": "{{timestamp}}",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/goss/goss-files.yaml b/images/capi/packer/goss/goss-files.yaml
@@ -32,3 +32,10 @@ file:
     contains:
       - {{ .Vars.extra_kernel_boot_params }}
 {{end}}
+{{if eq .Vars.containerd_enable_limit_no_file "true"}}
+  "/etc/systemd/system/containerd.service.d/limit-nofile.conf":
+    exists: true
+    filetype: file
+    contains:
+      - "LimitNOFILE=1048576"
+{{end}}
diff --git a/images/capi/packer/goss/goss-vars.yaml b/images/capi/packer/goss/goss-vars.yaml
@@ -89,6 +89,7 @@ photon_5_rpms: &photon_5_rpms
   logrotate:
 
 arch: "amd64"
+containerd_enable_limit_no_file: ""
 containerd_gvisor_runtime: ""
 containerd_gvisor_version: ""
 containerd_image_pull_progress_timeout: ""

diff --git a/images/capi/packer/hcloud/packer.json b/images/capi/packer/hcloud/packer.json
@@ -28,6 +28,7 @@
         "build_name": "{{user `build_name`}}",
         "build_timestamp": "{{user `build_timestamp`}}",
         "build_type": "node",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_version": "{{user `containerd_version`}}",
@@ -102,6 +103,7 @@
         "OS": "{{user `distribution` | lower}}",
         "OS_VERSION": "{{user `distribution_version` | lower}}",
         "PROVIDER": "hcloud",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -126,6 +128,7 @@
     "ansible_user_vars": "",
     "build_name": null,
     "build_timestamp": "{{timestamp}}",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/huaweicloud/packer.json b/images/capi/packer/huaweicloud/packer.json
@@ -49,6 +49,7 @@
   "post-processors": [
     {
       "custom_data": {
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_version": "{{user `containerd_version`}}",
@@ -99,6 +100,7 @@
         "OS": "{{user `distribution` | lower}}",
         "OS_VERSION": "{{user `distribution_version` | lower}}",
         "PROVIDER": "huaweicloud",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -124,6 +126,7 @@
     "associate_public_ip_address": "true",
     "availability_zone": "ap-southeast-1g",
     "build_timestamp": "{{timestamp}}",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/nutanix/packer.json.tmpl b/images/capi/packer/nutanix/packer.json.tmpl
@@ -95,6 +95,7 @@
         "OS": "{{user `distro_name` | lower}}",
         "OS_VERSION": "{{user `distribution_version` | lower}}",
         "PROVIDER": "nutanix",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -116,6 +117,7 @@
     "ansible_extra_vars": "",
     "ansible_user_vars": "",
     "build_timestamp": "{{timestamp}}",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_version": null,

diff --git a/images/capi/packer/oci/packer.json b/images/capi/packer/oci/packer.json
@@ -76,6 +76,7 @@
         "OS": "{{user `distribution` | lower }}",
         "OS_VERSION": "{{user `distribution_version` | lower}}",
         "PROVIDER": "oci",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -100,6 +101,7 @@
     "base_image_ocid": "",
     "build_timestamp": "{{timestamp}}",
     "compartment_ocid": "",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,

diff --git a/images/capi/packer/openstack/packer.json b/images/capi/packer/openstack/packer.json
@@ -93,6 +93,7 @@
         "OS": "{{user `distro_name` | lower}}",
         "OS_VERSION": "{{user `os_version`}}",
         "PROVIDER": "openstack",
+        "containerd_enable_limit_no_file": "{{user `containerd_enable_limit_no_file`}}",
         "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "containerd_gvisor_version": "{{user `containerd_gvisor_version`}}",
         "containerd_image_pull_progress_timeout": "{{user `containerd_image_pull_progress_timeout`}}",
@@ -115,6 +116,7 @@
     "ansible_user_vars": "",
     "attach_config_drive": "false",
     "build_timestamp": "{{timestamp}}",
+    "containerd_enable_limit_no_file": "false",
     "containerd_gvisor_runtime": "false",
     "containerd_gvisor_version": "latest",
     "containerd_image_pull_progress_timeout": null,