My containers keep dying and I finally know why
Three weeks ago I pushed a new image to prod. Thirty minutes later my pager screamed. Logs showed the service alive, but every request hung. No errors. Just silence.
The culprit? A dead TCP connection the kernel refused to drop. Default settings let it sit there for 30 minutes before giving up.
That’s like waiting half an hour for a dead phone line before redialing.
The tiny knob that fixes everything
Linux keeps a list of retry rules under /proc/sys/net/ipv4/. Two numbers matter most:
tcp_retries1– how many times to try before assuming the network is brokentcp_retries2– the final count before the kernel kills the socket
Out of the box tcp_retries2 is 15. On most networks that equals 15–30 minutes of limbo.
I changed it to 5 in staging. Average stall time dropped from 20 minutes to 3 minutes flat.
Copy-paste fix for Docker hosts
Create a file and paste two lines:
sudo tee /etc/sysctl.d/99-fast-fail.conf <<EOF
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_retries2 = 5
EOF
sudo sysctl -p /etc/sysctl.d/99-fast-fail.conf
The new settings survive a reboot and apply to every container on the box.
Doing it the Kubernetes way
If you run on K8s, add a block to the pod spec:
apiVersion: v1
kind: Pod
metadata:
name: tuned-app
spec:
securityContext:
sysctls:
- name: net.ipv4.tcp_retries2
value: "5"
containers:
- name: app
image: mycorp/app:latest
Remember: the cluster must allow “unsafe” sysctls. Ask your admin first.
Don’t forget the zombies
Idle sockets can still eat RAM. Turn on keepalives to flush them:
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
Ten minutes idle → 30-second probes → five strikes and out.
Real numbers from my last incident
Before tuning:
- Average outage: 27 minutes
- Peak stuck sockets: 14 k
After tuning:
- Average outage: 3.1 minutes
- Peak stuck sockets: 2 k
Users stopped tweeting about “slowness”. My pager stopped buzzing.
Quick checklist
- Test in staging first – flaky networks may need gentler settings
- Watch
ss -tifor retransmission counts - Document the change – future you will thank present you
- Set application timeouts shorter than kernel timeouts for graceful fallbacks
One small number, one giant leap for uptime.
Full sysctl docs are right here if you want to dig deeper.
