From 9bededd1071da68178ab0433354fc5b56596f408 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 12 May 2026 10:21:59 +0000
Subject: [PATCH] fix: protect mastercontainer from OOM situations

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d5e09741-3bc4-4667-90ad-0256383a953d

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
---
 Containers/mastercontainer/Dockerfile | 2 +-
 compose.yaml                          | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/Containers/mastercontainer/Dockerfile b/Containers/mastercontainer/Dockerfile
index 61cfbbcf..b3f334e3 100644
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -74,7 +74,7 @@ RUN set -ex; \
     apk del .build-deps; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.max_children =.*/pm.max_children = 10/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
     grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \
     sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \
diff --git a/compose.yaml b/compose.yaml
index d3220cb0..132b5d8c 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -4,6 +4,7 @@ services:
     image: ghcr.io/nextcloud-releases/all-in-one:latest # This is the container image used. You can switch to ghcr.io/nextcloud-releases/all-in-one:beta if you want to help testing new releases. See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
     init: true # This setting makes sure that signals from main process inside the container are correctly forwarded to children. See https://docs.docker.com/reference/compose-file/services/#init
     restart: always # This makes sure that the container starts always together with the host OS. See https://docs.docker.com/reference/compose-file/services/#restart
+    oom_score_adj: -500 # This makes the Linux OOM killer significantly less likely to kill the mastercontainer, keeping the AIO interface accessible even under memory pressure. The range is -1000 (never kill) to 1000 (kill first); -500 provides strong protection while still allowing the OOM killer to act on this container as a last resort if it were to run out of control.
     container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
     volumes:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work