How to enable memory_lock using docker image in k8s?

Version (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 1.3.6 docker image

Describe the issue:
deploy a statefulset with docker image v1.3.6 in k8s. Set the environment variable: bootstrap.memory_lock=true, and after the container started, it failed to lock the memory, and output these information:

2023-02-07 21:03:17 [2023-02-07T13:03:17,021][WARN ][o.o.b.JNANatives         ] [1161fe6d39a9] Unable to lock JVM Memory: error=12, reason=Cannot allocate memory
2023-02-07 21:03:12 WARNING: A terminally deprecated method in java.lang.System has been called
2023-02-07 21:03:12 WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.5.0.jar)
2023-02-07 21:03:12 WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
2023-02-07 21:03:12 WARNING: System::setSecurityManager will be removed in a future release
2023-02-07 21:03:17 [2023-02-07T13:03:17,023][WARN ][o.o.b.JNANatives         ] [1161fe6d39a9] This can result in part of the JVM being swapped out.
2023-02-07 21:03:17 [2023-02-07T13:03:17,024][WARN ][o.o.b.JNANatives         ] [1161fe6d39a9] Increase RLIMIT_MEMLOCK, soft limit: 65536, hard limit: 65536
2023-02-07 21:03:17 [2023-02-07T13:03:17,025][WARN ][o.o.b.JNANatives         ] [1161fe6d39a9] These can be adjusted by modifying /etc/security/limits.conf, for example: 
2023-02-07 21:03:17     # allow user 'opensearch' mlockall
2023-02-07 21:03:17     opensearch soft memlock unlimited
2023-02-07 21:03:17     opensearch hard memlock unlimited
2023-02-07 21:03:17 [2023-02-07T13:03:17,025][WARN ][o.o.b.JNANatives         ] [1161fe6d39a9] If you are logged in interactively, you will have to re-login for the new limits to take effect.

And then i build my own image using tarball and centos7,

ARG UID=1000
ARG GID=1000
ARG OPENSEARCH_HOME=/usr/share/opensearch
RUN groupadd -g $GID opensearch \
  && adduser -u $UID -g $GID -d $OPENSEARCH_HOME opensearch \
  && echo "" >> /etc/security/limits.conf \
  && echo "root soft memlock unlimited" >> /etc/security/limits.conf \
  && echo "root hard memlock unlimited" >> /etc/security/limits.conf \
  && echo "opensearch soft memlock unlimited" >> /etc/security/limits.conf \
  && echo "opensearch hard memlock unlimited" >> /etc/security/limits.conf

COPY --chown=1000:1000 ./opensearch-1.3.6 /usr/share/opensearch 
WORKDIR /usr/share/opensearch
RUN echo "export JAVA_HOME=$OPENSEARCH_HOME/jdk" >> /etc/profile.d/ \
  && echo "export PATH=\$PATH:\$JAVA_HOME/bin" >> /etc/profile.d/
ENV JAVA_HOME=/usr/share/opensearch/jdk
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/share/opensearch/jdk/bin:/usr/share/opensearch/bin
ENV LD_LIBRARY_PATH=:/usr/share/opensearch/plugins/opensearch-knn/lib

RUN /bin/sh -c ./ 
EXPOSE 9200/tcp 9300/tcp 9600/tcp 5601/tcp
CMD ["opensearch"]

Main content in is:

    if [[ "$(id -u)" == "0" ]]; then
        # Start opensearch
        echo "OpenSearch cannot run as root. We will start opensearch with user[id: 1000]"
        su opensearch
        exec chroot --userspec "1000:1000" "/" "$@" "${opensearch_opts[@]}" & OPENSEARCH_PID=$!

        # Start performance analyzer agent
        exec chroot --userspec "1000:1000" "/" $OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli > $OPENSEARCH_HOME/logs/performance-analyzer.log 2>&1 & PA_PID=$!
         # Start opensearch
        echo "OpenSearch will run as user[id: 1000]."
        "$@" "${opensearch_opts[@]}" &

        # Start performance analyzer agent
        $OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli > $OPENSEARCH_HOME/logs/performance-analyzer.log 2>&1 &

Still, it failed to lock memory even the limits.conf contains right config. Then, i logged into the container with user root, and exec the commands, the limits.conf works after i re-login user root or user opensearch.

My Question is: how to build an docker image which can lock memory in k8s statefulset?

any advice would be appreciated. thank you.

interesting. @bbarani84 @peternied would you have insight to share on @gugugu’s question? thank you