
Allow setting sysctls on a particular interface #669

Merged
merged 1 commit into master from jell/per_if_sysctl on Nov 24, 2021

Conversation

jellonek
Member

@jellonek jellonek commented Oct 1, 2021

As in subject.

Signed-off-by: Piotr Skamruk <piotr.skamruk@gmail.com>
@mccv1r0
Member

mccv1r0 commented Oct 6, 2021

/lgtm

@dcbw
Member

dcbw commented Oct 6, 2021

@jellonek could you also update the documentation at https://github.com/containernetworking/cni.dev/blob/main/content/plugins/current/meta/tuning.md with this new behavior?

@mccv1r0
Member

mccv1r0 commented Oct 6, 2021

An argument can be made that tuning plugin should have been interface specific from the beginning, that is, each e.g. cniADD for a conflist is specific to just one IFNAME. Should we just do that?

@jellonek
Member Author

jellonek commented Oct 7, 2021

@dcbw done: containernetworking/cni.dev#92
@mccv1r0 imo it's kinda tempting, but it would cripple possibility to e.g. change sysctls for netfilters, or for bgp (in net.core). The question is - do we really want that? Even our own example in docs now is based on net.core.somaxconn.

@mars1024
Member

mars1024 commented Oct 8, 2021

> An argument can be made that tuning plugin should have been interface specific from the beginning, that is, each e.g. cniADD for a conflist is specific to just one IFNAME. Should we just do that?

I'm wondering whether replacing IFNAME is too simple to be maintained or extended further. IMO, these problems can be solved well by template rendering, e.g. go-template or jinja2, no matter whether the arguments come from CNI args, network config or dynamic configuration.

@jellonek
Member Author

jellonek commented Oct 8, 2021

@mccv1r0 imo we should move the discussion about whether or not we want to limit changing sysctls to only net.ipv[46].conf.IFNAME to a separate issue, as a followup. For sure that would be a breaking change and would require a bump to 1.1.0.
FYI: I've seen the tuning plugin used in the wild like this:

apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: enable-forwarding
spec:
  config: '{
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "loopback"
        },
        {
          "name": "enable-forwarding",
          "type": "tuning",
          "sysctl": {
                  "net.ipv4.conf.all.forwarding": "1",
                  "net.ipv6.conf.all.forwarding": "1",
                  "net.ipv6.conf.default.forwarding":"1",
                  "net.ipv6.conf.default.disable_ipv6":"0",
                  "net.ipv6.conf.all.disable_ipv6": "0",
                  "net.ipv4.conf.default.rp_filter": "2",
                  "net.ipv4.conf.all.rp_filter": "2"
          }
        }
      ]
    }'
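
The IFNAME substitution discussed in this thread, as an added illustration rather than the tuning plugin's own code: a hypothetical helper that expands IFNAME in a dotted sysctl key, maps it to its /proc/sys path, and refuses interface names or keys that would let the write land outside /proc/sys. The VLAN-style name "eth0.100" shows why dots are converted before IFNAME is substituted.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical helper written for this discussion, not code from the plugin.
const procSys = "/proc/sys"

// validIfName rejects names that could escape the interface's /proc/sys
// directory; the kernel limits names to 15 bytes without '/' or whitespace.
func validIfName(name string) error {
	switch {
	case name == "" || len(name) > 15:
		return fmt.Errorf("bad interface name length: %q", name)
	case name == "." || name == "..":
		return fmt.Errorf("reserved interface name: %q", name)
	case strings.ContainsAny(name, "/ \t\n"):
		return fmt.Errorf("forbidden character in interface name: %q", name)
	}
	return nil
}

// RenderSysctlPath expands IFNAME in a dotted sysctl key and returns the
// /proc/sys file path. Dots become slashes before IFNAME is substituted, so an
// interface name that itself contains a dot (a VLAN such as "eth0.100") stays
// one path component instead of being split into a bogus subdirectory.
func RenderSysctlPath(key, ifName string) (string, error) {
	if err := validIfName(ifName); err != nil {
		return "", err
	}
	if strings.Contains(key, "/") || strings.Contains(key, "..") {
		return "", fmt.Errorf("sysctl key %q must use dot notation only", key)
	}
	p := strings.ReplaceAll(strings.ReplaceAll(key, ".", "/"), "IFNAME", ifName)
	full := path.Join(procSys, p)
	if !strings.HasPrefix(full, procSys+"/") { // belt and braces
		return "", fmt.Errorf("rendered path %q escapes %s", full, procSys)
	}
	return full, nil
}
```

Keys without IFNAME (such as the net.core.somaxconn example from the docs) pass through unchanged, which is the behaviour the thread argues should be kept.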

@dcbw
Member

dcbw commented Nov 24, 2021

/lgtm

@matthewdupre matthewdupre merged commit 57e95c5 into master Nov 24, 2021
@jellonek jellonek deleted the jell/per_if_sysctl branch April 14, 2022 14:39