Add support for setting sysctls

[rhatdan]

This patch will allow users to specify namespace specific "kernel parameters"
for running inside of a container.

Dan Walsh dwalsh@redhat.com

Signed-off-by: Dan Walsh dwalsh@redhat.com

[rhatdan]

This pull request replaces #16632

[rhatdan]

Opened pull request for engine-api docker/engine-api#38

[thaJeztah]

should we say "not valid" here, or something that gives the user a clue that it's not supported / whitelisted?

[rhatdan]

How about
sysctl %s is not a namespaced kernel parameter

[thaJeztah]

could work; is that true for all kernel versions though? Perhaps we should mention that we don't support it in stead? Open to better suggestions though

[rhatdan]

Well then we get a bug report telling us it is a namespaced kernel parameter. If we say unsupported, user might ignore.

[tianon]

IMO mentioning that it's "not whitelisted" makes it more clear to the user that they can come make the case for why it should be added 😇

[rhatdan]

Well if you guys come to consensus I will change the message. :^)

[thaJeztah]

I'm good with "not whitelisted"

and good news; this has been moved to code review!

[cpuguy83]

Are all these actually namespaced from 3.10+?

[rhatdan]

man namespaces
...
   IPC namespaces (CLONE_NEWIPC)
...

       *  The System V IPC interfaces in /proc/sys/kernel, namely: msgmax,
          msgmnb, msgmni, sem, shmall, shmmax, shmmni, and shm_rmid_forced.

[mysterlune]

would you consider adding kernel.perf_event_paranoid and kernel.kptr_restrict to the whitelist?

as a use case: i'm working on a proof of concept around flame graphs, visualizing perf event data in a containerized node.js app following along the work here https://gist.github.com/trevnorris/9616784.

have had a devil of a time sorting out getting these kernel parameters to stick in a running container. came upon your PR, and am stoked to see a --sysctl flag in the works.

[rhatdan]

@mysterlune Do you know if these sysctls are namespaced? If you set them inside of the container, do the settings show up outside of the container? If not, then we would add them, if yes then we will not add them.

You could test this by running a --privileged container.

[mysterlune]

hey @rhatdan,

so i ran the container with the --privileged flag as such (as you can see, i'm on a mac; unsure if this matters to this experiment):

docker run -d -p 8080:8080 --name foobar -v /Users/rlune/gitproj/observable_node_poc:/src -v /Users/rlune/gitproj/observable_node_poc:/tmp --privileged observable-node-poc

... and got:

d137a82d7731ab095c484d0e70dd96081c275cf43c50100128ad5ea44e40cb01

... then, exec'd a bash session:

docker exec -it d137a82d7731ab095c484d0e70dd96081c275cf43c50100128ad5ea44e40cb01 bash

... checked the host machine for the kernel flags next...:

16:24 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.perf_event_paranoid
16:25 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.kptr_restrict

... received no output for each lookup. then, set the flags on the instance running in the container:

[root@d137a82d7731 app]# sysctl -w kernel.kptr_restrict=1
kernel.kptr_restrict = 1
[root@d137a82d7731 app]# sysctl -w kernel.perf_event_paranoid=1
kernel.perf_event_paranoid = 1

... read the keys on the image:

[root@d137a82d7731 app]# sysctl -a | grep kernel.kptr_restrict      
kernel.kptr_restrict = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"

[and got the same sort of output for the `kernel.perf_event_paranoid` also]

... then checked the host machine again:

16:24 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.perf_event_paranoid
16:25 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.kptr_restrict

... and did not see any lookup output for those keys.

is this test sufficient to determine that the kernel.perf_event_paranoid and kernel.kptr_restrict keys are namespaced in a way that will allow their addition to this PR?

[rhatdan]

Not sure if it is enough, but it certainly looks good. I guess if you ran another container and made sure they were different.

@jeremyeder PTAL

[mysterlune]

dang it... it doesn't look like those flags are namespaced if i run two containers and set the flags within one of them... they show up as such in the other...

so, how does a flag get "namespaced" so that this collision doesn't happen?

[rhatdan]

You write a kernel patch. :^(

[rhatdan]

Now that we are in docker-1.11 could we get this pull request moving. @calavera @cpuguy83

[thaJeztah]

We're okay with this, moving to code review, unless @crosbymichael has major concerns

[thaJeztah]

ping @calavera @cpuguy83 PTAL

[cpuguy83]

Just need to update the engine-api vendor, otherwise code LGTM.

[thaJeztah]

Looks like this needs another rebase @rhatdan 😢

[rhatdan]

Done.

[thaJeztah]

ping @vdemeester ptal

[vdemeester]

LGTM 🐰
gccgo is SUCCESS and windowsTP5 fails with a known flakey test.. merging 😉

[thaJeztah]

🎉 thanks @rhatdan!

[brunoborges]

Has anybody tested --sysctl to tweak net.ipv4.tcp_syn_retries to reduce global timeout for TCP connections inside the container? Does it work?

[vingrad]

How can I use sysctl option with a compose file?

[thaJeztah]

@vingrad this feature is not released yet (it will be in docker 1.12), also, that's a better question for the docker compose issue tracker; https://github.com/docker/compose/issues

[merryisfriend]

Now can we use sysctl option with a dockerfile? I have some of parameters to set in container. @rhatdan

[cpuguy83]

No, you can't persist sysctls in an image.

[vinujan59]

ubuntu@ip:~$ docker --version
Docker version 19.03.2, build 6a30dfc

ubuntu@ip:~$ uname -r
4.15.0-1051-aws

ubuntu@ip:~$ sysctl net.core.rmem_default
net.core.rmem_default = 212992

ubuntu@ip:~$ docker run  --privileged  -it ubuntu:16.04 uname -r
4.15.0-1051-aws

ubuntu@ip:~$ docker run  --privileged  -it ubuntu:16.04  sysctl net.core.rmem_default
sysctl: cannot stat /proc/sys/net/core/rmem_default: No such file or directory

ubuntu@ip:~$ docker run  --privileged --sysctl net.core.rmem_default=524288  -it ubuntu:16.04  /bin/bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write sysctl key net.core.rmem_default: open /proc/sys/net/core/rmem_default: no such file or directory\"": unknown.

ubuntu@ip:~$ docker run  --privileged  --network="host" -it ubuntu:16.04  sysctl net.core.rmem_default
net.core.rmem_default = 212992

• Have the latest docker version
• the host has the parameter net.core.rmem_default
• the same kernel will be used by the running container
• the container doesn't have this parameter and not settable as well
• but with host network mode, it can be verified in the container, the value is being shared
  -- implies that net.core.rmem_default is namespaced

is docker doesn't support net.core.rmem_default parameter?

[cpuguy83]

The kernel does not support setting that value in a non-root (that is "root" as in the base, not a user) network namespace.

[vinujan59]

Hi Brian,

Thank you for your reply.

I could not get the part "non-root network namespace".

Can you please ellaborate

Thanks