// Copyright 2021 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package kernelconfig
import (
	"fmt"
	"sort"
	"strconv"
	"strings"

	"k8s.io/component-helpers/node/util/sysctl"
	"k8s.io/utils/pointer"

	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components"
	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/kubelet"
)
// component provides the kernel (sysctl) configuration for worker nodes; see
// Name and Config. It carries no state, so the zero value is fully usable.
type component struct{}
// New returns a new kernel config component.
func New() *component {
	c := component{}
	return &c
}
// Name returns the identifier under which this component is registered.
func (component) Name() string {
	const componentName = "kernel-config"
	return componentName
}
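// Config renders the kernel settings file for a worker group together with the
// systemd unit that applies it.
//
// The settings are assembled in three layers, each overriding the previous
// one: the package-level defaults in data, the values the kubelet needs when
// protectKernelDefaults is enabled (it cannot set them itself in that mode,
// see https://github.com/gardener/gardener/issues/7069), and finally the
// worker group's own ctx.Sysctls. Keys are emitted in sorted order so the
// generated file is deterministic.
//
// It returns the systemd-sysctl unit, the settings file and a nil error; the
// error result is part of the components interface and is never non-nil here.
func (component) Config(ctx components.Context) ([]extensionsv1alpha1.Unit, []extensionsv1alpha1.File, error) {
	settings := make(map[string]string, len(data)+len(ctx.Sysctls))
	for key, value := range data {
		settings[key] = value
	}

	if kubelet.ShouldProtectKernelDefaultsBeEnabled(&ctx.KubeletConfigParameters, ctx.KubernetesVersion) {
		// Needed configuration by kubelet
		// The kubelet sets these values but it is not able to when protectKernelDefaults=true
		// Ref https://github.com/gardener/gardener/issues/7069
		settings[sysctl.VMOvercommitMemory] = strconv.Itoa(sysctl.VMOvercommitMemoryAlways)
		settings[sysctl.VMPanicOnOOM] = strconv.Itoa(sysctl.VMPanicOnOOMInvokeOOMKiller)
		settings[sysctl.KernelPanicOnOops] = strconv.Itoa(sysctl.KernelPanicOnOopsAlways)
		settings[sysctl.KernelPanic] = strconv.Itoa(sysctl.KernelPanicRebootTimeout)
		settings[sysctl.RootMaxKeys] = strconv.Itoa(sysctl.RootMaxKeysSetting)
		settings[sysctl.RootMaxBytes] = strconv.Itoa(sysctl.RootMaxBytesSetting)
	}

	// Custom kernel settings for the worker group. They are applied last and
	// therefore take precedence over both the defaults and the kubelet-required
	// values above. Keys and values are written verbatim into the file: a value
	// containing a newline would yield additional lines in the generated
	// sysctl.d file, so callers are relied upon to pass plain "key = value"
	// pairs.
	// NOTE(review): presumably a worker overriding one of the
	// protectKernelDefaults values with a different setting makes the kubelet
	// refuse to start — confirm whether this should be rejected upstream.
	for key, value := range ctx.Sysctls {
		settings[key] = value
	}

	units := []extensionsv1alpha1.Unit{
		{
			// it needs to be reloaded, because the /etc/sysctl.d/ files are not present, when this is started for a first time
			Name:    "systemd-sysctl.service",
			Command: pointer.String("restart"),
			Enable:  pointer.Bool(true),
		},
	}

	files := []extensionsv1alpha1.File{
		{
			Path:        v1beta1constants.OperatingSystemConfigFilePathKernelSettings,
			Permissions: pointer.Int32(0644),
			Content: extensionsv1alpha1.FileContent{
				Inline: &extensionsv1alpha1.FileContentInline{
					Data: renderSysctlConf(settings),
				},
			},
		},
	}

	return units, files, nil
}

// renderSysctlConf serialises settings as "key = value" lines, one per entry
// and sorted by key so the output is stable across runs. The line format must
// not change: extensions may parse and modify the generated file.
func renderSysctlConf(settings map[string]string) string {
	keys := make([]string, 0, len(settings))
	for key := range settings {
		keys = append(keys, key)
	}
	sort.Strings(keys)

	// Build into a strings.Builder rather than concatenating with += in the
	// loop, which copies the whole buffer on every iteration.
	var b strings.Builder
	for _, key := range keys {
		fmt.Fprintf(&b, "%s = %s\n", key, settings[key])
	}
	return b.String()
}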
// data holds the default sysctl settings written to the kernel-settings file
// of every worker node by Config. Per-worker ctx.Sysctls may override any of
// these entries.
// Do not change the encoding here because extensions might modify it!
var data = map[string]string{
	// A higher vm.max_map_count is great for elasticsearch, mongo, or other mmap users
	// See https://github.com/kubernetes/kops/issues/1340
	"vm.max_map_count": "135217728",
	// Panic (and thereby reboot, see kernel.panic when protectKernelDefaults is on)
	// instead of hanging on a soft lockup; dump backtraces of all CPUs first.
	// See https://github.com/kubernetes/kubernetes/pull/38001
	"kernel.softlockup_panic":             "1",
	"kernel.softlockup_all_cpu_backtrace": "1",
	// See https://github.com/kubernetes/kube-deploy/issues/261
	// Increase the number of connections
	"net.core.somaxconn": "32768",
	// Maximum Socket Receive Buffer
	"net.core.rmem_max": "16777216",
	// Maximum Socket Send Buffer
	"net.core.wmem_max": "16777216",
	// explicitly enable IPv4 forwarding for all interfaces by default if not enabled by the OS image already
	// (presumably required for pod-to-pod routing on the node — verify against the CNI in use)
	"net.ipv4.conf.all.forwarding":     "1",
	"net.ipv4.conf.default.forwarding": "1",
	// Log "martian" packets (impossible source addresses). This only logs, it
	// does not drop them; the log lines are useful for spotting spoofing or
	// misrouting.
	"net.ipv4.conf.default.log_martians": "1",
	// Increase the maximum total buffer-space allocatable
	"net.ipv4.tcp_wmem": "4096 12582912 16777216",
	"net.ipv4.tcp_rmem": "4096 12582912 16777216",
	// Mitigate broken TCP connections
	// https://github.com/kubernetes/kubernetes/issues/41916#issuecomment-312428731
	"net.ipv4.tcp_retries2": "8",
	// Increase the number of outstanding syn requests allowed
	"net.ipv4.tcp_max_syn_backlog": "8096",
	// For persistent HTTP connections
	"net.ipv4.tcp_slow_start_after_idle": "0",
	// Allow TIME-WAIT sockets to be reused for new outgoing connections so
	// that bursts of short-lived connections do not exhaust local ports.
	// NOTE(review): the earlier comment spoke of the TIME-WAIT bucket pool
	// size; that is a different knob (tcp_max_tw_buckets), which is not set here.
	"net.ipv4.tcp_tw_reuse": "1",
	// Allowed local port range.
	"net.ipv4.ip_local_port_range": "32768 65535",
	// Max number of packets that can be queued on interface input
	// If kernel is receiving packets faster than can be processed
	// this queue increases
	"net.core.netdev_max_backlog": "16384",
	// Increase size of file handles and inode cache
	"fs.file-max": "20000000",
	// Max number of inotify instances and watches for a user
	// Since dockerd runs as a single user, the default instances value of 128 per user is too low
	// e.g. uses of inotify: nginx ingress controller, kubectl logs -f
	"fs.inotify.max_user_instances": "8192",
	"fs.inotify.max_user_watches":   "524288",
	// HANA requirement
	// See https://www.sap.com/developer/tutorials/hxe-ua-install-using-docker.html
	"fs.aio-max-nr": "262144",
	// Kill the affected process as soon as an uncorrectable memory error is
	// detected, rather than waiting until the corrupted page is accessed.
	"vm.memory_failure_early_kill": "1",
	// A common problem on Linux systems is running out of space in the conntrack table,
	// which can cause poor iptables performance.
	// This can happen if you run a lot of workloads on a given host,
	// or if your workloads create a lot of TCP connections or bidirectional UDP streams.
	"net.netfilter.nf_conntrack_max": "1048576",
}