New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow setting some "safe" per-container sysctls #5095
Comments
This (and similar) is a system-wide setting, no? A quick search shows that several applications (e.g., riak, php, mysql) advise tuning /proc/sys parameters. We'll likely need a model for setting these parameters based on pod/container requirements (e.g., black-box configuration vs. semantic awareness of the knobs), and will need to decide what to do when different applications request different values (e.g., scheduling exclusion vs. max. of all requirements). |
It's not clear whether this one in particular is inherited from the system On Thu, Mar 5, 2015 at 9:16 AM, Brian Grant notifications@github.com
|
The reporter made it sound like it was a per-interface setting. |
I have it on good authority that the sysctls in |
Any progress on this? |
Docker 1.12 seems to receive support for per-container sysctls. |
@dchen1107 @vishh would be nice to queue this up, even though we'll On Tue, May 3, 2016 at 9:51 AM, janosi notifications@github.com wrote:
|
@thockin @erictune Given that moby/moby#19265 is done, how do you think sysctl options will be represented in our API? |
I expect it would be similar in structure. Either a per-pod or On Wed, May 4, 2016 at 11:07 AM, Vish Kannan notifications@github.com
|
@vishh I do not know whether it matters or not, but you referenced wrong Docker github issue. On pod vs. container level: one would think, it depends on whether a given parameter is in a pod level namespace or not, and consequently maybe both is needed (pod and container). According to the Docker issue above, the following sysctls are supported currently: As I understand, both IPC and Network namespaces are on pod level. So, for the time being, if one considers only the current set of sysctls, a pod level option would be fine. But of course, it is your decision if you want to prepare for a future option in a per-container namespace. One more thing: Docker does not allow the definition of these sysctls if the host namespace is used for the relevant parameter. I wonder if you would like to implement similar logic based on the other parameters of the pod, or you just let Docker to do its job. |
Issues go stale after 30d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
looks like it's already in safe list? |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
A GCE ContainerVM used on IRC asked how to set SOMAXCONN within his container.
That is not possible in an unprivileged container because
/proc/sys
is not writeable.If the user tries to set
containerManifest.containers[i].privileged=true
then a validation error occurs.I can't tell if that validation error is occuring only at the kubelet or also at some layer of the containerVM system. At any rate, the user would at least need to set
--allow_privileged=true
on the kubelet. Not sure if that is possible with ContainerVM.For kubernetes, we would not want the user to have to set a blanket allow_privileged on kubelet and apiserver just to tune this parameter.
The text was updated successfully, but these errors were encountered: