Add support for setting sysctls by rhatdan · Pull Request #19265 · moby/moby

rhatdan · 2016-01-12T18:50:52Z

This patch will allow users to specify namespace specific "kernel parameters"
for running inside of a container.

Dan Walsh dwalsh@redhat.com

Signed-off-by: Dan Walsh dwalsh@redhat.com

rhatdan · 2016-01-12T18:51:27Z

This pull request replaces #16632

rhatdan · 2016-01-12T19:43:43Z

Opened pull request for engine-api docker-archive-public/docker.engine-api#38

thaJeztah · 2016-01-12T20:03:53Z

should we say "not valid" here, or something that gives the user a clue that it's not supported / whitelisted?

How about
sysctl %s is not a namespaced kernel parameter

could work; is that true for all kernel versions though? Perhaps we should mention that we don't support it in stead? Open to better suggestions though

Well then we get a bug report telling us it is a namespaced kernel parameter. If we say unsupported, user might ignore.

IMO mentioning that it's "not whitelisted" makes it more clear to the user that they can come make the case for why it should be added 😇

Well if you guys come to consensus I will change the message. :^)

I'm good with "not whitelisted"

and good news; this has been moved to code review!

cpuguy83 · 2016-01-29T19:33:05Z

Are all these actually namespaced from 3.10+?

man namespaces ... IPC namespaces (CLONE_NEWIPC) ... * The System V IPC interfaces in /proc/sys/kernel, namely: msgmax, msgmnb, msgmni, sem, shmall, shmmax, shmmni, and shm_rmid_forced.

would you consider adding kernel.perf_event_paranoid and kernel.kptr_restrict to the whitelist?

as a use case: i'm working on a proof of concept around flame graphs, visualizing perf event data in a containerized node.js app following along the work here https://gist.github.com/trevnorris/9616784.

have had a devil of a time sorting out getting these kernel parameters to stick in a running container. came upon your PR, and am stoked to see a --sysctl flag in the works.

@mysterlune Do you know if these sysctls are namespaced? If you set them inside of the container, do the settings show up outside of the container? If not, then we would add them, if yes then we will not add them.

You could test this by running a --privileged container.

hey @rhatdan,

so i ran the container with the --privileged flag as such (as you can see, i'm on a mac; unsure if this matters to this experiment):

docker run -d -p 8080:8080 --name foobar -v /Users/rlune/gitproj/observable_node_poc:/src -v /Users/rlune/gitproj/observable_node_poc:/tmp --privileged observable-node-poc

... and got:

d137a82d7731ab095c484d0e70dd96081c275cf43c50100128ad5ea44e40cb01

... then, exec'd a bash session:

docker exec -it d137a82d7731ab095c484d0e70dd96081c275cf43c50100128ad5ea44e40cb01 bash

... checked the host machine for the kernel flags next...:

16:24 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.perf_event_paranoid 16:25 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.kptr_restrict

... received no output for each lookup. then, set the flags on the instance running in the container:

[root@d137a82d7731 app]# sysctl -w kernel.kptr_restrict=1 kernel.kptr_restrict = 1 [root@d137a82d7731 app]# sysctl -w kernel.perf_event_paranoid=1 kernel.perf_event_paranoid = 1

... read the keys on the image:

[root@d137a82d7731 app]# sysctl -a | grep kernel.kptr_restrict kernel.kptr_restrict = 1 sysctl: reading key "net.ipv6.conf.all.stable_secret" sysctl: reading key "net.ipv6.conf.default.stable_secret" sysctl: reading key "net.ipv6.conf.eth0.stable_secret" sysctl: reading key "net.ipv6.conf.lo.stable_secret" [and got the same sort of output for the `kernel.perf_event_paranoid` also]

... then checked the host machine again:

16:24 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.perf_event_paranoid 16:25 rlune@oakm111430f01:~/gitproj/observable_node_poc $ sysctl -a | grep kernel.kptr_restrict

... and did not see any lookup output for those keys.

is this test sufficient to determine that the kernel.perf_event_paranoid and kernel.kptr_restrict keys are namespaced in a way that will allow their addition to this PR?

Not sure if it is enough, but it certainly looks good. I guess if you ran another container and made sure they were different.

@jeremyeder PTAL

dang it... it doesn't look like those flags are namespaced if i run two containers and set the flags within one of them... they show up as such in the other...

so, how does a flag get "namespaced" so that this collision doesn't happen?

You write a kernel patch. :^(

rhatdan · 2016-02-09T18:10:05Z

Now that we are in docker-1.11 could we get this pull request moving. @calavera @cpuguy83

thaJeztah · 2016-02-18T19:45:37Z

We're okay with this, moving to code review, unless @crosbymichael has major concerns

thaJeztah · 2016-02-29T12:15:22Z

ping @calavera @cpuguy83 PTAL

cpuguy83 · 2016-02-29T15:54:11Z

Just need to update the engine-api vendor, otherwise code LGTM.

thaJeztah · 2016-03-02T21:25:00Z

Looks like this needs another rebase @rhatdan 😢

rhatdan · 2016-03-02T22:01:15Z

Done.

thaJeztah · 2016-04-13T16:21:40Z

ping @vdemeester ptal

vdemeester · 2016-04-13T16:36:21Z

LGTM 🐰
gccgo is SUCCESS and windowsTP5 fails with a known flakey test.. merging 😉

thaJeztah · 2016-04-13T16:37:34Z

🎉 thanks @rhatdan!

brunoborges · 2016-04-28T02:21:20Z

Has anybody tested --sysctl to tweak net.ipv4.tcp_syn_retries to reduce global timeout for TCP connections inside the container? Does it work?

Upstream reference: moby#19265 This patch will allow users to specify namespace specific "kernel parameters" for running inside of a container. Signed-off-by: Dan Walsh <dwalsh@redhat.com> Signed-off-by: Antonio Murdaca <runcom@redhat.com>

vingrad · 2016-06-09T13:02:17Z

How can I use sysctl option with a compose file?

thaJeztah · 2016-06-09T13:33:22Z

@vingrad this feature is not released yet (it will be in docker 1.12), also, that's a better question for the docker compose issue tracker; https://github.com/docker/compose/issues

This patch will allow users to specify namespace specific "kernel parameters" for running inside of a container. cherry-pick from: moby#19265 conflicts: contrib/completion/bash/docker docs/reference/commandline/create.md docs/reference/commandline/run.md man/docker-create.1.md man/docker-run.1.md runconfig/opts/parse.go Signed-off-by: Dan Walsh <dwalsh@redhat.com> Signed-off-by: Lei Jitang <leijitang@huawei.com>

Add support for setting sysctls This patch will allow users to specify namespace specific "kernel parameters" for running inside of a container. cherry-pick from: moby#19265 conflicts: contrib/completion/bash/docker docs/reference/commandline/create.md docs/reference/commandline/run.md man/docker-create.1.md man/docker-run.1.md runconfig/opts/parse.go Signed-off-by: Dan Walsh <dwalsh@redhat.com> Signed-off-by: Lei Jitang <leijitang@huawei.com> This is a feature request from euleros. See merge request docker/docker!385

merryisfriend · 2017-12-06T08:35:44Z

Now can we use sysctl option with a dockerfile? I have some of parameters to set in container. @rhatdan

cpuguy83 · 2017-12-06T11:45:16Z

No, you can't persist sysctls in an image.

vinujan59 · 2019-10-10T06:30:32Z

ubuntu@ip:~$ docker --version
Docker version 19.03.2, build 6a30dfc

ubuntu@ip:~$ uname -r
4.15.0-1051-aws

ubuntu@ip:~$ sysctl net.core.rmem_default
net.core.rmem_default = 212992

ubuntu@ip:~$ docker run  --privileged  -it ubuntu:16.04 uname -r
4.15.0-1051-aws

ubuntu@ip:~$ docker run  --privileged  -it ubuntu:16.04  sysctl net.core.rmem_default
sysctl: cannot stat /proc/sys/net/core/rmem_default: No such file or directory

ubuntu@ip:~$ docker run  --privileged --sysctl net.core.rmem_default=524288  -it ubuntu:16.04  /bin/bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write sysctl key net.core.rmem_default: open /proc/sys/net/core/rmem_default: no such file or directory\"": unknown.

ubuntu@ip:~$ docker run  --privileged  --network="host" -it ubuntu:16.04  sysctl net.core.rmem_default
net.core.rmem_default = 212992

Have the latest docker version
the host has the parameter net.core.rmem_default
the same kernel will be used by the running container
the container doesn't have this parameter and not settable as well
but with host network mode, it can be verified in the container, the value is being shared
-- implies that net.core.rmem_default is namespaced

is docker doesn't support net.core.rmem_default parameter?

cpuguy83 · 2019-10-10T13:11:21Z

The kernel does not support setting that value in a non-root (that is "root" as in the base, not a user) network namespace.

vinujan59 · 2019-10-10T13:34:11Z

Hi Brian,

Thank you for your reply.

I could not get the part "non-root network namespace".

Can you please ellaborate

Thanks

GordonTheTurtle added the status/0-triage label Jan 12, 2016

rhatdan mentioned this pull request Jan 12, 2016

Set sysctl/Namespace kernel parameters within the container docker-archive-public/docker.engine-api#38

Merged

thaJeztah reviewed Jan 12, 2016
View reviewed changes

rhatdan force-pushed the netsysctl branch from 6a3f8b9 to 21e01f7 Compare January 13, 2016 14:31

calavera added status/1-design-review and removed status/0-triage labels Jan 13, 2016

cpuguy83 reviewed Jan 29, 2016
View reviewed changes

rhatdan force-pushed the netsysctl branch from 21e01f7 to 5d88bfd Compare February 8, 2016 15:21

thaJeztah added the status/needs-attention Calls for a collective discussion during a review session label Feb 15, 2016

thaJeztah added status/2-code-review and removed status/1-design-review status/needs-attention Calls for a collective discussion during a review session labels Feb 18, 2016

rhatdan force-pushed the netsysctl branch 3 times, most recently from 7269711 to ab2c413 Compare February 19, 2016 15:25

rhatdan force-pushed the netsysctl branch from ab2c413 to aad93e3 Compare February 26, 2016 21:24

icecrime added the status/failing-ci Indicates that the PR in its current state fails the test suite label Feb 29, 2016

rhatdan force-pushed the netsysctl branch from aad93e3 to 628dee5 Compare February 29, 2016 17:15

rhatdan force-pushed the netsysctl branch from 628dee5 to c32945f Compare March 2, 2016 22:01

rhatdan force-pushed the netsysctl branch 2 times, most recently from d6a278d to 1a5db4b Compare March 2, 2016 22:12

thaJeztah mentioned this pull request Mar 8, 2016

sysctl tunables #4717

Closed

vdemeester merged commit 988508a into moby:master Apr 13, 2016

This was referenced Apr 13, 2016

Shouldn't we set overcommit_memory=1? redis/docker-library-redis#19

Closed

WARNING: /proc/sys/net/core/somaxconn is set to the lower value of 128. redis/docker-library-redis#35

Closed

janosi mentioned this pull request May 3, 2016

Allow setting some "safe" per-container sysctls kubernetes/kubernetes#5095

Closed

marcelmfs mentioned this pull request May 4, 2016

ping host.net_default is instant, ping host takes 5 seconds consistently #21126

Closed

chris-rock mentioned this pull request May 25, 2016

Use travis for integration testing dev-sec/chef-os-hardening#115

Closed

jimmyxian mentioned this pull request Jun 6, 2016

Keep track of the missing API in Swarm docker-archive/classicswarm#2333

Closed

23 tasks

thaJeztah mentioned this pull request Jun 13, 2016

how can i change the value of /proc/sys/kernel/shmmax in a container? #10176

Closed

mdshuai mentioned this pull request Jul 12, 2016

Add sysctl proposal kubernetes/kubernetes#26057

Closed

12 tasks

This was referenced Jul 26, 2016

Add 'sysctl' option support docker/compose#3765

Closed

Add 'sysctl' option support docker/docker-py#1144

Closed

katieannemills mentioned this pull request Aug 13, 2016

Docker help IQuOD/AutoQC#185

Closed

ebr mentioned this pull request Aug 15, 2016

Support --sysctl rancher/rancher#5730

Closed

unsystemizer mentioned this pull request Apr 30, 2017

Optimization for MongoDB and redis - disable hugepages CounterpartyXCP/federatednode#295

Closed

thaJeztah mentioned this pull request Mar 20, 2018

sysctl "kern.maxfiles" is not in a separate kernel namespace: unknown #36640

Closed

Conversation

rhatdan commented Jan 12, 2016

Uh oh!

rhatdan commented Jan 12, 2016

Uh oh!

rhatdan commented Jan 12, 2016

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

rhatdan commented Feb 9, 2016

Uh oh!

thaJeztah commented Feb 18, 2016

Uh oh!

thaJeztah commented Feb 29, 2016

Uh oh!

cpuguy83 commented Feb 29, 2016

Uh oh!

thaJeztah commented Mar 2, 2016

Uh oh!

rhatdan commented Mar 2, 2016

Uh oh!

thaJeztah commented Apr 13, 2016

Uh oh!

vdemeester commented Apr 13, 2016

Uh oh!

thaJeztah commented Apr 13, 2016

Uh oh!

brunoborges commented Apr 28, 2016

Uh oh!

vingrad commented Jun 9, 2016

Uh oh!

thaJeztah commented Jun 9, 2016

Uh oh!

merryisfriend commented Dec 6, 2017

Uh oh!

cpuguy83 commented Dec 6, 2017

Uh oh!

vinujan59 commented Oct 10, 2019 • edited by thaJeztah Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cpuguy83 commented Oct 10, 2019 via email • edited by thaJeztah Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vinujan59 commented Oct 10, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

vinujan59 commented Oct 10, 2019 •

edited by thaJeztah

Loading

cpuguy83 commented Oct 10, 2019 via email •

edited by thaJeztah

Loading