Add support for sysctl options in services

[dperny]

- What I did
Adds support for sysctl options in docker services.

• Adds API plumbing for creating services with sysctl options set.
• Adds swagger.yaml documentation for new API field.
• Changes executor package to make use of the Sysctls field on objects
• Includes integration test to verify that new behavior works.

Essentially, everything needed to support the equivalent of docker run's --sysctl option except the CLI.

Depends on docker/swarmkit#2729, which is not merged yet, and so has my fork branch of swarmkit vendored in to demonstrate passing integration test.

- How I did it

Altered all of the API objects and plumbing to accommodate the new field, which swarmkit blindly passes into the executor.

- How to verify it

Includes an integration test.

Related issues:

• partially addresses #25209 Add support for --security-opt, --syscall, --ulimit...to swarm mode
• fixes/addresses #31961 Configure namespaced kernel parameters use docker service
• fixes/addresses #33649 Daemon default values of namespaced kernel parameters
• fixes/addresses #31208 Idle connections over overlay network ends up in a broken state after 15 minutes
• fixes/addresses #37466 #37466 (comment) connections get "stuck" in swarm between wildfly and postgres
• fixes/addresses #35082 [SWARM] Very poor performance for ingress network with lots of parallel requests
• fixes/addresses #31746 Pauses/delays with overlay network on swarm
• fixes/addresses docker-library/redis#35 WARNING: /proc/sys/net/core/somaxconn is set to the lower value of 128
• relates to moby/libentitlement#35 Support sysctl / kernel params configuration

- Description for the changelog

Add support for sysctl options on docker services.

[thaJeztah]

Thanks! Left comments/thoughts inline. We should also look at the docker/cli side for this (and add this option to the docker-compose file format)

[thaJeztah]

Can you add a skip for older daemon versions? (assuming this is planned for inclusion in API 1.39)

	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.39"), "feature was added in API version 1.39")

[thaJeztah]

Do we need a separate test for service update ? (perhaps overkill)

[dperny]

Yes, we should make one, actually, to verify that service update goes through correctly when Sysctls are changed.

[thaJeztah]

Wondering if a subtest would make this clearer 🤔

for _, expected := range []string{"0", "1"} {
    t.Run(fmt.Sprintf("net.ipv4.ip_nonlocal_bind = %s", expected), func(t *testing.T) {
		// store the map we're going to be using everywhere.
 		sysctlOpts := map[string]string{"net.ipv4.ip_nonlocal_bind": expected}
 		...            
    })
}

[dperny]

I don't think that a subtest is useful honestly, because it's just 1 test, we're just trying two values so we don't have to know what the default is.

[thaJeztah]

Was looking if we should have a more generic service create test where we define a list of specs to create services with. Agreed that it's just a minor issue; advantage would be to more easily find which of the test-cases failed

[thaJeztah]

Services should already be removed when the test completes, so I think we can skip this, and just continue with the next iteration

[thaJeztah]

We don't need a name for this service, so better remove it, and just use the serviceID (which is already used)

[thaJeztah]

Remove the name

[thaJeztah]

Should we use service logs instead?

[dperny]

As the person ostensibly responsible for service logs, no.

[thaJeztah]

In that case, we must skip the test if it's running on a multi-node swarm.

[thaJeztah]

Let me think about this;

Instead of using the container's / service's logs to check if the value was set, could we abuse the container's command for this (something like if cat /proc/sys/net/ipv4/ip_nonlocal_bind != expected value; exit 1)?

Thinking a bit further about this; I'm wondering if we need to check this at all. Creating a container with custom sysctl settings is an existing feature. The only thing being added in this PR is that that container is now created through SwarmKit instead of docker run.

Because of that, I think all we need to verify is if the container-spec is correct (the expected sysctl options are set).

[dperny]

Instead of using the container's / service's logs to check if the value was set, could we abuse the container's command for this (something like if cat /proc/sys/net/ipv4/ip_nonlocal_bind != expected value; exit 1)?

What do you think is better about doing it this way? Having containers exit in a swarm service test leaves us dealing with swarmkit rescheduling those containers.

Thinking a bit further about this; I'm wondering if we need to check this at all. Creating a container with custom sysctl settings is an existing feature. The only thing being added in this PR is that that container is now created through SwarmKit instead of docker run.

We do, actually, to make sure that the value of the Sysctls is plumbed through correctly. When writing this test, I actually missed a location where the value was plumbed through and so the value was making its way into the container spec, but not into the actual container.

[thaJeztah]

We do, actually, to make sure that the value of the Sysctls is plumbed through correctly.

Discussed this with @dperny on Slack; inspecting the container should contain enough information that the correct container-spec was created. Creating containers from a spec/config is already covered by other tests, so for this feature we don't have to test that part 👍

[thaJeztah]

Can you add an example here?

Sysctls:
  description: "Set kernel namedspaced parameters (sysctls) in the container."
  type: "object"
  additionalProperties:
    type: "string"
  example:
    net.ipv4.tcp_keepalive_time: "600"
    net.ipv4.tcp_keepalive_intvl: "60"
    net.ipv4.tcp_keepalive_probes: "3"
    net.ipv4.tcp_timestamps: "0"

[dperny]

Is there a way to reference or crosslink to the documentation for this option on the container HostConfig?

[thaJeztah]

Hm; good one, perhaps just refer to it in the description 🤔 ("this option accepts the same sysctls as can be specified for containers", or something along those lines 😂)

[thaJeztah]

Can you update the API version history, and add a bullet for this new option? https://github.com/moby/moby/blob/master/docs/api/version-history.md#v139-api-changes

(make sure to mention all of POST /services/create, POST /services/{id}/update, and GET /services/{id})

[dperny]

Ah I always forget the API version history.

[thaJeztah]

missed a closing back tic after Sysctls

[thaJeztah]

👍 Good one; wondering now if creating a service without ContainerSpec is actually a valid request.

Not something to address in this PR, but just wondering that; and if we should validate/error in that situation 🤔

[codecov]

Codecov Report

Merging #37701 into master will increase coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master   #37701      +/-   ##
==========================================
+ Coverage   36.12%   36.14%   +0.01%     
==========================================
  Files         610      610              
  Lines       45083    45086       +3     
==========================================
+ Hits        16288    16297       +9     
+ Misses      26555    26551       -4     
+ Partials     2240     2238       -2

[thaJeztah]

LGTM after the t.Skip() is added for API < 1.39
https://github.com/moby/moby/pull/37701/files#r212267159

of course, depends on the upstream swarmkit PR to be merged

[dperny]

I forgot to add the t.Skip(), so I'll go back and do so when I revendor swarmkit

[dperny]

@thaJeztah updated the swagger.yml description of the Sysctls option in container specs. It should be much more clear. PTAL.

[thaJeztah]

Upstream was merged; can you un-fork the dependency?

[thaJeztah]

OH, can you also add the example to the swagger YAML (see my comment here; #37701 (comment))

[anshulpundir]

Move this to a function and use it here and below.

[dperny]

i disagree, but mostly because i'm unsure what the best signature for that function would be, and considering it's only like 8 lines duplicated, i don't think there's much of a benefit to the refactoring.

[anshulpundir]

every duplicated line of code counts :)
But that's borderline bikeshedding

[wk8]

I would tend to agree with @anshulpundir here (though the question of the fun's signature is indeed interesting!)

Also, I'm a little worried that this file is gonna get littered with version checks really fast if we really want to ensure never adding new features to frozen versions; don't get me wrong, it makes sense, but I'm actually quite surprised there's only one check as of now. There's certainly going to be a lot more if we do all of #25303 . There might be a better way of doing this?

[vdemeester]

just for the sake of it, I tend to agree with @dperny : sometimes a little duplication is better than the wrong abstraction… once we find a correct abstraction for those, we'll refactor 😉

[anshulpundir]

Is this only used in the unit-test?

[dperny]

Yes (well, it's technically an integration test), but a lot of these functions are only used in one test.

[dperny]

Reworded the api/swagger.yaml to more clearly state that the same sysctls as containers are supported, and hopefully clear up @thaJeztah's request for examples.

[wk8]

I don't understand why this is needed?

[wk8]

(to elaborate a bit more: shouldn't this be nil anyway if it's not present in the request?)

[wk8]

Nevermind, https://github.com/moby/moby/pull/37701/files#r212351421 . Makes sense :)

[wk8]

Shouldn't we have a similar test for updates too?

[dperny]

there isn't one for the other things tested here.

[cballou]

The pre-req, docker/swarmkit#2729, was already merged into master 22 days ago.

How close are we to seeing this in nightly? I'm really looking to utilize the addition of sysctls to my docker compose files to run in combination with swarm and docker stack deploy. It's a performance blocker for high IO applications.

[cballou]

@vdemeester Just checking if it's possible to get this in docker-ce 18.9.0 beta. I'm literally in the process of migrating to k8s because they have --allowed-unsafe-sysctls implemented already. It's not feasible to run a production level swarm stack under high throughput without this fixed. Customization at the sysctl level is necessary.

[dperny]

I had an error from not running swagger generation. However, when I ran it, container_wait.go was altered. I do not know if this change is of any impact @thaJeztah.

[dave-receptiviti]

During a load test against one of our containers, we found that hitting the container directly, outside of swarm mode, resulted in 1.8x more throughput than when that container was running as one service instance in a one node Swarm.

Like @dperny and @cballou, we are really looking forward to having performance fixes / sysctl options expedited

[thaJeztah]

LGTM

ping @vdemeester @anshulpundir PTAL

[vdemeester]

LGTM 🐯

[vdemeester]

just for the sake of it, I tend to agree with @dperny : sometimes a little duplication is better than the wrong abstraction… once we find a correct abstraction for those, we'll refactor 😉

[marzlarz]

So are we finally able to set "sysctl" options for Docker services or is this just the underlying updates required to eventually expose this to the CLI ?

[cballou]

So I see that the API version was changed from 1.3.9 to 1.4.0. Is there a tentative release of that schedule in the near future? The documentation currently points to a non-existent page of the version:

https://docs.docker.com/engine/api/v1.40/

[thaJeztah]

@cballou API v1.40 is not finalised yet (as in; changes will still arrive). That version will be included in the next Docker release (after Docker 18.09, which has API v1.39)