Merge pull request #43005 from cmluciano/cml/consolidatesysctl

Automatic merge from submit-queue (batch tested with PRs 43005, 46660, 46385, 46991, 47103) Consolidate sysctl commands for kubelet **What this PR does / why we need it**: These commands are important enough to be in the Kubelet itself. By default, Ubuntu 14.04 and Debian Jessie have these set to 200 and 20000. Without this setting, nodes are limited in the number of containers that they can start. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #26005 **Special notes for your reviewer**: I had a difficult time writing tests for this. It is trivial to create a fake sysctl for testing, but the Kubelet does not have any tests for the prior settings. **Release note**: ```release-note ```
2017-06-07 13:30:54 -07:00 · 2017-06-07 13:30:54 -07:00 · 69342bd1df
parent 783b940c30 bafabcbb44
commit 69342bd1df
3 changed files with 7 additions and 38 deletions
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@ -23,7 +23,6 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"math/rand"
 	"net"
 	"net/http"
@ -32,7 +31,6 @@ import (
 	"os"
 	"path"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/golang/glog"
@ -934,42 +932,6 @@ func RunKubelet(kubeFlags *options.KubeletFlags, kubeCfg *componentconfig.Kubele

 	rlimit.RlimitNumFiles(uint64(kubeCfg.MaxOpenFiles))

-	// TODO(dawnchen): remove this once we deprecated old debian containervm images.
-	// This is a workaround for issue: https://github.com/opencontainers/runc/issues/726
-	// The current chosen number is consistent with most of other os dist.
-	const maxKeysPath = "/proc/sys/kernel/keys/root_maxkeys"
-	const minKeys uint64 = 1000000
-	key, err := ioutil.ReadFile(maxKeysPath)
-	if err != nil {
-		glog.Errorf("Cannot read keys quota in %s", maxKeysPath)
-	} else {
-		fields := strings.Fields(string(key))
-		nKey, _ := strconv.ParseUint(fields[0], 10, 64)
-		if nKey < minKeys {
-			glog.Infof("Setting keys quota in %s to %d", maxKeysPath, minKeys)
-			err = ioutil.WriteFile(maxKeysPath, []byte(fmt.Sprintf("%d", uint64(minKeys))), 0644)
-			if err != nil {
-				glog.Warningf("Failed to update %s: %v", maxKeysPath, err)
-			}
-		}
-	}
-	const maxBytesPath = "/proc/sys/kernel/keys/root_maxbytes"
-	const minBytes uint64 = 25000000
-	bytes, err := ioutil.ReadFile(maxBytesPath)
-	if err != nil {
-		glog.Errorf("Cannot read keys bytes in %s", maxBytesPath)
-	} else {
-		fields := strings.Fields(string(bytes))
-		nByte, _ := strconv.ParseUint(fields[0], 10, 64)
-		if nByte < minBytes {
-			glog.Infof("Setting keys bytes in %s to %d", maxBytesPath, minBytes)
-			err = ioutil.WriteFile(maxBytesPath, []byte(fmt.Sprintf("%d", uint64(minBytes))), 0644)
-			if err != nil {
-				glog.Warningf("Failed to update %s: %v", maxBytesPath, err)
-			}
-		}
-	}
-
 	// process pods and exit.
 	if runOnce {
 		if _, err := k.RunOnce(podCfg.Updates()); err != nil {
--- a/pkg/kubelet/cm/container_manager_linux.go
+++ b/pkg/kubelet/cm/container_manager_linux.go
@ -312,6 +312,8 @@ func setupKernelTunables(option KernelTunableBehavior) error {
 		utilsysctl.VmPanicOnOOM:       utilsysctl.VmPanicOnOOMInvokeOOMKiller,
 		utilsysctl.KernelPanic:        utilsysctl.KernelPanicRebootTimeout,
 		utilsysctl.KernelPanicOnOops:  utilsysctl.KernelPanicOnOopsAlways,
+		utilsysctl.RootMaxKeys:        utilsysctl.RootMaxKeysSetting,
+		utilsysctl.RootMaxBytes:       utilsysctl.RootMaxBytesSetting,
 	}

 	sysctl := utilsysctl.New()
--- a/pkg/util/sysctl/sysctl.go
+++ b/pkg/util/sysctl/sysctl.go
@ -29,12 +29,17 @@ const (
 	VmPanicOnOOM       = "vm/panic_on_oom"
 	KernelPanic        = "kernel/panic"
 	KernelPanicOnOops  = "kernel/panic_on_oops"
+	RootMaxKeys        = "kernel/keys/root_maxkeys"
+	RootMaxBytes       = "kernel/keys/root_maxbytes"

 	VmOvercommitMemoryAlways    = 1 // kernel performs no memory over-commit handling
 	VmPanicOnOOMInvokeOOMKiller = 0 // kernel calls the oom_killer function when OOM occurs

 	KernelPanicOnOopsAlways  = 1  // kernel panics on kernel oops
 	KernelPanicRebootTimeout = 10 // seconds after a panic for the kernel to reboot
+
+	RootMaxKeysSetting  = 1000000                 // Needed since docker creates a new key per container
+	RootMaxBytesSetting = RootMaxKeysSetting * 25 // allocate 25 bytes per key * number of MaxKeys
 )

 // An injectable interface for running sysctl commands.