diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 92a41383de..ba37eb1842 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -21,7 +21,6 @@ import (
 "crypto/tls"
 "errors"
 "fmt"
- "io/ioutil"
 "math/rand"
 "net"
 "net/http"
@@ -30,7 +29,6 @@ import (
 "os"
 "path"
 "strconv"
- "strings"
 "time"
 "github.com/golang/glog"
@@ -824,42 +822,6 @@ func RunKubelet(kubeFlags *options.KubeletFlags, kubeCfg *componentconfig.Kubele
 rlimit.RlimitNumFiles(uint64(kubeCfg.MaxOpenFiles))
- // TODO(dawnchen): remove this once we deprecated old debian containervm images.
- // This is a workaround for issue: https://github.com/opencontainers/runc/issues/726
- // The current chosen number is consistent with most of other os dist.
- const maxKeysPath = "/proc/sys/kernel/keys/root_maxkeys"
- const minKeys uint64 = 1000000
- key, err := ioutil.ReadFile(maxKeysPath)
- if err != nil {
- glog.Errorf("Cannot read keys quota in %s", maxKeysPath)
- } else {
- fields := strings.Fields(string(key))
- nKey, _ := strconv.ParseUint(fields[0], 10, 64)
- if nKey < minKeys {
- glog.Infof("Setting keys quota in %s to %d", maxKeysPath, minKeys)
- err = ioutil.WriteFile(maxKeysPath, []byte(fmt.Sprintf("%d", uint64(minKeys))), 0644)
- if err != nil {
- glog.Warningf("Failed to update %s: %v", maxKeysPath, err)
- }
- }
- }
- const maxBytesPath = "/proc/sys/kernel/keys/root_maxbytes"
- const minBytes uint64 = 25000000
- bytes, err := ioutil.ReadFile(maxBytesPath)
- if err != nil {
- glog.Errorf("Cannot read keys bytes in %s", maxBytesPath)
- } else {
- fields := strings.Fields(string(bytes))
- nByte, _ := strconv.ParseUint(fields[0], 10, 64)
- if nByte < minBytes {
- glog.Infof("Setting keys bytes in %s to %d", maxBytesPath, minBytes)
- err = ioutil.WriteFile(maxBytesPath, []byte(fmt.Sprintf("%d", uint64(minBytes))), 0644)
- if err != nil {
- glog.Warningf("Failed to update %s: %v", maxBytesPath, err)
- }
- }
- }
-
 // process pods and exit.
 if runOnce {
 if _, err := k.RunOnce(podCfg.Updates()); err != nil {
diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
index 52f9f32fc0..062e536fa7 100644
--- a/pkg/kubelet/cm/container_manager_linux.go
+++ b/pkg/kubelet/cm/container_manager_linux.go
@@ -312,6 +312,8 @@ func setupKernelTunables(option KernelTunableBehavior) error {
 utilsysctl.VmPanicOnOOM: utilsysctl.VmPanicOnOOMInvokeOOMKiller,
 utilsysctl.KernelPanic: utilsysctl.KernelPanicRebootTimeout,
 utilsysctl.KernelPanicOnOops: utilsysctl.KernelPanicOnOopsAlways,
+ utilsysctl.RootMaxKeys: utilsysctl.RootMaxKeysSetting,
+ utilsysctl.RootMaxBytes: utilsysctl.RootMaxBytesSetting,
 }
 sysctl := utilsysctl.New()
diff --git a/pkg/util/sysctl/sysctl.go b/pkg/util/sysctl/sysctl.go
index e58b99d301..5c01dd88e7 100644
--- a/pkg/util/sysctl/sysctl.go
+++ b/pkg/util/sysctl/sysctl.go
@@ -29,12 +29,17 @@ const (
 VmPanicOnOOM = "vm/panic_on_oom"
 KernelPanic = "kernel/panic"
 KernelPanicOnOops = "kernel/panic_on_oops"
+ RootMaxKeys = "kernel/keys/root_maxkeys"
+ RootMaxBytes = "kernel/keys/root_maxbytes"
 VmOvercommitMemoryAlways = 1 // kernel performs no memory over-commit handling
 VmPanicOnOOMInvokeOOMKiller = 0 // kernel calls the oom_killer function when OOM occurs
 KernelPanicOnOopsAlways = 1 // kernel panics on kernel oops
 KernelPanicRebootTimeout = 10 // seconds after a panic for the kernel to reboot
+
+ RootMaxKeysSetting = 1000000 // Needed since docker creates a new key per container
+ RootMaxBytesSetting = RootMaxKeysSetting * 25 // allocate 25 bytes per key * number of MaxKeys
 )
 // An injectable interface for running sysctl commands.
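Review bot: The two new map entries turn the keyring quota from a floor into a pinned value: the code this replaces in cmd/kubelet/app/server.go only wrote root_maxkeys/root_maxbytes when the current value was below the minimum (`if nKey < minKeys`), whereas a desired-state map in setupKernelTunables is, if it is compared for equality like the existing entries, going to treat an operator-raised quota as a mismatch and lower it, warn about it or fail depending on the KernelTunableBehavior option. A node whose administrator deliberately raised root_maxkeys for heavy container churn would then have it reduced to 1000000 in modify mode, the opposite of what the workaround intended, or be reported as misconfigured in the other modes. If the comparison is indeed an inequality, consider treating these two keys as minimums, or at least add `// pinned, not a minimum: an operator-raised quota is reset` next to the entries so the behavior change is explicit. setupKernelTunables starts and ends outside the hunk, so the comparison itself is not visible here.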
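Review bot: The comment on RootMaxKeysSetting drops the context the removed kubelet code carried — that the override is a workaround for https://github.com/opencontainers/runc/issues/726 on old debian containervm images, with a TODO to remove it once those are deprecated — so a later maintainer cannot tell when the constants can go. I would keep that on the constant, e.g. `RootMaxKeysSetting = 1000000 // workaround for https://github.com/opencontainers/runc/issues/726 (docker creates a key per container); TODO(dawnchen): drop once old debian containervm images are deprecated`. The two new comments would also read better in the lowercase kernel-behavior style the neighbouring constants use ("kernel panics on kernel oops"), e.g. `RootMaxBytesSetting = RootMaxKeysSetting * 25 // 25 bytes per key, matching the previous 25000000 floor`.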