mirror of https://github.com/k3s-io/k3s
Add sysctls for dockershim
parent
b1b8e9e403
commit
fee6daaa8d
|
@ -122,6 +122,13 @@ func (ds *dockerService) CreateContainer(podSandboxID string, config *runtimeApi
|
|||
Privileged: config.GetPrivileged(),
|
||||
}
|
||||
|
||||
// Set sysctls if requested
|
||||
sysctls, err := getSysctlsFromAnnotations(config.Annotations)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to get sysctls from annotations %v for container %q: %v", config.Annotations, config.Metadata.GetName(), err)
|
||||
}
|
||||
hc.Sysctls = sysctls
|
||||
|
||||
// Apply options derived from the sandbox config.
|
||||
if lc := sandboxConfig.GetLinux(); lc != nil {
|
||||
// Apply Cgroup options.
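Review bot: The error on the `return "", fmt.Errorf(...)` line interpolates the entire `config.Annotations` map with `%v`, so every pod annotation, not just the two sysctl keys, is copied into an error string that presumably surfaces as a pod event; annotations are user-controlled and can be large or carry data unrelated to this failure. Reporting only the container and the underlying error keeps the message bounded: `return "", fmt.Errorf("failed to get sysctls from annotations for container %q: %v", config.Metadata.GetName(), err)`; the makeSandboxDockerConfig hunk has the same pattern with `c.Annotations`. A why-comment on `hc.Sysctls = sysctls` would also help, since this code merges safe and unsafe sysctls without distinction: `// Safe and unsafe sysctls are applied alike here; whether unsafe ones are permitted must be enforced before this point.` — worth confirming where that gate lives, as it is not visible in this change. CreateContainer continues outside the hunk.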
|
||||
|
@ -166,7 +173,6 @@ func (ds *dockerService) CreateContainer(podSandboxID string, config *runtimeApi
|
|||
// Note: ShmSize is handled in kube_docker_client.go
|
||||
}
|
||||
|
||||
var err error
|
||||
hc.SecurityOpt, err = getContainerSecurityOpts(config.Metadata.GetName(), sandboxConfig, ds.seccompProfileRoot)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to generate container security options for container %q: %v", config.Metadata.GetName(), err)
|
||||
|
|
|
@ -224,6 +224,13 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeApi.PodSandboxConfig,
|
|||
HostConfig: hc,
|
||||
}
|
||||
|
||||
// Set sysctls if requested
|
||||
sysctls, err := getSysctlsFromAnnotations(c.Annotations)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get sysctls from annotations %v for sandbox %q: %v", c.Annotations, c.Metadata.GetName(), err)
|
||||
}
|
||||
hc.Sysctls = sysctls
|
||||
|
||||
// Apply linux-specific options.
|
||||
if lc := c.GetLinux(); lc != nil {
|
||||
// Apply Cgroup options.
|
||||
|
@ -265,7 +272,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeApi.PodSandboxConfig,
|
|||
setSandboxResources(hc)
|
||||
|
||||
// Set security options.
|
||||
var err error
|
||||
hc.SecurityOpt, err = getSandboxSecurityOpts(c, ds.seccompProfileRoot)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to generate sandbox security options for sandbox %q: %v", c.Metadata.GetName(), err)
|
||||
|
|
|
@ -27,6 +27,7 @@ import (
|
|||
dockernat "github.com/docker/go-connections/nat"
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
runtimeApi "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
||||
"k8s.io/kubernetes/pkg/kubelet/dockertools"
|
||||
"k8s.io/kubernetes/pkg/kubelet/types"
|
||||
|
@ -216,6 +217,27 @@ func getNetworkNamespace(c *dockertypes.ContainerJSON) string {
|
|||
return fmt.Sprintf(dockerNetNSFmt, c.State.Pid)
|
||||
}
|
||||
|
||||
// getSysctlsFromAnnotations gets sysctls from annotations.
|
||||
func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string, error) {
|
||||
var results map[string]string
|
||||
|
||||
sysctls, unsafeSysctls, err := api.SysctlsFromPodAnnotations(annotations)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(sysctls)+len(unsafeSysctls) > 0 {
|
||||
results = make(map[string]string, len(sysctls)+len(unsafeSysctls))
|
||||
for _, c := range sysctls {
|
||||
results[c.Name] = c.Value
|
||||
}
|
||||
for _, c := range unsafeSysctls {
|
||||
results[c.Name] = c.Value
|
||||
}
|
||||
}
|
||||
|
||||
return results, nil
|
||||
}
|
||||
|
||||
// dockerFilter wraps around dockerfilters.Args and provides methods to modify
|
||||
// the filter easily.
|
||||
type dockerFilter struct {
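Review bot: In getSysctlsFromAnnotations the second loop (`results[c.Name] = c.Value` over `unsafeSysctls`) silently overwrites an entry written by the first loop when the same sysctl name appears in both the safe and the unsafe annotation, so the unsafe value wins with no signal to the caller. Rejecting the collision is a three-line check inside the unsafe loop: `if _, dup := results[c.Name]; dup { return nil, fmt.Errorf("sysctl %q is specified in both safe and unsafe annotations", c.Name) }`. Whether a duplicate is already refused by api.SysctlsFromPodAnnotations is not visible here, so confirm before relying on either behavior. The doc comment could also state the contract the code actually implements: `// getSysctlsFromAnnotations merges the safe and unsafe sysctls declared in pod annotations into one name->value map; it returns a nil map when none are declared.`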
|
||||
|
|
|
@ -147,3 +147,43 @@ func TestGetSandboxSecurityOpts(t *testing.T) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestGetSystclsFromAnnotations tests the logic of getting sysctls from annotations.
|
||||
func TestGetSystclsFromAnnotations(t *testing.T) {
|
||||
tests := []struct {
|
||||
annotations map[string]string
|
||||
expectedSysctls map[string]string
|
||||
}{{
|
||||
annotations: map[string]string{
|
||||
api.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
|
||||
api.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
|
||||
},
|
||||
expectedSysctls: map[string]string{
|
||||
"kernel.shmmni": "32768",
|
||||
"kernel.shmmax": "1000000000",
|
||||
"knet.ipv4.route.min_pmtu": "1000",
|
||||
},
|
||||
}, {
|
||||
annotations: map[string]string{
|
||||
api.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
|
||||
},
|
||||
expectedSysctls: map[string]string{
|
||||
"kernel.shmmni": "32768",
|
||||
"kernel.shmmax": "1000000000",
|
||||
},
|
||||
}, {
|
||||
annotations: map[string]string{
|
||||
api.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
|
||||
},
|
||||
expectedSysctls: map[string]string{
|
||||
"knet.ipv4.route.min_pmtu": "1000",
|
||||
},
|
||||
}}
|
||||
|
||||
for i, test := range tests {
|
||||
actual, err := getSysctlsFromAnnotations(test.annotations)
|
||||
assert.NoError(t, err, "TestCase[%d]", i)
|
||||
assert.Len(t, actual, len(test.expectedSysctls), "TestCase[%d]", i)
|
||||
assert.Equal(t, test.expectedSysctls, actual, "TestCase[%d]", i)
|
||||
}
|
||||
}
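Review bot: The test function `TestGetSystclsFromAnnotations` and its leading comment misspell "Sysctls", so `go test -run Sysctls` will not select it; rename to `TestGetSysctlsFromAnnotations`. The table only covers well-formed inputs: a case with no sysctl annotations (expecting a nil map and no error, which is the `var results` path in the helper) and a malformed entry (expecting a non-nil error, if api.SysctlsFromPodAnnotations rejects it) would cover the branches the helper actually has. The value `knet.ipv4.route.min_pmtu` looks like a typo for `net.ipv4.route.min_pmtu`; it does not appear to affect parsing in this test, but a realistic name avoids misleading readers.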
|
||||
|
|