Add default_systcls option to crio.conf #1721
Conversation
|
@rhatdan PTAL. For now the default sysctl is |
|
@umohnani8 You will have to restrict it to /proc/1/gid_map values on the extreme else sysctl will fail. |
lib/config.go
Outdated
|
|
||
| // DefaultSysctls for the default-sysctls option in the crio.conf file | ||
| var DefaultSysctls = []string{ | ||
| "net.ipv4.ping_group_range=0 0", |
There was a problem hiding this comment.
We cannot hard code this. For user namespaces, the gid_map could be different so will have to populate the range and validate it against user ns group mappings.
There was a problem hiding this comment.
I guess we need to see if these are relative to the USERNS. IE Does this happen in runc after the USERNS is setup, then it should work.
There was a problem hiding this comment.
it should happen from inside the container once the user namespace is configured. Some sysctl are not allowed from a namespace and the OCI runtime will fail to set these, but I don't think this PR has to worry of it.
|
Why do you think we need to check against GIDMAP? If the sysctl is executed within the userns which it must be then the only issue might be if 0 was not mapped? I guess we could attempt to set that up and see if it fails. @giuseppe PTAL |
5de0ca1 to
037a50f
Compare
|
@mrunalp the tests that ping a pod from another pod should be testing this change automatically - https://github.com/kubernetes-incubator/cri-o/blob/master/test/network.bats#L103. |
e985e5e to
25b669b
Compare
|
/test all |
|
/test critest_rhel |
|
/test integration_rhel |
|
/test kata-containers |
|
/test all |
736c8aa to
32fa9e7
Compare
|
/test all |
eca1b8f to
f89f82e
Compare
|
/test all |
|
/test integration_rhel |
|
We can skip the test for RHEL 7 by checking for the setting on the host. |
|
/test all |
be35082 to
d243d65
Compare
|
/test all |
6a1d44a to
130d02e
Compare
|
/test all |
|
Just debugged this with @umohnani8. This sysctl isn't available when using a user namespace on RHEL. We should use some other sysctl for testing such as |
73d80b4 to
58b0316
Compare
|
/test all |
|
Tests are green! @mrunalp PTAL |
server/sandbox_run_linux.go
Outdated
|
|
||
| // Add default sysctls given in crio.conf | ||
| for _, defaultSysctl := range s.config.DefaultSysctls { | ||
| split := strings.Split(defaultSysctl, "=") |
There was a problem hiding this comment.
Should this be a SplitN(defaultSysctl, "=",2)
TO make sure the sysctl does not include a "=", I know it is doubtful, but...
server/sandbox_run_linux.go
Outdated
| split := strings.Split(defaultSysctl, "=") | ||
| if len(split) == 2 { | ||
| if err := validateSysctl(split[0], hostNetwork, hostIPC); err != nil { | ||
| logrus.Warnf("%v - skipping...", err) |
There was a problem hiding this comment.
skipping %s ..., err, defaultSysctl
Should this be an error and refuse to start the container?
There was a problem hiding this comment.
I was thinking why error out completely when it is just possible that the user made a typo or something in the sysctls they have enabled. Made more sense to log it and just continue to create the error.
If you think it is better to fail completely I can change it.
There was a problem hiding this comment.
Well we at lease need more info on which sysctl failed.
Users can add default sysctls that they want all cri-o containers to have in the crio.conf file now. Adding net.ipv4.ping_group_range as a default so we can drop the NET_RAW capability. Signed-off-by: umohnani8 <umohnani@redhat.com>
We extract the sysctls from k8s so we don't need to extract it in cri-o separately. Had a TODO from a while back to remove it, so removing. Signed-off-by: umohnani8 <umohnani@redhat.com>
|
/test all |
|
LGTM |
|
@mrunalp this is ready to merge :) |
Users can add default sysctls that they want all cri-o containers
to have in the crio.conf file now.
Adding net.ipv4.ping_group_range as a default so we can drop the
NET_RAW capability.
Remove sysctl parsing code from cri-o as we extract the sysctls from k8s directly.
Had a TODO from a while back to remove it, so removing.
Drop the NET_RAW capability from the list of cri-o defaults
as we are using the sysctl net.ipv4.ping_group_range instead
to allow users to do a ping.
Signed-off-by: umohnani8 umohnani@redhat.com