feat: Added net.ipv4.tcp_rmem and net.ipv4.tcp_wmem into safe sysctl list #125270
Conversation
…list kubernetes#125234 Signed-off-by: nikzayn <nikhilvaidyar1997@gmail.com>
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
kind/feature
k8s-ci-robot
added
sig/node
|
Hi @nikzayn. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
pkg/kubelet/sysctl/safe_sysctls.go
Outdated
| @@ -60,6 +60,12 @@ var safeSysctls = []sysctl{ | |||
| name: "net.ipv4.tcp_keepalive_probes", | |||
| kernel: utilkernel.TCPKeepAliveProbesNamespacedKernelVersion, | |||
| }, | |||
| { | |||
| name: "net.ipv4.tcp_rmem", | |||
There was a problem hiding this comment.
I believe these sysctls are supported starting from kernel 4.15. Can you add a constant to utilkernel and set the kernel property here, like the other entries above? Thanks.
There was a problem hiding this comment.
utilkernel will look something like this
// TCPReceiveMemoryNamespacedKernelVersion is the kernel version in which net.ipv4.tcp_rmem was namespaced(netns).
// (ref: https://github.com/torvalds/linux/commit/356d1833b638bd465672aefeb71def3ab93fc17d)
const TCPReceiveMemoryNamespacedKernelVersion = "4.15"
// TCPTransmitMemoryNamespacedKernelVersion is the kernel version in which net.ipv4.tcp_wmem was namespaced(netns).
// (ref: https://github.com/torvalds/linux/commit/356d1833b638bd465672aefeb71def3ab93fc17d)
const TCPTransmitMemoryNamespacedKernelVersion = "4.15"
There was a problem hiding this comment.
Sure, I will add it. I know that we need to add it just wanted to be confirmed. Thanks!
|
Perhaps this also requires changes in |
Thanks, I will take a look and possibly make the changes accordingly. Thanks for reviewing. |
…ernetes#125234 Signed-off-by: nikzayn <nikhilvaidyar1997@gmail.com>
k8s-ci-robot
added
size/L
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: nikzayn The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
added
do-not-merge/contains-merge-commits
|
Adding label Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| @@ -118,6 +124,10 @@ func sysctlsV1Dot29(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) Che | |||
| return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot29) | |||
| } | |||
|
|
|||
| func sysctlsV1Dot30(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { | |||
There was a problem hiding this comment.
I'm not 100% sure this is correct/needed, I'd like a more experienced reviewer to confirm it.
There was a problem hiding this comment.
Yeah, let's wait for an experienced member. Even I also have doubt for the same.
| }, | ||
| } | ||
| registerFixtureGenerator( | ||
| fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 29), check: "sysctls"}, |
There was a problem hiding this comment.
Given that you are using the V1Dot30 suffix this should be 1, 30
There was a problem hiding this comment.
Oh okay, thanks my bad!!. Fixing it right away
Signed-off-by: nikzayn <nikhilvaidyar1997@gmail.com>
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/assign @enj |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
|
/sig network |
k8s-ci-robot
added
the
sig/network
|
This seems fine to me, but I don't know this code path, so I really want someone on sig-node to own the approval. @pacoxu ? |
| @@ -104,6 +106,10 @@ var ( | |||
| "net.ipv4.tcp_keepalive_intvl", | |||
| "net.ipv4.tcp_keepalive_probes", | |||
| ) | |||
| sysctlsAllowedV1Dot30 = sets.NewString( | |||
There was a problem hiding this comment.
| sysctlsAllowedV1Dot30 = sets.NewString( | |
| sysctlsAllowedV1Dot31 = sets.NewString( |
| func sysctlsV1Dot30(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { | ||
| return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot30) |
There was a problem hiding this comment.
| func sysctlsV1Dot30(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { | |
| return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot30) | |
| func sysctlsV1Dot31(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { | |
| return sysctls(podMetadata, podSpec, sysctlsAllowedV1Dot31) |
|
|
||
| for _, tc := range tests { | ||
| t.Run(tc.name, func(t *testing.T) { | ||
| result := sysctlsV1Dot30(&tc.pod.ObjectMeta, &tc.pod.Spec) |
There was a problem hiding this comment.
| result := sysctlsV1Dot30(&tc.pod.ObjectMeta, &tc.pod.Spec) | |
| result := sysctlsV1Dot31(&tc.pod.ObjectMeta, &tc.pod.Spec) |
| @@ -156,4 +156,39 @@ func init() { | |||
| fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 29), check: "sysctls"}, | |||
| fixtureDataV1Dot29, | |||
| ) | |||
|
|
|||
| fixtureDataV1Dot30 := fixtureGenerator{ | |||
There was a problem hiding this comment.
| fixtureDataV1Dot30 := fixtureGenerator{ | |
| fixtureDataV1Dot31 := fixtureGenerator{ |
Update other references accordingly.
| }, | ||
| } | ||
| registerFixtureGenerator( | ||
| fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 30), check: "sysctls"}, |
There was a problem hiding this comment.
| fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 30), check: "sysctls"}, | |
| fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 31), check: "sysctls"}, |
|
Thanks for working on this! |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
Is this PR abandoned? Does it need someone to take it over? |
k8s-ci-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
#127489 is based on @nikzayn's commits here and was merged today.
/close |
|
@pacoxu: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds the net.ipv4.tcp_rmem and net.ipv4.tcp_wmem into safe sysctl list because to handle thousands of concurrent connections used by Cassandra, DataStax recommends these settings to optimize the Linux network stack.
Which issue(s) this PR fixes:
#125234
Fixes #125234
Special notes for your reviewer:
I have updated the test cases and it's running fine. Meanwhile, you can check and comment on this PR to suggest some other changes which I might need to update. One callout, I think that I also need to update the CheckSysctls function to support checks for the allowed sysctl list.
Does this PR introduce a user-facing change?
NONE