Bug 1372657

Summary: [infrastructure_public_178]Set unsafe sysctl value for container doesn't take effect
Product: OpenShift Container Platform
Reporter: DeShuai Ma <dma>
Component: Node
Assignee: Stefan Schimanski <sttts>
Status: CLOSED ERRATA
QA Contact: DeShuai Ma <dma>
Severity: medium
Priority: medium
Version: 3.3.1
CC: aos-bugs, jokerman, mmccomas, wmeng
Target Milestone: ---
Keywords: Reopened
Target Release: 3.3.1
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2017-06-15 18:36:18 UTC
Type: Bug

Description DeShuai Ma 2016-09-02 09:54:56 UTC
Description of problem:
When setting an unsafe sysctl value for a container, the pod is created successfully, but when checking the value in the container, it does not take effect.

Version-Release number of selected component (if applicable):
fork_ami_openshift3_clusterinfra_public_178_299

How reproducible:
Always

Steps to Reproduce:
1. Configure the node to enable unsafe sysctls:
kubeletArguments:
  experimental-allowed-unsafe-sysctls:
  - 'kernel.shm*,kernel.msg*,kernel.sem,fs.mqueue.*,net.*'

2. Create a pod with safe sysctls value.
[root@dhcp-128-7 dma]# oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-unsafe.yaml
pod "hello-pod" created
[root@dhcp-128-7 dma]# oc get pod
NAME        READY     STATUS    RESTARTS   AGE
hello-pod   1/1       Running   0          6s

3. Check the unsafe value in the container:
[root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
1

Actual results:
3. net.ipv4.ip_forward=1

Expected results:
3. net.ipv4.ip_forward=0


Additional info:
All other unsafe sysctls don't take effect either; "net.ipv4.ip_forward" is just an example.
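One way to automate the check that step 3 does by hand, for every sysctl a pod asks for: confirm the name is covered by the node's allowed-unsafe-sysctls whitelist, then compare the value observed under /proc/sys in the container with the requested one. This is an added Python example, not code from the bug report or from OpenShift; the whitelist is the one from step 1, while the requested list, the observed values and the "name=value,name=value" list format are constructed assumptions.

```python
import fnmatch

# Constructed inputs for this example (not taken from the bug report).
# Node whitelist, as passed via experimental-allowed-unsafe-sysctls.
ALLOWED_UNSAFE = "kernel.shm*,kernel.msg*,kernel.sem,fs.mqueue.*,net.*"
# Sysctls requested for the pod, in an assumed "name=value,..." form.
REQUESTED = "net.ipv4.ip_forward=0,kernel.shm_rmid_forced=1,vm.swappiness=10"
# Values read inside the container (e.g. `oc exec <pod> -- cat /proc/sys/...`).
OBSERVED = {
    "/proc/sys/net/ipv4/ip_forward": "1",     # still the node default: not applied
    "/proc/sys/kernel/shm_rmid_forced": "1",  # applied as requested
}

def parse_sysctls(spec):
    """Parse 'a.b=1,c.d=2' into a dict, rejecting malformed entries."""
    result = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"malformed sysctl entry: {item!r}")
        result[name.strip()] = value.strip()
    return result

def is_allowed(name, patterns):
    """True if the sysctl name matches any whitelist glob (e.g. 'net.*')."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def proc_path(name):
    """Map a dotted sysctl name to its /proc/sys file."""
    return "/proc/sys/" + name.replace(".", "/")

def audit(requested, allowed, observed):
    """Return {sysctl name: status} for every requested sysctl."""
    patterns = [p.strip() for p in allowed.split(",") if p.strip()]
    report = {}
    for name, wanted in parse_sysctls(requested).items():
        if not is_allowed(name, patterns):
            report[name] = "not in node whitelist"
            continue
        actual = observed.get(proc_path(name))
        if actual is None:
            report[name] = "not observed"
        elif actual != wanted:
            report[name] = f"not applied (wanted {wanted}, got {actual})"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for name, status in audit(REQUESTED, ALLOWED_UNSAFE, OBSERVED).items():
        print(f"{name}: {status}")
```

A "not applied" line for a whitelisted sysctl is exactly the symptom of this bug, while "not in node whitelist" means the kubelet would reject the pod rather than silently ignore the setting.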

Comment 1 Stefan Schimanski 2016-09-05 09:12:45 UTC
This is a cherry-pick error. One hunk in docker_manager.go was skipped. Thanks for spotting this. It's already fixed in the cherry-pick PR https://github.com/openshift/origin/pull/10559.

I will create another AMI fork after CI tests are green.

This is a bit hard to e2e test right now because we need special kubelet flags.

Comment 2 DeShuai Ma 2016-09-06 02:22:11 UTC
Tested on the new AMI fork_ami_openshift3_clusterinfra_public_178_300:
unsafe sysctls can take effect.

[root@ip-172-18-0-194 ~]# oc get pod|grep hello-pod
hello-pod                 1/1       Running   0          3m
[root@ip-172-18-0-194 ~]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
0

Comment 3 Stefan Schimanski 2016-09-06 07:55:09 UTC
Seems to be fixed. So we can close this issue?

Comment 4 DeShuai Ma 2016-09-06 08:35:02 UTC
You can set ON_QA, then I will verify this bug. Thanks.

Comment 5 DeShuai Ma 2016-09-06 08:46:30 UTC
Verified this bug on fork_ami_openshift3_clusterinfra_public_178_300.

Comment 7 errata-xmlrpc 2017-06-15 18:36:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425