Bug 1372657 - [infrastructure_public_178]Set unsafe sysctl value for container doesn't take effect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.3.1
Assignee: Stefan Schimanski
QA Contact: DeShuai Ma
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-02 09:54 UTC by DeShuai Ma
Modified: 2017-06-15 18:36 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-15 18:36:18 UTC
Target Upstream Version:
Embargoed:



Links
System: Red Hat Product Errata
ID: RHBA-2017:1425
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: OpenShift Container Platform 3.5, 3.4, 3.3, and 3.2 bug fix update
Last Updated: 2017-06-15 22:35:53 UTC

Description DeShuai Ma 2016-09-02 09:54:56 UTC
Description of problem:
When setting an unsafe sysctl value for a container, the pod is created successfully, but when checking the value in the container, the value has not taken effect.

Version-Release number of selected component (if applicable):
fork_ami_openshift3_clusterinfra_public_178_299

How reproducible:
Always

Steps to Reproduce:
1. Configure the node to enable unsafe sysctls
kubeletArguments:
  experimental-allowed-unsafe-sysctls:
  - 'kernel.shm*,kernel.msg*,kernel.sem,fs.mqueue.*,net.*'

2. Create a pod with safe sysctls value.
[root@dhcp-128-7 dma]# oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-unsafe.yaml
pod "hello-pod" created
[root@dhcp-128-7 dma]# oc get pod
NAME        READY     STATUS    RESTARTS   AGE
hello-pod   1/1       Running   0          6s

3. Check the unsafe value in the container
[root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
1

Actual results:
3. net.ipv4.ip_forward=1

Expected results:
3. net.ipv4.ip_forward=0


Additional info:
All other unsafe sysctls don't take effect either; "net.ipv4.ip_forward" is just an example.
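
The check from steps 1 and 3 as a reusable script; this is an added example, not part of the original report or of OpenShift. The function names and the READ_CMD variable are hypothetical, and the whitelist matching rule (a trailing '*' is a prefix match, anything else is exact) is an assumption about how the kubelet reads the patterns.

```shell
#!/bin/sh
# Added example; function names and READ_CMD are hypothetical.

# Whitelist copied from the kubeletArguments in step 1.
ALLOWED='kernel.shm*,kernel.msg*,kernel.sem,fs.mqueue.*,net.*'

# sysctl_allowed NAME [PATTERNS]: succeed if NAME matches a whitelist entry.
# Assumption: a trailing '*' is a prefix match, any other entry is exact.
sysctl_allowed() {
  name=$1 rc=1
  old_ifs=$IFS; IFS=','; set -f      # split on commas, do not glob '*'
  for pat in ${2:-$ALLOWED}; do
    case $pat in
      *\*) prefix=${pat%\*}
           case $name in "$prefix"*) rc=0 ;; esac ;;
      "$name") rc=0 ;;
    esac
  done
  IFS=$old_ifs; set +f
  return "$rc"
}

# sysctl_proc_path NAME: print the /proc/sys file that backs the sysctl.
sysctl_proc_path() {
  printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# check_sysctl POD NAME=VALUE: compare the requested value with what the
# container reports. READ_CMD defaults to `oc exec` (step 3); point it at a
# stub function to run this without a cluster.
check_sysctl() {
  pod=$1 name=${2%%=*} want=${2#*=}
  sysctl_allowed "$name" || { echo "DENIED $name"; return 2; }
  path=$(sysctl_proc_path "$name")
  got=$(${READ_CMD:-oc exec} "$pod" -- cat "$path") || return 3
  if [ "$got" = "$want" ]; then
    echo "OK $name=$got"
  else
    echo "MISMATCH $name want=$want got=$got"
    return 1
  fi
}

# Usage: sh check_sysctl.sh hello-pod net.ipv4.ip_forward=0
if [ "$#" -ge 2 ]; then check_sysctl "$1" "$2"; fi
```

A MISMATCH result for a whitelisted sysctl on a Running pod is the condition this bug describes: the pod is admitted but the value is never applied inside the container.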

Comment 1 Stefan Schimanski 2016-09-05 09:12:45 UTC
This is a cherry-pick error. One hunk in docker_manager.go was skipped. Thanks for spotting this. It's already fixed in the cherry-pick PR https://github.com/openshift/origin/pull/10559.

I will create another ami fork after CI tests are green.

This is a bit hard to e2e test right now because we need special kubelet flags.

Comment 2 DeShuai Ma 2016-09-06 02:22:11 UTC
Tested on new AMI fork_ami_openshift3_clusterinfra_public_178_300
Unsafe sysctls can take effect.

[root@ip-172-18-0-194 ~]# oc get pod|grep hello-pod
hello-pod                 1/1       Running   0          3m
[root@ip-172-18-0-194 ~]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
0

Comment 3 Stefan Schimanski 2016-09-06 07:55:09 UTC
Seems to be fixed. So we can close this issue?

Comment 4 DeShuai Ma 2016-09-06 08:35:02 UTC
You can set ON_QA, then I will verify this bug. Thanks.

Comment 5 DeShuai Ma 2016-09-06 08:46:30 UTC
Verify this bug on fork_ami_openshift3_clusterinfra_public_178_300

Comment 7 errata-xmlrpc 2017-06-15 18:36:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425

