1372657 – [infrastructure_public_178]Set unsafe sysctl value for container doesn't take effect

Bug 1372657 - [infrastructure_public_178]Set unsafe sysctl value for container doesn't take effect

Summary: [infrastructure_public_178]Set unsafe sysctl value for container doesn't take...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Node
Sub Component:
Version:	3.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.3.1
Assignee:	Stefan Schimanski
QA Contact:	DeShuai Ma
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-02 09:54 UTC by DeShuai Ma
Modified:	2017-06-15 18:36 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2017-06-15 18:36:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1425	0	normal	SHIPPED_LIVE	OpenShift Container Platform 3.5, 3.4, 3.3, and 3.2 bug fix update	2017-06-15 22:35:53 UTC

Description DeShuai Ma 2016-09-02 09:54:56 UTC

Description of problem:
When set unsafe sysctl value for container, it can create pod successfully, then check the value in container, the value can't take effect

Version-Release number of selected component (if applicable):
fork_ami_openshift3_clusterinfra_public_178_299

How reproducible:
Always

Steps to Reproduce:
1.Configure node to enable unsafe sysctls
kubeletArguments:
  experimental-allowed-unsafe-sysctls:
  - 'kernel.shm*,kernel.msg*,kernel.sem,fs.mqueue.*,net.*'

2.Create a pod with safe sysctls value.
[root@dhcp-128-7 dma]# oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-unsafe.yaml
pod "hello-pod" created
[root@dhcp-128-7 dma]# oc get pod
NAME        READY     STATUS    RESTARTS   AGE
hello-pod   1/1       Running   0          6s

3.Check the unsafe value in container
[root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
1

Actual results:
3.net.ipv4.ip_forward=1

Expected results:
3.net.ipv4.ip_forward=0


Additional info:
All othe unsafe sysctls can't take effect too, "net.ipv4.ip_forward" just a example.

Comment 1 Stefan Schimanski 2016-09-05 09:12:45 UTC

This is a cherry-pick error. One hunk in docker_manager.go was skipped. Thanks for spotting this. It's already fixed in the cherry-pick PR https://github.com/openshift/origin/pull/10559.

I will create another ami fork after CI tests are green.

This is a bit hard to e2e test right now because we need special kubelet flags.

Comment 2 DeShuai Ma 2016-09-06 02:22:11 UTC

Test on new AMI fork_ami_openshift3_clusterinfra_public_178_300
unsafe sysctls can take effect.

[root@ip-172-18-0-194 ~]# oc get pod|grep hello-pod
hello-pod                 1/1       Running   0          3m
[root@ip-172-18-0-194 ~]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
0

Comment 3 Stefan Schimanski 2016-09-06 07:55:09 UTC

Seems to be fixed. So we can close this issue?

Comment 4 DeShuai Ma 2016-09-06 08:35:02 UTC

you can set ON_QA, Then I verify this bug. thanks

Comment 5 DeShuai Ma 2016-09-06 08:46:30 UTC

verify this bug on fork_ami_openshift3_clusterinfra_public_178_300

Comment 7 errata-xmlrpc 2017-06-15 18:36:18 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425

Note You need to log in before you can comment on or make changes to this bug.