Description of problem:
When an unsafe sysctl value is set for a container, the pod is created successfully, but when the value is checked inside the container it has not taken effect.

Version-Release number of selected component (if applicable):
fork_ami_openshift3_clusterinfra_public_178_299

How reproducible:
Always

Steps to Reproduce:
1. Configure the node to enable unsafe sysctls:
   kubeletArguments:
     experimental-allowed-unsafe-sysctls:
     - 'kernel.shm*,kernel.msg*,kernel.sem,fs.mqueue.*,net.*'
2. Create a pod with safe sysctl values.
   [root@dhcp-128-7 dma]# oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-unsafe.yaml
   pod "hello-pod" created
   [root@dhcp-128-7 dma]# oc get pod
   NAME        READY     STATUS    RESTARTS   AGE
   hello-pod   1/1       Running   0          6s
3. Check the unsafe value in the container:
   [root@dhcp-128-7 dma]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
   1

Actual results:
3. net.ipv4.ip_forward=1

Expected results:
3. net.ipv4.ip_forward=0

Additional info:
All other unsafe sysctls can't take effect either; "net.ipv4.ip_forward" is just an example.
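The manual check from step 3, automated for every requested key so a pod's sysctls can be verified in one pass. This is an added example, not from the bug report or the origin project; it assumes the expectation list uses the comma-separated key=value form of the Kubernetes sysctl pod annotations of that time, and that READER is a command that prints a file, such as "oc exec hello-pod -- cat".

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the sysctls requested
# for a pod actually took effect inside its container, i.e. the manual
# "oc exec hello-pod -- cat /proc/sys/..." check done for every key.
# EXPECTED is a comma-separated "key=value" list, the format the Kubernetes
# sysctl pod annotations used at the time (assumption).

# Map a sysctl key such as net.ipv4.ip_forward to ROOT/net/ipv4/ip_forward.
sysctl_path() {
  printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# Squeeze whitespace so a tab-separated /proc value like kernel.sem
# ("250\t32000\t32\t128") compares equal to "250 32000 32 128".
normalize() {
  printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# check_sysctls READER ROOT EXPECTED
#   READER:   command that prints a file, e.g. "cat" for the local machine
#             or "oc exec hello-pod -- cat" for a running pod
#   ROOT:     the /proc/sys tree to inspect (a test directory works too)
#   EXPECTED: "net.ipv4.ip_forward=0,kernel.sem=250 32000 32 128"
# Prints one line per problem; returns 0 only if every value matches.
check_sysctls() {
  reader=$1 root=$2 expected=$3 rc=0
  old_ifs=$IFS
  IFS=','
  for pair in $expected; do
    IFS=$old_ifs                      # restore so $reader splits on spaces
    key=${pair%%=*}
    want=$(normalize "${pair#*=}")
    file=$(sysctl_path "$root" "$key")
    if ! got=$($reader "$file" 2>/dev/null); then
      echo "MISSING $key ($file not readable)"
      rc=1
      continue
    fi
    got=$(normalize "$got")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: want $want, got $got"
      rc=1
    fi
  done
  IFS=$old_ifs
  return $rc
}
```

Against the pod from the report, check_sysctls "oc exec hello-pod -- cat" /proc/sys "net.ipv4.ip_forward=0" prints a MISMATCH line on the broken AMI and nothing on the fixed one.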
This is a cherry-pick error. One hunk in docker_manager.go was skipped. Thanks for spotting this. It's already fixed in the cherry-pick PR https://github.com/openshift/origin/pull/10559. I will create another ami fork after CI tests are green. This is a bit hard to e2e test right now because we need special kubelet flags.
Tested on the new AMI fork_ami_openshift3_clusterinfra_public_178_300: unsafe sysctls can take effect.
[root@ip-172-18-0-194 ~]# oc get pod|grep hello-pod
hello-pod   1/1       Running   0          3m
[root@ip-172-18-0-194 ~]# oc exec hello-pod -- cat /proc/sys/net/ipv4/ip_forward
0
Seems to be fixed. So we can close this issue?
You can set ON_QA, then I will verify this bug. Thanks.
Verified this bug on fork_ami_openshift3_clusterinfra_public_178_300.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1425