Bug 1754403

Summary: [DOC] Missing information on how to enable unsafe sysctls
Product: OpenShift Container Platform
Component: Documentation
Version: 3.11.0
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Reporter: Christian Koep <ckoep>
Assignee: Kevin Lamenzo <klamenzo>
QA Contact: MinLi <minmli>
Docs Contact: Vikram Goyal <vigoyal>
CC: aos-bugs, jokerman
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2020-05-07 13:07:59 UTC

Description Christian Koep 2019-09-23 07:34:26 UTC
Document URL:

https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/cluster_administration/admin-guide-sysctls

Section Number and Name:

34.5. Enabling unsafe sysctls

Describe the issue: 

An important piece of information is missing. Users are required to add the unsafe sysctls they are trying to adjust to the allowedUnsafeSysctls list in a (preferably new) security context constraint (SCC) object:

[...]
allowedUnsafeSysctls:
- 'net.core.somaxconn'
[...]

Suggestions for improvement: 
Add something along the lines of what I have put into this solution: https://access.redhat.com/solutions/4307171 maybe?

Additional information: 
See private comments.

Comment 2 Kevin Lamenzo 2020-04-05 01:51:09 UTC
Thanks @ckoep. I want to confirm that this is an additional step to what we have now. So the updated documentation will be along these lines.
1. Use the kubeletArguments field in the /etc/origin/node/node-config.yaml file, as described in Configuring Node Resources, to set the desired unsafe sysctls:

(Then, from your KB, thank you!)
2. Add the required sysctl parameter to the allowedUnsafeSysctls list in a (preferably new) security context constraint (SCC) object:

3. systemctl restart atomic-openshift-node

If you're unsure I will draft this up and ask QA if they can check.

Thanks!
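
The two gates named in the steps above (the node's kubeletArguments allowlist and the SCC's allowedUnsafeSysctls list) can be modelled as a pre-deployment check. This is an added example, not part of the bug report or the OpenShift documentation. The function names and sample lists are hypothetical and constructed, the trailing `*` prefix rule follows the Kubernetes API field description, and the safe set is the three sysctls Kubernetes treated as safe in that release line.

```python
# Added example: simplified model of the two gates an unsafe sysctl must pass.
# Sysctls treated as safe (namespaced, no allowlisting needed) in that era.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}


def matches(name, patterns):
    """True if name equals an entry, or an entry ending in '*' is a prefix of it."""
    for pat in patterns:
        if pat.endswith("*"):
            if name.startswith(pat[:-1]):
                return True
        elif name == pat:
            return True
    return False


def check_pod_sysctls(pod_sysctls, kubelet_allowed, scc_allowed, scc_forbidden=()):
    """Return {sysctl: [reasons]} for every requested sysctl that would be blocked."""
    blocked = {}
    for name in pod_sysctls:
        reasons = []
        if matches(name, scc_forbidden):
            reasons.append("listed in SCC forbiddenSysctls")
        if name not in SAFE_SYSCTLS:
            # Unsafe sysctls need BOTH the SCC entry and the node-level entry.
            if not matches(name, scc_allowed):
                reasons.append("missing from SCC allowedUnsafeSysctls")
            if not matches(name, kubelet_allowed):
                reasons.append("not enabled in the node's kubeletArguments")
        if reasons:
            blocked[name] = reasons
    return blocked


# Constructed sample values for illustration.
KUBELET_ALLOWED = ["net.core.somaxconn"]   # set on the node (step 1)
SCC_WITHOUT = []                           # SCC before step 2
SCC_WITH = ["net.core.somaxconn"]          # SCC after step 2
POD = ["net.core.somaxconn", "net.ipv4.tcp_syncookies"]

if __name__ == "__main__":
    print(check_pod_sysctls(POD, KUBELET_ALLOWED, SCC_WITHOUT))
    print(check_pod_sysctls(POD, KUBELET_ALLOWED, SCC_WITH))
```

With only the node-level step done, `net.core.somaxconn` is still reported as blocked by the SCC, which is the gap this bug describes.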

Comment 3 Kevin Lamenzo 2020-04-05 02:19:59 UTC
Here is a draft PR as well.
https://github.com/openshift/openshift-docs/pull/20914

Comment 5 Kevin Lamenzo 2020-04-06 15:00:59 UTC
@xiyuan could you please review? Thank you.

Comment 6 MinLi 2020-04-28 03:05:27 UTC
@Kevin Lamenzo, according to https://docs.openshift.com/container-platform/3.11/admin_guide/sysctls.html#enabling-unsafe-sysctls

I think it's needed to add the unsafe sysctls to the DeploymentConfig for your pods.

Comment 7 Kevin Lamenzo 2020-05-07 01:38:48 UTC
@MinLi I think we can close this. It looks like a separate BZ resolved the issue. PTAL https://bugzilla.redhat.com/show_bug.cgi?id=1811348

Comment 8 MinLi 2020-05-07 04:05:33 UTC
@Kevin Lamenzo, I've checked and agree with you; we can close this bz.

Comment 9 Kevin Lamenzo 2020-05-07 13:07:59 UTC

*** This bug has been marked as a duplicate of bug 1811348 ***