Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1893607

Summary: [DOC] Missing information on how to enable unsafe sysctls in OpenShift 4
Product: OpenShift Container Platform
Reporter: yhe
Component: Documentation
Assignee: Shubha Narayanan <snarayan>
Status: CLOSED NOTABUG
QA Contact: yhe
Severity: medium
Docs Contact: Latha S <lmurthy>
Priority: medium
Version: 4.5
CC: aos-bugs, jokerman, lmurthy, vigoyal
Target Milestone: ---
Target Release: 4.5.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-08-05 06:52:48 UTC
Type: Bug

Description yhe 2020-11-02 06:24:51 UTC
Document URL: 
https://docs.openshift.com/container-platform/4.5/nodes/containers/nodes-containers-sysctls.html#nodes-containers-sysctls-unsafe_nodes-containers-using

Section Number and Name: 
Enabling unsafe sysctls

Describe the issue: 
A necessary step is missing. Users are required to add the unsafe sysctls they are trying to adjust to the allowedUnsafeSysctls list in a security context constraint (SCC) object:

[...]
allowedUnsafeSysctls:
- 'net.core.somaxconn'
[...]

Suggestions for improvement: 
This step has already been added to the OCP3 document, and the same fix needs to be done to the OCP4 document too.
Related OCP3 document: https://docs.openshift.com/container-platform/3.11/admin_guide/sysctls.html#enabling-unsafe-sysctls
Related Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1754403
Related KCS: https://access.redhat.com/solutions/4307171

Additional information:

Comment 2 Shubha Narayanan 2021-07-29 06:03:15 UTC
Yiyong,

In step 2, we have
 
allowedUnsafeSysctls: 
      - "kernel.msg*"
      - "net.core.somaxconn"

Is this what was expected or is there something more that you want to have added?

Comment 3 Shubha Narayanan 2021-08-02 13:03:34 UTC
I see that all the related links and customer issues are tied to 3.11. From OCP 4 onwards, kubeletConfig is used, and hence the steps are different. Ryan Philips confirmed that there are currently no missing steps for OCP 4.
@nkono - Can you verify the steps provided in the document for 4.6+ versions and let us know if there are any missing steps?

Comment 5 Shubha Narayanan 2021-08-05 06:52:48 UTC
As per my conversation with Yiyong He, since the steps are different from OCP 3 and there are no missing steps for OCP 4 and the case is already being closed at the customer's request, it is ok for him to close the Bugzilla with NOTABUG for now.
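
Added example, not part of the bug thread or of the OpenShift documentation: a simplified Python model of how a pod's requested sysctls compare against an allowedUnsafeSysctls list, using the two lists quoted in the Description and in Comment 2. It assumes the Kubernetes pattern convention (an entry ending in `*` is a prefix match) and the safe-sysctl set shown; the pod's sysctl names and the `evaluate` helper are constructed for illustration, and which lists a given cluster version actually consults is the question discussed above.

```python
# Simplified model for review purposes; not OpenShift's admission code.
# Assumption: sysctls Kubernetes treats as safe need no allow-list entry.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}


def matches(pattern, name):
    """An entry is a literal sysctl name, or a prefix when it ends in '*'."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def evaluate(pod_sysctls, layers):
    """Map each requested sysctl to 'safe', 'allowed', or the blocking layer.

    layers: dict of layer name -> allowedUnsafeSysctls entries, checked in
    insertion order (for example an SCC list, then a KubeletConfig list).
    """
    verdicts = {}
    for name in pod_sysctls:
        if name in SAFE_SYSCTLS:
            verdicts[name] = "safe"
            continue
        blocker = next(
            (layer for layer, patterns in layers.items()
             if not any(matches(p, name) for p in patterns)),
            None,
        )
        verdicts[name] = f"blocked by {blocker}" if blocker else "allowed"
    return verdicts


# Lists as quoted in the thread; the pod's requests are constructed samples.
SCC_LIST = ["net.core.somaxconn"]                     # Description
KUBELET_LIST = ["kernel.msg*", "net.core.somaxconn"]  # Comment 2
POD_SYSCTLS = ["net.core.somaxconn", "kernel.msgmax", "kernel.shm_rmid_forced"]

if __name__ == "__main__":
    for label, layers in [
        ("KubeletConfig only", {"KubeletConfig": KUBELET_LIST}),
        ("SCC + KubeletConfig", {"SCC": SCC_LIST, "KubeletConfig": KUBELET_LIST}),
    ]:
        print(label, evaluate(POD_SYSCTLS, layers))
```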