sysctl options declared in config.json not applied to container #10790

cweld510 opened this issue Aug 16, 2024 · 3 comments
Labels
type: bug Something isn't working

Comments

@cweld510

Description

It seems that, when starting a container via runsc run from an OCI specification file, sysctl options in the specification file won't take effect inside the container.

Steps to reproduce

Make a rootfs directory and unpack a debian-slim image into it:
mkdir bundle && cd bundle && mkdir --mode=0755 rootfs
docker export $(docker create debian:bullseye-slim) | sudo tar -xf - -C rootfs --same-owner --same-permissions

Create a simple script in rootfs to dump a sysctl setting:

$ cat rootfs/test_script 
#!/bin/bash

cat /proc/sys/net/ipv4/tcp_keepalive_time

Generate a config.json: runsc spec -- /test_script

Add the following to the "linux" block of the config:

    "sysctl": {
        "net.ipv4.tcp_keep_alive_time": "1000"
    }

Then sudo runsc run test_script will show a value of 7200, not 1000.

runsc version

runsc version 40a09da5a1ab
spec: 1.1.0-rc.1

docker version (if using docker)

No response

uname

Linux 5.15.0-101.103.2.1.el9uek.x86_64 #2 SMP Tue May 2 01:10:45 PDT 2023 x86_64 x86_64 x86_64 GNU/Linux

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

@cweld510 cweld510 added the type: bug Something isn't working label Aug 16, 2024
@ayushr2
Collaborator

ayushr2 commented Aug 16, 2024

The following should be the right place to add support

gvisor/runsc/boot/loader.go

Lines 550 to 561 in 834bef5

    if args.Spec.Linux != nil && args.Spec.Linux.Sysctl != nil {
    	if val, ok := args.Spec.Linux.Sysctl["fs.nr_open"]; ok {
    		nrOpen, err := strconv.Atoi(val)
    		if err != nil {
    			return nil, fmt.Errorf("setting fs.nr_open=%s: %w", val, err)
    		}
    		if nrOpen <= 0 || nrOpen > int(kernel.MaxFdLimit) {
    			return nil, fmt.Errorf("setting fs.nr_open=%s", val)
    		}
    		maxFDLimit = int32(nrOpen)
    	}
    }

@ayushr2
Collaborator

ayushr2 commented Aug 16, 2024

We seem to be always printing 7200 from /proc/sys/net/ipv4/tcp_keepalive_time:

"tcp_keepalive_time": fs.newInode(ctx, root, 0444, newStaticFile("7200")),

Irrespective of what TCP endpoints use (which happens to be a constant for 7200 seconds):

// DefaultKeepaliveIdle is the idle time for a connection before keep-alive
// probes are sent.
DefaultKeepaliveIdle = 2 * time.Hour
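As an added example, not code from the gVisor project or from anyone in this thread: a preflight check that parses an OCI config.json and applies the same fs.nr_open handling as the loader snippet quoted above, while reporting every other sysctl key as one the sandbox will leave at its built-in value (for net.ipv4.tcp_keepalive_time, the static 7200). The maxFDLimit constant and the sample config are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
)

// maxFDLimit stands in for kernel.MaxFdLimit in runsc; the number is an assumption.
const maxFDLimit = 1048576
// ociSpec keeps only the part of an OCI config.json this check reads.
type ociSpec struct {
	Linux *struct {
		Sysctl map[string]string `json:"sysctl"`
	} `json:"linux"`
}
// CheckSysctls mirrors the loader logic quoted above: only fs.nr_open is consumed
// (same parse and range checks); every other key is returned as ignored so the
// operator learns before "runsc run" that /proc/sys will not reflect it.
func CheckSysctls(configJSON []byte) (nrOpen int, ignored []string, err error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return 0, nil, fmt.Errorf("parsing config.json: %w", err)
	}
	if spec.Linux == nil || spec.Linux.Sysctl == nil {
		return 0, nil, nil
	}
	for key, val := range spec.Linux.Sysctl {
		if key != "fs.nr_open" {
			ignored = append(ignored, key)
			continue
		}
		n, err := strconv.Atoi(val)
		if err != nil {
			return 0, nil, fmt.Errorf("setting fs.nr_open=%s: %w", val, err)
		}
		if n <= 0 || n > maxFDLimit {
			return 0, nil, fmt.Errorf("setting fs.nr_open=%s: out of range", val)
		}
		nrOpen = n
	}
	sort.Strings(ignored) // map iteration order is random; make output stable
	return nrOpen, ignored, nil
}
// sampleConfig is a constructed fragment modelled on the issue's reproduction.
const sampleConfig = `{"linux":{"sysctl":{"net.ipv4.tcp_keepalive_time":"1000","fs.nr_open":"65536"}}}`
func main() {
	n, ign, err := CheckSysctls([]byte(sampleConfig))
	fmt.Println(n, ign, err) // 65536 [net.ipv4.tcp_keepalive_time] <nil>
}
```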

@ayushr2
Collaborator

ayushr2 commented Aug 16, 2024

cc @kevinGC
