Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Docker driver] - Adding support for sysctl and ulimit configuration #2501

Closed
wants to merge 6 commits into from
Closed

[Docker driver] - Adding support for sysctl and ulimit configuration #2501

wants to merge 6 commits into from

Conversation

samber
Copy link
Contributor

@samber samber commented Mar 29, 2017
edited
Loading 

task "db" {
    driver = "docker"
    config {
      image: "redis:3.2"
      sysctl {
        net.core.somaxconn = "16384"
      }
      ulimit {
        nproc = "4242"
        nofile = "2048:4096"
      }
    }
}

@samber samber force-pushed the driver-docker-sysctl-ulimit branch 4 times, most recently from 5cebee5 to 54cc9e2 Compare March 30, 2017 15:55
jippi
jippi reviewed Mar 30, 2017
View reviewed changes
client/driver/docker.go Outdated
@@ -142,6 +142,10 @@ type DockerDriverConfig struct {
PortMapRaw []map[string]int `mapstructure:"port_map"` //
PortMap map[string]int `mapstructure:"-"` // A map of host port labels and the ports exposed on the container
Privileged bool `mapstructure:"privileged"` // Flag to run the container in privileged mode
SysctlsRaw []map[string]string `mapstructure:"sysctls"` //
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

think the mapstructure here should be sysctl (singular) like all the other keys

client/driver/docker.go Outdated
@@ -142,6 +142,10 @@ type DockerDriverConfig struct {
PortMapRaw []map[string]int `mapstructure:"port_map"` //
PortMap map[string]int `mapstructure:"-"` // A map of host port labels and the ports exposed on the container
Privileged bool `mapstructure:"privileged"` // Flag to run the container in privileged mode
SysctlsRaw []map[string]string `mapstructure:"sysctls"` //
Sysctls map[string]string `mapstructure:"-"` // The sysctl custom configurations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

singular here too(?)

client/driver/docker.go Outdated
@@ -142,6 +142,10 @@ type DockerDriverConfig struct {
PortMapRaw []map[string]int `mapstructure:"port_map"` //
PortMap map[string]int `mapstructure:"-"` // A map of host port labels and the ports exposed on the container
Privileged bool `mapstructure:"privileged"` // Flag to run the container in privileged mode
SysctlsRaw []map[string]string `mapstructure:"sysctls"` //
Sysctls map[string]string `mapstructure:"-"` // The sysctl custom configurations
UlimitsRaw []map[string]string `mapstructure:"ulimits"` //
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and here?

client/driver/docker.go Outdated
SysctlsRaw []map[string]string `mapstructure:"sysctls"` //
Sysctls map[string]string `mapstructure:"-"` // The sysctl custom configurations
UlimitsRaw []map[string]string `mapstructure:"ulimits"` //
Ulimits []docker.ULimit `mapstructure:"-"` // The ulimit custom configurations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and here?

@ashald
Copy link

ashald commented Mar 30, 2017
edited
Loading

Is there is reason this must be docker specific? It'd be nice if was supported for all drivers (or at least exec/other containers), xref: #2352

@samber samber force-pushed the driver-docker-sysctl-ulimit branch 2 times, most recently from afb7ca9 to cf248e6 Compare March 31, 2017 08:33
@samber
Copy link
Contributor Author

samber commented Mar 31, 2017
edited
Loading

@jippi I made some fixes

CI does not pass, I think it's due to master branch

@samber samber force-pushed the driver-docker-sysctl-ulimit branch from cf248e6 to 175646e Compare April 3, 2017 08:13
@samber samber force-pushed the driver-docker-sysctl-ulimit branch from 175646e to 26ffff7 Compare April 3, 2017 08:34
@samber
Copy link
Contributor Author

samber commented Apr 3, 2017

rebased, CI passing

@lfarnell
Copy link
Contributor

lfarnell commented Apr 3, 2017

I would agree with @ashald on this. If you're going to do it for container's at the least, you should do it for rkt as well. Not to mention other drivers would be benefit from this.

@samber
Copy link
Contributor Author

samber commented Apr 3, 2017

@lfarnell @ashald ok, some PRs should follow this one very soon, for other drivers

@dadgar
Copy link
Contributor

dadgar commented Apr 3, 2017

Hey all, we are looking into adding a new stanza so this can be abstracted to all relevant drivers in 0.6.0. There won't be much activity on this PR until we have that design finalized.

@nanoz
Copy link
Contributor

nanoz commented May 4, 2017

Any news on this @dadgar regarding the design of the sysctl stanza ? Not being able to configure somaxconn params and the like is a show stopper for production use

@samber
Copy link
Contributor Author

samber commented May 5, 2017

If I can help in any way, just let me know ;)

@nanoz
Copy link
Contributor

nanoz commented Jun 14, 2017
edited
Loading

Hello @dadgar, any update on this issue? Do you now know what this generic stanza would look like? We are ready to work on a PR as soon as we have this information.

We are really looking for this feature :)

@commarla
Copy link

Hey,
Do you have any news on this ? Thanks.

@commarla
Copy link

Hey @dadgar any news on this ? Thanks

@jippi
Copy link
Contributor

jippi commented Nov 13, 2017

will sysctl and ulimit complain if you are trying to change a property that isn't within a cgroup?

as an example redis expect vm.overcommit_memory=1, which isn't currently implemented as a cgroup property, and thus will affect the entire host system - i would not want those to be applied outside my containers scope, and thus those should fail hard rather than being silently ignored or even applied

@commarla
Copy link

Hi @jippi,

no it doesn't, if I start my container in privileged mode and run sysctl vm.overcommit_memory=1. It affects the whole system and not only the container.

@jippi
Copy link
Contributor

jippi commented Nov 13, 2017

@commarla thats fine and expected, but what will the behaviour be if you start the container in non-privileged mode? just silently ignored?

@commarla
Copy link

@jippi it fails with an error

root@439a24aaa498:/data# sysctl vm.overcommit_memory=1
sysctl: setting key "vm.overcommit_memory": Read-only file system
root@439a24aaa498:/data# echo $?
255

@jippi
Copy link
Contributor

jippi commented Nov 13, 2017

same behaviour if you do like below?

task "redis" {
    driver = "docker"
    config {
      image: "redis:3.2"
      sysctl {
        vm.overcommit_memory = "1"
      }
    }
}

@commarla
Copy link

I don't understand. sysctl is not a valid field. It is the purpose of this PR.

@jippi
Copy link
Contributor

jippi commented Nov 13, 2017

yes, my question is, what will the behaviour be once this PR is merged in, when providing sysctl{} that can't be applied within a cgroup, or that is launched without priviledged access

@commarla
Copy link

commarla commented Nov 13, 2017
edited
Loading

Ok the result should be the same than running this command

❯ docker run --rm --sysctl="vm.overcommit_memory=1" redis:3.2
invalid argument "vm.overcommit_memory=1" for --sysctl=vm.overcommit_memory=1: sysctl 'vm.overcommit_memory=1' is not whitelisted
See 'docker run --help'.

docker only allow whitelisted sysctls options, see at the end of this page https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime

With a whitelisted sysctl it works:

docker run --rm --sysctl="net.core.somaxconn=16384" redis:3.2
Unable to find image 'redis:3.2' locally
3.2: Pulling from library/redis
d13d02fa248d: Pull complete
039f8341839e: Pull complete

@jippi
Copy link
Contributor

jippi commented Nov 13, 2017

great - couldn't be happier with this PR then :)

@nanoz
Copy link
Contributor

nanoz commented Nov 17, 2017

How about merging this as is and create a second PR with rkt support later?
Right now, I need to maintain a prestart script and run containers as privileged because of this missing feature and Im not confortable with the level of security it implies.

@ashald
Copy link

ashald commented Nov 17, 2017

We're using rkt and this feature is important for us as well so I hope we won't postpone rkt too much. :)

@preetapan
Copy link
Contributor

Closing this in favor of #3568 where I rebased and fixed merge conflicts. That PR preserves commit history

@preetapan preetapan closed this Nov 17, 2017
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 17, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jippi jippi jippi left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@samber @ashald @lfarnell @dadgar @nanoz @commarla @jippi @preetapan