Thanks to visit codestin.com
Credit goes to github.com

Skip to content

kubelet & kube-proxy: ignore sysctl errors and rlimit errors when running in UserNS (for rootless) #92863

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 8, 2021
Merged

kubelet & kube-proxy: ignore sysctl errors and rlimit errors when running in UserNS (for rootless) #92863

merged 4 commits into from
Jul 8, 2021

Conversation

AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Jul 7, 2020
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:
Ignore sysctl errors and rlimit errors when running in UserNS.

These changes are required for Rootless mode. See KEP for the further information.

Special notes for your reviewer:

How to test rootless mode with this PR:

To run the smoke test suite, run ./hack/smoketest-binaries.sh instead of ./install.sh ....

After this PR gets merged, I'm planning to add kind tests with Rootless Docker (or Podman).

Does this PR introduce a user-facing change?:

Adds feature gate `KubeletInUserNamespace` which enables support for running kubelet in a user namespace.

The user namespace has to be created before running kubelet.
All the node components such as CRI need to be running in the same user namespace.

When the feature gate is enabled, kubelet ignores errors that happens during setting the following sysctl values: `vm.overcommit_memory`, `vm.panic_on_oom`, `kernel.panic`, `kernel.panic_on_oops`, `kernel.keys.root_maxkeys`, `kernel.keys.root_maxbytes`. (These sysctl values for the host, not for the containers)

kubelet also ignores an error during opening `/dev/kmsg`.
This feature gate also allows kube-proxy to ignore an error during setting `RLIMIT_NOFILE`.

This feature gate is especially useful for running Kubernetes inside Rootless Docker/Podman with `kind` or `minikube`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless

The patches are from Usernetes project: https://github.com/rootless-containers/usernetes/tree/master/src/patches/kubernetes

KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
Tracking issue: kubernetes/enhancements#2033
Documentation PR: kubernetes/website#28827

kubelet changes

Ignore errors that happens during setting the following sysctl values:

  • vm.overcommit_memory
  • vm.panic_on_oom
  • kernel.panic
  • kernel.panic_on_oops
  • kernel.keys.root_maxkeys
  • kernel.keys.root_maxbytes

Also ignores an error during opening /dev/kmsg.

Gated by KubeletInUserNamespace feature gate.

kube-proxy changes

Ignore an error during setting RLIMIT_NOFILE

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jul 7, 2020
@k8s-ci-robot
Copy link
Contributor

Hi @AkihiroSuda. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 7, 2020
@AkihiroSuda
Copy link
Member Author

cc @giuseppe @cyphar @rhatdan @KentaTada FYI

@k8s-ci-robot k8s-ci-robot added area/kubelet area/test kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 7, 2020
@AkihiroSuda AkihiroSuda mentioned this pull request Jul 7, 2020
Merged
@hakman
Copy link
Member

hakman commented Jul 7, 2020

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 7, 2020
@fejta-bot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

tedyu
tedyu reviewed Jul 8, 2020
View reviewed changes
@AkihiroSuda
Copy link
Member Author

/retest

@AkihiroSuda
Copy link
Member Author

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

This PR doesn't change any API other than KubeletConfiguration, which seems out of the scope of "API change"

@AkihiroSuda
Copy link
Member Author

CI failure doesn't seem related

giuseppe
giuseppe reviewed Jul 8, 2020
View reviewed changes
SergeyKanzhelev
SergeyKanzhelev reviewed Jul 9, 2020
View reviewed changes
@AkihiroSuda
Copy link
Member Author

CI failure is unrelated 

I0705 07:27:49.411] NAME                 STATUS      MESSAGE                                                                                       ERROR
I0705 07:27:49.412] scheduler            Unhealthy   Get "http://127.0.0.1:10251/healthz": dial tcp 127.0.0.1:10251: connect: connection refused   
I0705 07:27:49.412] etcd-0               Healthy     {"health":"true","reason":""}                                                                 
I0705 07:27:49.412] etcd-1               Healthy     {"health":"true","reason":""}                                                                 
I0705 07:27:49.413] controller-manager   Healthy     ok                                                                                            
I0705 07:27:49.415] Validation returned one or more failed components. Cluster is probably broken.

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/92863/pull-kubernetes-e2e-gce-alpha-features/1411942353094053888/

/retest

@AkihiroSuda
Copy link
Member Author

/retest

@aojea
Copy link
Member

aojea commented Jul 5, 2021

/approve
sig-network changes

@neolit123
Copy link
Member

Added support for rootless mode

i recommend amending the release note to be more specific of what the change is about and what components are being modified.

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Jul 6, 2021
edited
Loading

@neolit123

Updated.

Adds feature gate `KubeletInUserNamespace` which enables support for running kubelet in a user namespace.

The user namespace has to be created before running kubelet.
All the node components such as CRI need to be running in the same user namespace.

When the feature gate is enabled, kubelet ignores errors that happens during setting the following sysctl values: `vm.overcommit_memory`, `vm.panic_on_oom`, `kernel.panic`, `kernel.panic_on_oops`, `kernel.keys.root_maxkeys`, `kernel.keys.root_maxbytes`. (These sysctl values for the host, not for the containers)

kubelet also ignores an error during opening `/dev/kmsg`.
This feature gate also allows kube-proxy to ignore an error during setting `RLIMIT_NOFILE`.

This feature gate is especially useful for running Kubernetes inside Rootless Docker/Podman with `kind` or `minikube`.

/retest

@AkihiroSuda
Copy link
Member Author

/retest

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 6, 2021
@AkihiroSuda
New feature gate: KubeletInUserNamespace
b16323e 
Enables support for running kubelet in a user namespace.
The user namespace has to be created before running kubelet.
All the node components such as CRI need to be running in the same user namespace.

See kubernetes/enhancements PR 1371 (merged) and issue 2033.

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
kubelet/cm: ignore sysctl error when running in userns
dbe0155 
Errors during setting the following sysctl values are ignored:
- vm.overcommit_memory
- vm.panic_on_oom
- kernel.panic
- kernel.panic_on_oops
- kernel.keys.root_maxkeys
- kernel.keys.root_maxbytes

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
kube-proxy: allow running in userns
192790c 
Ignore an error during setting RLIMIT_NOFILE.

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
kubelet: ignore /dev/kmsg error when running in userns
26e83ac 
oomwatcher.NewWatcher returns "open /dev/kmsg: operation not permitted" error,
when running with sysctl value `kernel.dmesg_restrict=1`.

The error is negligible for KubeletInUserNamespace.

Signed-off-by: Akihiro Suda <[email protected]>
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 7, 2021
@AkihiroSuda
Copy link
Member Author

Rebased

@AkihiroSuda
Copy link
Member Author

@kubernetes/sig-node-pr-reviews Can we get this reviewed before v1.22 Code Freeze on July 8th? 🙏

@AkihiroSuda AkihiroSuda mentioned this pull request Jul 7, 2021
Merged
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jul 7, 2021
edited
Loading

@AkihiroSuda: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
pull-kubernetes-e2e-gce-alpha-features 26e83ac link /test pull-kubernetes-e2e-gce-alpha-features

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@dims
Copy link
Member

dims commented Jul 7, 2021

/skip

@dims
Copy link
Member

dims commented Jul 7, 2021

/hold cancel

the KEP is ready for 1.22

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 7, 2021
ehashman
ehashman reviewed Jul 7, 2021
View reviewed changes
Copy link
Member

@ehashman ehashman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 7, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AkihiroSuda, aojea, dims, kolyshkin, mrunalp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2021
@k8s-ci-robot k8s-ci-robot merged commit ebbe63f into kubernetes:master Jul 8, 2021
@AkihiroSuda
Copy link
Member Author

Thanks all for reviewing and approval!

Opened a doc PR: kubernetes/website#28827

@mengjiao-liu mengjiao-liu mentioned this pull request Jul 15, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Random-Liu Random-Liu Awaiting requested review from Random-Liu

@SergeyKanzhelev SergeyKanzhelev Awaiting requested review from SergeyKanzhelev

7 more reviewers

@giuseppe giuseppe giuseppe left review comments

@cbandy cbandy cbandy left review comments

@tedyu tedyu tedyu left review comments

@ehashman ehashman ehashman requested changes

@aojea aojea aojea left review comments

@mrunalp mrunalp mrunalp approved these changes

@kolyshkin kolyshkin kolyshkin approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@dims dims

@ehashman ehashman

@derekwaynecarr derekwaynecarr

@SergeyKanzhelev SergeyKanzhelev

@andrewsykim andrewsykim

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
SIG Node CI/Test Board
Archived in project
SIG Node: code and documentation PRs
Archived in project
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.