OCPBUGS-45164

Unable to create pod with unsafe sysctl parameter `net.ipv4.tcp_max_orphans`


      Description of problem:

       Failed to create pod sandbox due to failed to pin namespaces [0xc001e7df20 0xc001e7df50 0xc001e7df80]: [pinns:w]: failed to open /proc/sys/net/ipv4/tcp_max_orphans: No such file or directory

      Version-Release number of selected component (if applicable):

          4.14.35, 4.17

      How reproducible:

          100%

      Steps to Reproduce:

          1. Create kubeletconfig to allow unsafe sysctls
      ~~~
      cat kubeletconfig-sample.yaml
      apiVersion: machineconfiguration.openshift.io/v1
      kind: KubeletConfig
      metadata:
       name: custom-kubelet
      spec:
       machineConfigPoolSelector:
        matchLabels:
          custom-kubelet: sysctl
       kubeletConfig:
        allowedUnsafeSysctls:
          - "net.ipv4.tcp_max_orphans"
      ~~~
      
      
          2. Verify at the node level that the changes have been pushed:
      ~~~
      $ ssh core@worker1.example.com
      $ sudo -i
      # cat /etc/kubernetes/kubelet.conf  | grep "net.ipv4.tcp_max_orphans" -A2 -B2
        "containerLogMaxSize": "50Mi",
        "allowedUnsafeSysctls": [
          "net.ipv4.tcp_max_orphans"
        ],
        "logging": {
      ~~~
      
          3. Make sure that the respective network kernel parameter is present on the node
      ~~~
      # cat /proc/sys/net/ipv4/tcp_max_orphans
      32768
      ~~~
      
          4. Create a pod:
      ~~~
      # cat pod-sample.yaml
      apiVersion: v1
      kind: Pod
      metadata:
        name: test-sysctl
      spec:
        securityContext:
          sysctls:
          - name: net.ipv4.tcp_max_orphans
            value: "10240"
        containers:
        - name: busybox
          image: busybox
          command: ['sh', '-c', 'sleep 3600']
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
      
      # oc create -f pod-sample.yaml
      ~~~
      
      5. Pod stuck in ContainerCreating state:
      ~~~
      # oc get pods
      NAME          READY   STATUS              RESTARTS   AGE
      test-sysctl   0/1     ContainerCreating   0          43m
      ~~~
      
      6. Unable to open `/proc/sys/net/ipv4/tcp_max_orphans`:
      ~~~
      # oc describe pod test-sysctl
        Warning  FailedCreatePodSandBox  3m58s (x179 over 42m)  kubelet  (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to pin namespaces [0xc001ca92f0 0xc001ca9320 0xc001ca9350]: [pinns:w]: failed to open /proc/sys/net/ipv4/tcp_max_orphans: No such file or directory
      ~~~
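The kubelet's gate for `allowedUnsafeSysctls` only matches the requested name against the safe list and the configured patterns and treats every `net.*` name as network-namespaced, but `net.ipv4.tcp_max_orphans` is registered by the kernel for the initial network namespace only (it sits in the global `ipv4_table`, not the per-netns table), so the file is absent in the new network namespace pinns configures, which is the `No such file or directory` the event reports. The following pre-flight check is an added example, not code from this report, CRI-O or OpenShift: it reproduces the kubelet admission logic in simplified form, adds a probe for whether the sysctl exists in a fresh network namespace, and parses the event text back into a sysctl name for alerting. `check_pod_sysctls`, `fake_probe` and the other names are this example's own, the safe-sysctl list is a subset, and the inputs are constructed to mirror the manifests and event above.

```python
"""Pre-flight check for pod-level sysctls (added example, not kubelet/CRI-O code)."""
import re
import shutil
import subprocess
from typing import Callable, Dict, List, Optional

# Subset of the sysctls Kubernetes treats as "safe" (namespaced and isolated),
# which need no allowedUnsafeSysctls entry.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Shape of the pinns error text quoted in this report's FailedCreatePodSandBox event.
FAILED_OPEN_RE = re.compile(r"failed to open (/proc/sys/\S+?): No such file or directory")


def sysctl_to_proc_path(name: str) -> str:
    """'net.ipv4.tcp_max_orphans' -> '/proc/sys/net/ipv4/tcp_max_orphans' (slash form accepted too)."""
    return "/proc/sys/" + name.replace(".", "/")


def proc_path_to_sysctl(path: str) -> str:
    """Inverse of sysctl_to_proc_path, used to turn event text back into a sysctl name."""
    prefix = "/proc/sys/"
    if path.startswith(prefix):
        path = path[len(prefix):]
    return path.replace("/", ".")


def allowed_by_kubelet(name: str, allowed_unsafe: List[str]) -> bool:
    """Safe sysctls are always admitted; anything else must match an
    allowedUnsafeSysctls entry. An entry ending in '*' (e.g. 'net.*') is a prefix pattern."""
    if name in SAFE_SYSCTLS:
        return True
    for pattern in allowed_unsafe:
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return True
        elif name == pattern:
            return True
    return False


def exists_in_new_netns(path: str) -> Optional[bool]:
    """Probe whether `path` is visible inside a freshly unshared network namespace.
    Needs CAP_SYS_ADMIN (run as root on the node). Returns None when the probe
    could not run, so callers can tell 'unknown' from 'absent'."""
    if shutil.which("unshare") is None:
        return None
    script = 'test -e "$1" && echo present || echo absent'
    try:
        out = subprocess.run(["unshare", "-n", "sh", "-c", script, "sh", path],
                             capture_output=True, text=True, timeout=10).stdout.strip()
    except (OSError, subprocess.TimeoutExpired):
        return None
    return {"present": True, "absent": False}.get(out)


def check_pod_sysctls(pod_sysctls: Dict[str, str], allowed_unsafe: List[str],
                      probe: Callable[[str], Optional[bool]] = exists_in_new_netns) -> Dict[str, str]:
    """Classify each sysctl a pod requests:
      'rejected'      kubelet admission would refuse it
      'ok'            admitted and present in a new network namespace
      'not-in-netns'  admitted, but absent in a new network namespace (pinns fails as in this report)
      'unknown'       admitted, probe could not run
    Only net.* names are probed; the netns probe says nothing about IPC-scoped sysctls."""
    verdicts: Dict[str, str] = {}
    for name in pod_sysctls:
        if not allowed_by_kubelet(name, allowed_unsafe):
            verdicts[name] = "rejected"
        elif not (name.startswith("net.") or name.startswith("net/")):
            verdicts[name] = "ok"
        else:
            seen = probe(sysctl_to_proc_path(name))
            verdicts[name] = "unknown" if seen is None else ("ok" if seen else "not-in-netns")
    return verdicts


def sysctl_from_pinns_event(event_text: str) -> Optional[str]:
    """Recover the dotted sysctl name from a FailedCreatePodSandBox event so an
    alert can name the offending pod sysctl instead of a /proc path."""
    m = FAILED_OPEN_RE.search(event_text)
    return proc_path_to_sysctl(m.group(1)) if m else None


# Constructed inputs mirroring the report's KubeletConfig, Pod and event text.
KUBELET_ALLOWED_UNSAFE = ["net.ipv4.tcp_max_orphans"]
POD_SYSCTLS = {"net.ipv4.tcp_max_orphans": "10240"}
EVENT = ("Failed to create pod sandbox: rpc error: code = Unknown desc = failed to pin "
         "namespaces [0xc001ca92f0 0xc001ca9320 0xc001ca9350]: [pinns:w]: failed to open "
         "/proc/sys/net/ipv4/tcp_max_orphans: No such file or directory")


def fake_probe(path: str) -> Optional[bool]:
    """Stand-in for exists_in_new_netns so the example runs unprivileged; it
    reproduces the report's observation that tcp_max_orphans is absent in a new netns."""
    return path != "/proc/sys/net/ipv4/tcp_max_orphans"


if __name__ == "__main__":
    for name, verdict in check_pod_sysctls(POD_SYSCTLS, KUBELET_ALLOWED_UNSAFE, fake_probe).items():
        print(f"{name}: {verdict}")
    print("event names sysctl:", sysctl_from_pinns_event(EVENT))
```

Run it as root on a node to use the real `unshare -n` probe instead of `fake_probe`; a `not-in-netns` verdict before the pod is created is the signal that an `allowedUnsafeSysctls` entry will admit a sysctl that pinns cannot set.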
      
      Actual results:

          The pod is stuck in ContainerCreating with the error `failed to open /proc/sys/net/ipv4/tcp_max_orphans: No such file or directory`

      Expected results:

          The pod should come up in the Running state after the unsafe sysctl has been allowed.

      Additional info:

          

              pehunt@redhat.com Peter Hunt
              rhn-support-dpateriy Divyam Pateriya