Loading...

XML

Word

Printable

Type: Bug
Resolution: Can't Do
Priority: Major
Fix Version/s: None
Affects Version/s: 4.14, 4.17
Component/s: Node / CRI-O
Labels:
- crio
- network
- sysctls
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

 Failed to create pod sandbox due to failed to pin namespaces [0xc001e7df20 0xc001e7df50 0xc001e7df80]: [pinns:w]: failed to open /proc/sys/net/ipv4/tcp_max_orphans: No such file or directory

Version-Release number of selected component (if applicable):

    4.14.35, 4.17

How reproducible:

    100%

Steps to Reproduce:

    1. Create kubeletconfig to allow unsafe sysctls
~~~
cat kubeletconfig-sample.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
 name: custom-kubelet
spec:
 machineConfigPoolSelector:
  matchLabels:
    custom-kubelet: sysctl
 kubeletConfig:
  allowedUnsafeSysctls:
    - "net.ipv4.tcp_max_orphans"
~~~


    2. Verify at the node level, if the changes are pushed:
~~~
$ ssh core@worker1.example.com
$ sudo -i
# cat /etc/kubernetes/kubelet.conf  | grep "net.ipv4.tcp_max_orphans" -A2 -B2
  "containerLogMaxSize": "50Mi",
  "allowedUnsafeSysctls": [
    "net.ipv4.tcp_max_orphans"
  ],
  "logging": {
~~~

    3. Make sure that the respective network kernel parameter is present on the node
~~~
# cat /proc/sys/net/ipv4/tcp_max_orphans
32768
~~~

   4. Create a POD:
~~~
# cat pod-sample.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-sysctl
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.tcp_max_orphans
      value: "10240"
  containers:
  - name: busybox
    image: busybox
    command: ['sh', '-c', 'sleep 3600']
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000

# oc create -f pod-sample.yaml
~~~

5. Pod stuck in ContainerCreating state:
~~~
# oc get pods
NAME          READY   STATUS              RESTARTS   AGE
test-sysctl   0/1     ContainerCreating   0          43m
~~~

6. Unable to open `/proc/sys/net/ipv4/tcp_max_orphans`:
~~~
# oc describe pod test-sysctl
  Warning  FailedCreatePodSandBox  3m58s (x179 over 42m)  kubelet  (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to pin namespaces [0xc001ca92f0 0xc001ca9320 0xc001ca9350]: [pinns:w]: failed to open /proc/sys/net/ipv4/tcp_max_orphans: No such file or directory
~~~

Actual results:

    The pod stuck in ContainerCreating with the error `failed to open /proc/sys/net/ipv4/tcp_max_orphans: No such file or directory`

Expected results:

    The pod should come up in running state after allowing the unsafe sysctl.

Additional info:

Assignee:: Peter Hunt

Reporter:: Divyam Pateriya

Need Info From:: None

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/11/28 10:58 AM

Updated:: 2025/09/12 7:21 PM

Resolved:: 2025/02/06 7:59 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates