From 303d5a16cb8f2ad2f36c231647d2561c9fc275d6 Mon Sep 17 00:00:00 2001
From: Dawn Chen
Date: Fri, 20 May 2016 15:52:35 -0700
Subject: [PATCH 1/2] Config root_maxkeys to 1000000, root_maxbytes to 25000000
---
 cmd/kubelet/app/server.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 6e852cd5aed..f18457a8182 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -21,6 +21,7 @@ import (
 "crypto/tls"
 "errors"
 "fmt"
+ "io/ioutil"
 "math/rand"
 "net"
 "net/http"
@@ -668,6 +669,22 @@ func RunKubelet(kcfg *KubeletConfig) error {
 util.ApplyRLimitForSelf(kcfg.MaxOpenFiles)
+ // TODO(dawnchen): remove this once we deprecated old debian containervm images.
+ // This is a workaround for issue: https://github.com/opencontainers/runc/issues/726
+ // The current chosen number is consistent with most of other os dist.
+ const maxkey_path = "/proc/sys/kernel/keys/root_maxkeys"
+ glog.Infof("Setting keys quota in %s to %d", maxkey_path, 1000000)
+ err = ioutil.WriteFile(maxkey_path, []byte(fmt.Sprintf("%d", uint32(1000000))), 0644)
+ if err != nil {
+ return fmt.Errorf("failed to update %s: %v", maxkey_path, err)
+ }
+ const maxbyte_path = "/proc/sys/kernel/keys/root_maxbytes"
+ glog.Infof("Setting keys bytes in %s to %d", maxbyte_path, 25000000)
+ err = ioutil.WriteFile(maxbyte_path, []byte(fmt.Sprintf("%d", uint32(25000000))), 0644)
+ if err != nil {
+ return fmt.Errorf("failed to update %s: %v", maxbyte_path, err)
+ }
+
 // process pods and exit.
 if kcfg.Runonce {
 if _, err := k.RunOnce(podCfg.Updates()); err != nil {
From a8ac041c44a55bba0eae9d29a5f8ecd5d6a6021a Mon Sep 17 00:00:00 2001
From: Dawn Chen
Date: Mon, 23 May 2016 17:02:11 -0700
Subject: [PATCH 2/2] Config the root_maxkeys and root_maxbytes if the existing values are smaller than the default ones.
---
 cmd/kubelet/app/server.go | 36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)
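Review bot: The comment block added before the two `ioutil.WriteFile` calls in RunKubelet (second hunk of PATCH 1/2) cites the upstream issue but does not say what the setting is: `root_maxkeys` and `root_maxbytes` are kernel-wide quotas on keys owned by root, so the kubelet is changing a resource limit for the whole node, and nothing in the hunk puts the old value back. I would add a line such as `// NOTE: these are host-wide kernel keyring quotas for root-owned keys; the new values stay in effect after the kubelet exits.` so that an operator auditing node hardening can trace the change to this code. RunKubelet starts and ends outside the hunk.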
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index f18457a8182..9bcbebc5ecd 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -672,17 +672,37 @@ func RunKubelet(kcfg *KubeletConfig) error {
 // TODO(dawnchen): remove this once we deprecated old debian containervm images.
 // This is a workaround for issue: https://github.com/opencontainers/runc/issues/726
 // The current chosen number is consistent with most of other os dist.
- const maxkey_path = "/proc/sys/kernel/keys/root_maxkeys"
- glog.Infof("Setting keys quota in %s to %d", maxkey_path, 1000000)
- err = ioutil.WriteFile(maxkey_path, []byte(fmt.Sprintf("%d", uint32(1000000))), 0644)
+ const maxkeysPath = "/proc/sys/kernel/keys/root_maxkeys"
+ const minKeys uint64 = 1000000
+ key, err := ioutil.ReadFile(maxkeysPath)
 if err != nil {
- return fmt.Errorf("failed to update %s: %v", maxkey_path, err)
+ glog.Errorf("Cannot read keys quota in %s", maxkeysPath)
+ } else {
+ fields := strings.Fields(string(key))
+ nkey, _ := strconv.ParseUint(fields[0], 10, 64)
+ if nkey < minKeys {
+ glog.Infof("Setting keys quota in %s to %d", maxkeysPath, minKeys)
+ err = ioutil.WriteFile(maxkeysPath, []byte(fmt.Sprintf("%d", uint64(minKeys))), 0644)
+ if err != nil {
+ glog.Warningf("Failed to update %s: %v", maxkeysPath, err)
+ }
+ }
 }
- const maxbyte_path = "/proc/sys/kernel/keys/root_maxbytes"
- glog.Infof("Setting keys bytes in %s to %d", maxbyte_path, 25000000)
- err = ioutil.WriteFile(maxbyte_path, []byte(fmt.Sprintf("%d", uint32(25000000))), 0644)
+ const maxbytesPath = "/proc/sys/kernel/keys/root_maxbytes"
+ const minBytes uint64 = 25000000
+ bytes, err := ioutil.ReadFile(maxbytesPath)
 if err != nil {
- return fmt.Errorf("failed to update %s: %v", maxbyte_path, err)
+ glog.Errorf("Cannot read keys bytes in %s", maxbytesPath)
+ } else {
+ fields := strings.Fields(string(bytes))
+ nbyte, _ := strconv.ParseUint(fields[0], 10, 64)
+ if nbyte < minBytes {
+ glog.Infof("Setting keys bytes in %s to %d", maxbytesPath, minBytes)
+ err = ioutil.WriteFile(maxbytesPath, []byte(fmt.Sprintf("%d", uint64(minBytes))), 0644)
+ if err != nil {
glog.Warningf("Failed to update %s: %v", maxbytesPath, err)
+ }
+ }
 }
 // process pods and exit.
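Review bot: `fields[0]` is indexed without a length check and the error from `strconv.ParseUint` is discarded, in both the root_maxkeys and the root_maxbytes block of this hunk. An empty or whitespace-only read makes `strings.Fields` return an empty slice, so the kubelet would panic at startup; content that is not a decimal number leaves `nkey`/`nbyte` at 0, so the code overwrites a kernel quota it never managed to read. Parsing with `nkey, perr := strconv.ParseUint(strings.TrimSpace(string(key)), 10, 64)` and skipping the write with a warning when `perr != nil` covers both cases. The two `glog.Errorf` calls on the read path also drop `err`; appending `: %v` with `err` would show why the read failed. RunKubelet begins and ends outside the hunk.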