// setupKernelTunables compares each kernel tunable the kubelet relies on with
// its desired value and, depending on option, reports the mismatch as an
// error, logs it, or rewrites the sysctl to the desired value.
// It returns an aggregate of every problem encountered, or nil if there were none.
func setupKernelTunables(option KernelTunableBehavior) error {
	wanted := map[string]int{
		utilsysctl.VmOvercommitMemory: utilsysctl.VmOvercommitMemoryAlways,
		utilsysctl.VmPanicOnOOM:       utilsysctl.VmPanicOnOOMInvokeOOMKiller,
		utilsysctl.KernelPanic:        utilsysctl.KernelPanicRebootTimeout,
		utilsysctl.KernelPanicOnOops:  utilsysctl.KernelPanicOnOopsAlways,
	}
	problems := make([]error, 0, len(wanted))
	for name, want := range wanted {
		if err := reconcileKernelTunable(option, name, want); err != nil {
			problems = append(problems, err)
		}
	}
	return utilerrors.NewAggregate(problems)
}

// reconcileKernelTunable reads a single sysctl and acts on a mismatch with
// want according to option. It returns the read error, the mismatch error
// (KernelTunableError) or the write error (KernelTunableModify); a warning
// or a matching value yields nil.
func reconcileKernelTunable(option KernelTunableBehavior, name string, want int) error {
	got, err := utilsysctl.GetSysctl(name)
	if err != nil {
		return err
	}
	if got == want {
		return nil
	}
	switch option {
	case KernelTunableError:
		return fmt.Errorf("Invalid kernel flag: %v, expected value: %v, actual value: %v", name, want, got)
	case KernelTunableWarn:
		glog.V(2).Infof("Invalid kernel flag: %v, expected value: %v, actual value: %v", name, want, got)
	case KernelTunableModify:
		glog.V(2).Infof("Updating kernel flag: %v, expected value: %v, actual value: %v", name, want, got)
		// A failed write is reported so the caller can aggregate it.
		return utilsysctl.SetSysctl(name, want)
	}
	return nil
}
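// Init prepares the host for the no-op network plugin.
//
// The plugin performs no container networking itself, so host, hairpinMode
// and nonMasqueradeCIDR are accepted only to satisfy the plugin interface and
// are unused. It loads the br_netfilter module and sets
// bridge-nf-call-iptables=1 so that the iptables-based kube-proxy keeps
// working as it did with older kubelets; both steps are best-effort and are
// only logged on failure. Init always returns nil.
func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode componentconfig.HairpinMode, nonMasqueradeCIDR string) error {
	// Set bridge-nf-call-iptables=1 to maintain compatibility with older
	// kubernetes versions to ensure the iptables-based kube proxy functions
	// correctly. Other plugins are responsible for setting this correctly
	// depending on whether or not they connect containers to Linux bridges
	// or use some other mechanism (ie, SDN vswitch).
	// Ensure the netfilter module is loaded on kernel >= 3.18; previously
	// it was built-in, so modprobe failing is expected there. The failure is
	// therefore not fatal, but it is recorded at high verbosity so that a
	// sysctl failure below can be explained from the logs.
	if out, err := utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput(); err != nil {
		glog.V(4).Infof("modprobe br-netfilter failed (ignored): %v, output: %q", err, string(out))
	}
	// Without this sysctl, bridged traffic is not passed through iptables and
	// the kube-proxy rules are bypassed, so the warning is worth acting on.
	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
	}
	return nil
}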
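// Init wires the kubenet plugin to its host and prepares the node for
// bridged pod networking.
//
// It records host, hairpinMode and nonMasqueradeCIDR on the plugin, builds
// the CNI search path from DefaultCNIDir and the plugin's vendor directory,
// takes the bridge MTU from the interface returned by findMinMTU (best-effort,
// logged on failure), loads br_netfilter and sets bridge-nf-call-iptables=1
// (best-effort, logged on failure), parses the loopback CNI config, locates
// the nsenter binary and installs the SNAT rule for outbound cluster traffic.
// The loopback config, the nsenter lookup and the masquerade rule are
// required; the first error from any of them is returned.
func (plugin *kubenetNetworkPlugin) Init(host network.Host, hairpinMode componentconfig.HairpinMode, nonMasqueradeCIDR string) error {
	plugin.host = host
	plugin.hairpinMode = hairpinMode
	plugin.nonMasqueradeCIDR = nonMasqueradeCIDR
	plugin.cniConfig = &libcni.CNIConfig{
		Path: []string{DefaultCNIDir, plugin.vendorDir},
	}

	if link, err := findMinMTU(); err == nil {
		plugin.MTU = link.MTU
		glog.V(5).Infof("Using interface %s MTU %d as bridge MTU", link.Name, link.MTU)
	} else {
		glog.Warningf("Failed to find default bridge MTU: %v", err)
	}

	// Since this plugin uses a Linux bridge, set bridge-nf-call-iptables=1
	// is necessary to ensure kube-proxy functions correctly.
	//
	// modprobe will fail on older kernel versions (< 3.18) where the module
	// was built-in, so the failure is not fatal; it is logged at high
	// verbosity only, so that a sysctl failure below can be explained.
	// A better thing to do is to check the kernel version in the future.
	if out, err := plugin.execer.Command("modprobe", "br-netfilter").CombinedOutput(); err != nil {
		glog.V(4).Infof("modprobe br-netfilter failed (ignored): %v, output: %q", err, string(out))
	}
	// Without this sysctl, bridged pod traffic is not passed through iptables
	// and the kube-proxy rules are bypassed, so the warning is worth acting on.
	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
	}

	var err error
	plugin.loConfig, err = libcni.ConfFromBytes([]byte(`{ "cniVersion": "0.1.0", "name": "kubenet-loopback", "type": "loopback" }`))
	if err != nil {
		return fmt.Errorf("Failed to generate loopback config: %v", err)
	}

	plugin.nsenterPath, err = plugin.execer.LookPath("nsenter")
	if err != nil {
		return fmt.Errorf("Failed to find nsenter binary: %v", err)
	}

	// Need to SNAT outbound traffic from cluster.
	return plugin.ensureMasqRule()
}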