Skip to content
This repository has been archived by the owner on Aug 14, 2020. It is now read-only.

ace: add sysctl isolator #645

Closed
lucab opened this issue Aug 11, 2016 · 3 comments
Closed

ace: add sysctl isolator #645

lucab opened this issue Aug 11, 2016 · 3 comments

Comments

@lucab
Copy link
Contributor

lucab commented Aug 11, 2016
edited
Loading

Applications running inside pods may need to tweak several namespaced sysctl parameters. There is a need for executor to support this (rkt/rkt#2694), and OCI Linux runtime manifest already features a sysctl stanza (https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#sysctl).

In short, ACE should provide an os/linux/sysctl isolator.
@jonboulle
Copy link
Contributor

At what level would you expect this to work? (app vs pod vs both)

@lucab
Copy link
Contributor Author

lucab commented Aug 12, 2016

This conceptually would be "pod, only". Current k8s proposal also goes into that direction.

However, it is my understanding that OCI runtime spec defines this per-app. I'm not sure how k8s will address this when integrating CRI + sysctl + OCI (some discussion here).

Looking forward to an OCI transition, an alternative approach would be to define those per-app and also specify the behavior when stacking multiple apps in a pod (in this case: merge with some priority ordering for conflicting entries).

Another open question would be: should specs take care of specifying allowed value, e.g. a whitelist of sysctl prefixes? (My personal opinion is that this should be left to implementations to decide).

@jonboulle
Copy link
Contributor

On 12 August 2016 at 12:43, Luca Bruno notifications@github.com wrote:

However, it is my understanding that OCI runtime spec defines
https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#sysctl
this per-app. I'm not sure how k8s will address this when integrating CRI +
sysctl + OCI (some discussion here
https://github.com/kubernetes/kubernetes/pull/25899/files#r64867763).

Looking forward to an OCI transition, an alternative approach would be to
define those per-app and also specify the behavior when stacking multiple
apps in a pod (in this case: merge with some priority ordering for
conflicting entries).

Thinking about this a bit more: it really doesn't seem coherent to have
per-app sysctl settings in the absence of "sysctl namespaces". The only
benefit see in allowing such granularity is if we anticipate that such
support would be added to the kernel and/or OCI, but that's probably a long
way out. I think OCI just supports it at the per-app level because that's
the minimum and maximum execution unit they define. So it seems to me it'd
be reasonable to have this per-pod in appc.

Another open question would be: should specs take care of specifying
allowed value, e.g. a whitelist of sysctl prefixes? (My personal opinion is
that this should be left to implementations to decide).

Agreed, but we might want to comment here on the network namespace
exceptions.

@lucab lucab mentioned this issue Aug 17, 2016
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lucab @jonboulle