Commit

Add sysctl (opensearch-project#278)
Signed-off-by: amirgo1 <amirgoro1@gmail.com>

Signed-off-by: amirgo1 <amirgoro1@gmail.com>
Co-authored-by: Peter Zhu <zhujiaxi@amazon.com>
amirgo1 and peterzhuamazon authored Nov 11, 2022
1 parent aca0199 commit ed23505
Showing 8 changed files with 71 additions and 8 deletions.
12 changes: 11 additions & 1 deletion charts/opensearch/CHANGELOG.md
Expand Up @@ -13,6 +13,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
### Security
---
## [2.7.0]
### Added
- Add option to enable the use of `sysctlInit` to set sysctl vm.max_map_count through privileged `initContainer`. See: [Issue #87](https://github.com/opensearch-project/helm-charts/issues/87)
### Changed
### Deprecated
### Removed
### Fixed
### Security
---
## [2.6.2]
### Added
- Liveness probe for statefulset
Expand Down Expand Up @@ -122,7 +131,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Security


[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.2...HEAD
[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.7.0...HEAD
[2.7.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.1...opensearch-2.7.0
[2.6.2]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.1...opensearch-2.6.2
[2.6.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.0...opensearch-2.6.1
[2.6.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.5.0...opensearch-2.6.0
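Review bot: the new `[2.7.0]` link reference compares `opensearch-2.6.1...opensearch-2.7.0`, the same starting tag that `[2.6.2]` uses, so the 2.7.0 link also shows the 2.6.2 changes. Since 2.6.2 is the preceding release in this file, the range should read `opensearch-2.6.2...opensearch-2.7.0`.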
2 changes: 1 addition & 1 deletion charts/opensearch/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 2.6.2
version: 2.7.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
2 changes: 1 addition & 1 deletion charts/opensearch/README.md
Expand Up @@ -97,7 +97,7 @@ helm uninstall my-release
| `service.transportPortName` | The name of the transport port within the service | `transport` |
| `service.type` | OpenSearch [Service Types][] | `ClusterIP` |
| `sidecarResources` | Allows you to set the [resources][] for the sidecar containers in the StatefulSet | {} |
| `sysctlInitContainer` | Allows you to disable the `sysctlInitContainer` if you are setting sysctl vm.max_map_count` with another method | `enabled: true` |
| `sysctlInit` | Allows you to enable the `sysctlInit` to set sysctl vm.max_map_count through privileged `initContainer`. | `enabled: false` |
| `sysctlVmMaxMapCount` | Sets the [vm.max_map_count][] needed for OpenSearch | `262144` |
| `terminationGracePeriod` | The [terminationGracePeriod][] in seconds used when trying to stop the pod | `120` |
| `tolerations` | Configurable [tolerations][] | `[]` |
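Review bot: the new `sysctlInit` row documents only `enabled`, but the values files in this commit also introduce `sysctlInit.image` and `sysctlInit.imageTag`, which a reader of this table cannot discover. Add rows for both with their defaults (`busybox` and `latest`). The removed `sysctlInitContainer` row advertised `enabled: true` while the new key defaults to `enabled: false`, so the CHANGELOG entry should state that the init container is off unless explicitly enabled.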
11 changes: 10 additions & 1 deletion charts/opensearch/ci/ci-ingress-class-name-values.yaml
Expand Up @@ -407,11 +407,20 @@ networkPolicy:
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""

## Set optimal sysctl's. This requires privilege. Can be disabled if
## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctl:
enabled: false

## Set optimal sysctl's through privileged initContainer.
sysctlInit:
enabled: true
# override image, which is busybox by default
# image: busybox
# override image tag, which is latest by default
# imageTag:

## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
plugins:
enabled: false
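Review bot: `sysctlInit.enabled: true` in this CI values file differs from `ci-values.yaml` and `ci-rbac-enabled-values.yaml`, which both set it to `false`, and nothing in the file says why. If the intent is to exercise the privileged init container in CI, say so in the comment above `sysctlInit:` or move it to a dedicated CI values file. As written, the ingress-class-name test also depends on the CI cluster admitting privileged pods.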
10 changes: 9 additions & 1 deletion charts/opensearch/ci/ci-rbac-enabled-values.yaml
Expand Up @@ -407,12 +407,20 @@ networkPolicy:
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""

## Set optimal sysctl's. This requires privilege. Can be disabled if
## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctl:
enabled: false

## Set optimal sysctl's through privileged initContainer.
sysctlInit:
enabled: false
# override image, which is busybox by default
# image: busybox
# override image tag, which is latest by default
# imageTag:

## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
plugins:
enabled: false
10 changes: 9 additions & 1 deletion charts/opensearch/ci/ci-values.yaml
Expand Up @@ -394,12 +394,20 @@ networkPolicy:
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""

## Set optimal sysctl's. This requires privilege. Can be disabled if
## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctl:
enabled: false

## Set optimal sysctl's through privileged initContainer.
sysctlInit:
enabled: false
# override image, which is busybox by default
# image: busybox
# override image tag, which is latest by default
# imageTag:

## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
plugins:
enabled: false
22 changes: 21 additions & 1 deletion charts/opensearch/templates/statefulset.yaml
Expand Up @@ -220,7 +220,7 @@ spec:
{{- if .Values.hostAliases }}
hostAliases: {{ toYaml .Values.hostAliases | nindent 8 }}
{{- end }}
{{- if or (.Values.extraInitContainers) (.Values.keystore) (.Values.persistence.enabled) }}
{{- if or (.Values.extraInitContainers) (.Values.keystore) (.Values.persistence.enabled) (.Values.sysctlInit.enabled) }}
initContainers:
{{- if and .Values.persistence.enabled .Values.persistence.enableInitChown }}
- name: fsgroup-volume
Expand All @@ -236,6 +236,26 @@ spec:
- name: "{{ template "opensearch.uname" . }}"
mountPath: {{ .Values.opensearchHome }}/data
{{- end }}
{{- if .Values.sysctlInit.enabled }}
- name: sysctl
image: "{{ template "opensearch.dockerRegistry" . }}{{ .Values.sysctlInit.image | default "busybox" }}:{{ .Values.sysctlInit.imageTag | default "latest" }}"
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
command:
- sh
- -c
- |
set -xe
DESIRED="{{ .Values.sysctlVmMaxMapCount }}"
CURRENT=$(sysctl -n vm.max_map_count)
if [ "$DESIRED" -gt "$CURRENT" ]; then
sysctl -w vm.max_map_count=$DESIRED
fi
securityContext:
runAsUser: 0
privileged: true
resources:
{{ toYaml .Values.initResources | nindent 10 }}
{{- end }}
{{ if .Values.keystore }}
- name: keystore
image: "{{ template "opensearch.dockerRegistry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
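Review bot: the `sysctl` init container runs with `privileged: true` and `runAsUser: 0`, yet its image defaults to `busybox` with tag `latest`, a mutable tag resolved through `opensearch.dockerRegistry`. That means whatever that tag points to at pull time runs with full host privileges. Default `imageTag` to a fixed version (or accept a digest), and give this container its own pull policy instead of reusing `.Values.image.pullPolicy`. In the script, `sysctl -w vm.max_map_count=$DESIRED` leaves `$DESIRED` unquoted. A non-numeric `sysctlVmMaxMapCount` also makes the `[ "$DESIRED" -gt "$CURRENT" ]` test error inside the `if` condition, which `set -e` does not trap, so the container exits 0 without changing the value. Validate the value as an integer before the comparison and fail explicitly. Since `vm.max_map_count` is not namespaced, the write changes the setting for the whole node, which is worth a comment next to `privileged: true`.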
10 changes: 9 additions & 1 deletion charts/opensearch/values.yaml
Expand Up @@ -427,12 +427,20 @@ networkPolicy:
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""

## Set optimal sysctl's. This requires privilege. Can be disabled if
## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctl:
enabled: false

## Set optimal sysctl's through privileged initContainer.
sysctlInit:
enabled: false
# override image, which is busybox by default
# image: busybox
# override image tag, which is latest by default
# imageTag:

## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
plugins:
enabled: false
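Review bot: the comments under `sysctlInit:` state that the image tag is `latest` by default but never mention that this image runs as root in a privileged container, and they do not say how `sysctlInit` relates to the `sysctl` block directly above it. Extend the `## Set optimal sysctl's through privileged initContainer.` comment to say that the two options are alternatives, that `sysctlInit` requires the namespace to admit privileged pods, and that operators should set `imageTag` to a pinned version rather than rely on the default.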
