kubernetes - Setting net.ipv4.tcp_timestamps=0 in a Pod

Tags: kubernetes kernel sysctl

I want to set net.ipv4.tcp_timestamps=0 in the Pods of my k8s cluster, but it gives me an error:

sysctl: cannot stat /proc/sys/net/ipv4/tcp_timestamps: No such file or directory

A container created directly with `docker run` has the same problem. Is there any way to set this parameter in a container/Pod? Thanks.

Best answer

In Kubernetes, sysctls are divided into safe and unsafe:

In addition to proper namespacing, a safe sysctl must be properly isolated between pods on the same node. This means that setting a safe sysctl for one pod

  • must not have any influence on any other pod on the node
  • must not allow to harm the node’s health
  • must not allow to gain CPU or memory resources outside of the resource limits of a pod.

By far, most of the namespaced sysctls are not necessarily considered safe. The following sysctls are supported in the safe set:

  • kernel.shm_rmid_forced,
  • net.ipv4.ip_local_port_range,
  • net.ipv4.tcp_syncookies.

By default, all safe sysctls are enabled. All unsafe sysctls are disabled and must be allowed manually by the cluster admin on each node:

kubelet --allowed-unsafe-sysctls \
 'kernel.msg*,net.core.somaxconn' ...

For Minikube, this can be done via the extra-config flag:

minikube start --extra-config="kubelet.allowed-unsafe-sysctls=kernel.msg*,net.core.somaxconn"...

Only namespaced sysctls can be enabled this way.

This is from the k8s docs under Enabling Unsafe Sysctls.

As for Setting Sysctls for a Pod:

A number of sysctls are namespaced in today’s Linux kernels. This means that they can be set independently for each pod on a node. Only namespaced sysctls are configurable via the pod securityContext within Kubernetes.

The following sysctls are known to be namespaced. This list could change in future versions of the Linux kernel.

  • kernel.shm*,
  • kernel.msg*,
  • kernel.sem,
  • fs.mqueue.*,
  • The parameters under net.* that can be set in container networking namespace. However, there are exceptions (e.g., net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_expect_max can be set in container networking namespace but they are unnamespaced).

Sysctls with no namespace are called node-level sysctls. If you need to set them, you must manually configure them on each node’s operating system, or by using a DaemonSet with privileged containers.

Use the pod securityContext to configure namespaced sysctls. The securityContext applies to all containers in the same pod.

This example uses the pod securityContext to set a safe sysctl kernel.shm_rmid_forced and two unsafe sysctls net.core.somaxconn and kernel.msgmax. There is no distinction between safe and unsafe sysctls in the specification.

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
    - name: net.core.somaxconn
      value: "1024"
    - name: kernel.msgmax
      value: "65536"
  ...

You may also be interested in the following questions on StackOverflow: Pros and cons of disabling TCP timestamps and What benefit is conferred by TCP timestamp?
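Added example, not part of the question or the answer above and not kubelet code: a small pre-admission check that applies the rules quoted in the answer to a Pod manifest. The safe set, the namespaced families and the node-level exceptions are taken from the docs text quoted above; the allow-list matching (exact name, or prefix match when the pattern ends in '*') mirrors how the --allowed-unsafe-sysctls flag is documented and is an assumption here. SAMPLE_POD, ALLOWED_UNSAFE and all function names are constructed for this example. Note that this covers only the kubelet policy side: whether net.ipv4.tcp_timestamps exists inside the container's network namespace at all depends on the node kernel (the key became per-network-namespace in Linux 4.13), and the "No such file or directory" in the question is consistent with an older kernel, where no pod-level setting can help.

```python
"""Classify the sysctls a Pod asks for against the safe / unsafe / node-level rules.

Illustrative code, not the kubelet's implementation. Verdicts:
  node-level      not namespaced; needs host config or a privileged DaemonSet
  safe            always accepted via securityContext
  unsafe-allowed  accepted only on nodes whose kubelet allow-lists it
  unsafe-blocked  namespaced but not allow-listed; the pod is rejected
"""
from __future__ import annotations

import os

# Safe set, exactly as quoted from the Kubernetes docs above.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
})

# Namespaced families from the quoted "Setting Sysctls for a Pod" text.
NAMESPACED_PREFIXES = ("kernel.shm", "kernel.msg", "fs.mqueue.", "net.")
NAMESPACED_EXACT = frozenset({"kernel.sem"})
# Reachable from the container's netns but still node-level (quoted exceptions).
NODE_LEVEL_EXCEPTIONS = frozenset({
    "net.netfilter.nf_conntrack_max",
    "net.netfilter.nf_conntrack_expect_max",
})


def is_namespaced(name: str) -> bool:
    """True when the quoted docs list the sysctl's family as namespaced."""
    if name in NODE_LEVEL_EXCEPTIONS:
        return False
    return name in NAMESPACED_EXACT or name.startswith(NAMESPACED_PREFIXES)


def parse_allowed_unsafe(flag_value: str) -> tuple[frozenset[str], tuple[str, ...]]:
    """Split a --allowed-unsafe-sysctls value into exact names and prefixes.

    Assumption: a pattern ending in '*' allows every key with that prefix;
    anything else must match exactly.
    """
    exact: set[str] = set()
    prefixes: list[str] = []
    for pattern in flag_value.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        if pattern.endswith("*"):
            prefixes.append(pattern[:-1])
        else:
            exact.add(pattern)
    return frozenset(exact), tuple(prefixes)


def classify(name: str, allowed_exact: frozenset[str],
             allowed_prefixes: tuple[str, ...]) -> str:
    """Return the verdict for one sysctl name on a node with the given allow-list."""
    if not is_namespaced(name):
        return "node-level"
    if name in SAFE_SYSCTLS:
        return "safe"
    # str.startswith with an empty tuple is simply False, so an empty allow-list is safe here.
    if name in allowed_exact or name.startswith(allowed_prefixes):
        return "unsafe-allowed"
    return "unsafe-blocked"


def check_pod(pod: dict, allowed_unsafe_flag: str) -> dict[str, str]:
    """Map every entry of pod.spec.securityContext.sysctls to its verdict."""
    exact, prefixes = parse_allowed_unsafe(allowed_unsafe_flag)
    sysctls = pod.get("spec", {}).get("securityContext", {}).get("sysctls", [])
    return {entry["name"]: classify(entry["name"], exact, prefixes) for entry in sysctls}


def sysctl_path(name: str) -> str:
    """The /proc/sys path the sysctl tool stats for a dotted key (no '/' in components)."""
    return "/proc/sys/" + name.replace(".", "/")


def visible_here(name: str) -> bool:
    """Whether the key exists in the namespaces this process runs in (run it inside the container)."""
    return os.path.exists(sysctl_path(name))


# Constructed manifest: the answer's example plus the key from the question
# and one of the node-level exceptions.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sysctl-example"},
    "spec": {
        "securityContext": {
            "sysctls": [
                {"name": "kernel.shm_rmid_forced", "value": "0"},
                {"name": "net.core.somaxconn", "value": "1024"},
                {"name": "kernel.msgmax", "value": "65536"},
                {"name": "net.ipv4.tcp_timestamps", "value": "0"},
                {"name": "net.netfilter.nf_conntrack_max", "value": "262144"},
            ]
        }
    },
}
# The same value the answer passes to kubelet --allowed-unsafe-sysctls.
ALLOWED_UNSAFE = "kernel.msg*,net.core.somaxconn"

if __name__ == "__main__":
    for key, verdict in check_pod(SAMPLE_POD, ALLOWED_UNSAFE).items():
        print(f"{key:40s} {verdict}")
```

With the answer's allow-list, net.ipv4.tcp_timestamps comes back as unsafe-blocked: it is in the namespaced net.* family but not allow-listed, so the fix on the policy side is to add it to --allowed-unsafe-sysctls on every node that should run the pod. Running visible_here("net.ipv4.tcp_timestamps") inside the container separates that case from the kernel case in the question, where the key is absent from the container's network namespace and the pod setting cannot take effect.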

Regarding "kubernetes - Setting net.ipv4.tcp_timestamps=0 in a Pod", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60135914/
