Xenial containers fail to apply sysctl (procps)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Critical | Jean-Philippe Evrard |
Bug Description
procps, which applies values from /etc/sysctl.d/*, fails to start in our Xenial LXC containers because the /proc/sys directory is not read-write inside the container:
● systemd-
Loaded: loaded (/lib/systemd/
Active: inactive (dead)
Condition: start condition failed at Tue 2017-03-07 17:14:49 CST; 1 months 16 days ago
Docs: man:systemd-
# grep 'Condition' /lib/systemd/
ConditionPathIs
# ls -lha /proc/sys/
total 0
dr-xr-xr-x 1 root root 0 Mar 7 17:14 .
dr-xr-xr-x 1169 root root 0 Mar 7 17:14 ..
dr-xr-xr-x 1 root root 0 Apr 23 19:01 abi
dr-xr-xr-x 1 root root 0 Apr 23 19:01 debug
dr-xr-xr-x 1 root root 0 Apr 23 19:01 dev
dr-xr-xr-x 1 root root 0 Mar 7 18:50 fs
dr-xr-xr-x 1 root root 0 Mar 7 17:14 kernel
dr-xr-xr-x 1 root root 0 Mar 7 17:14 net
dr-xr-xr-x 1 root root 0 Apr 23 19:01 vm
Not sure yet if this is an OSA container configuration bug or an upstream issue.
Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Jean-Philippe Evrard (jean-philippe-evrard)
Attempting to start it manually does not work:
# /lib/systemd/systemd-sysctl
Couldn't write '1' to 'kernel/kptr_restrict', ignoring: Read-only file system
Couldn't write '4 4 1 7' to 'kernel/printk', ignoring: Read-only file system
Couldn't write '1' to 'net/ipv4/tcp_syncookies', ignoring: No such file or directory
Couldn't write '1' to 'fs/protected_hardlinks', ignoring: Read-only file system
Couldn't write '176' to 'kernel/sysrq', ignoring: Read-only file system
Couldn't write '1' to 'fs/protected_symlinks', ignoring: Read-only file system
Couldn't write '65536' to 'vm/mmap_min_addr', ignoring: Read-only file system
Couldn't write '1' to 'kernel/yama/ptrace_scope', ignoring: Read-only file system
So it seems the condition is correct. I guess it's something to be aware of if we containerize services that apply sysctls using the Ansible modules, because the sysctl will not be persistent across container reboots.
One example where this has major impact is people attempting to containerize haproxy, since it means the nonlocal_bind sysctl will not be persistent across boots, and it can cause unpredictable behavior with keepalived/haproxy.
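The read-only /proc/sys described in the bug, and the haproxy nonlocal_bind concern raised in the last comment, can be checked before a container build is trusted. The preflight script below is an added example, not code from this bug report or from OpenStack-Ansible. It assumes the sysctl(8) key-to-path convention (dots become slashes unless the key already contains a slash), it probes writability by writing each key's current value back to itself (a no-op when it works, and failing with the same "Read-only file system" versus "No such file or directory" distinction that the systemd-sysctl output shows), and the PROC_SYS_ROOT variable is a hypothetical override that exists only so the functions can be pointed at a constructed tree; real use leaves it at /proc/sys.

```shell
#!/bin/sh
# Added example, not from the bug report or OpenStack-Ansible: preflight that
# reports which keys of a sysctl.d-style fragment can actually be written in
# this container, so a read-only /proc/sys is caught before relying on procps
# (systemd-sysctl) at boot or on the Ansible sysctl module.
#
# PROC_SYS_ROOT is a hypothetical override so the functions can be exercised
# against a constructed tree; real use leaves it at /proc/sys.
PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# Map a sysctl key to its file under $PROC_SYS_ROOT using the sysctl(8)
# convention: if the key already contains '/', it is taken literally
# (so net/ipv4/conf/eth0.200/rp_filter keeps its dot); otherwise every '.'
# is a path separator.
sysctl_key_to_path() {
    case $1 in
        */*) rel=$1 ;;
        *)   rel=$(printf '%s' "$1" | tr '.' '/') ;;
    esac
    printf '%s/%s\n' "$PROC_SYS_ROOT" "$rel"
}

# Probe one key without changing it: read the current value and write it back.
# Exit status: 0 writable, 1 present but not writable (the "Read-only file
# system" lines in the bug), 2 absent (the "No such file or directory" line).
probe_sysctl() {
    p=$(sysctl_key_to_path "$1")
    [ -e "$p" ] || return 2
    cur=$(cat "$p" 2>/dev/null) || return 1
    if printf '%s\n' "$cur" > "$p" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Walk a fragment in sysctl.conf syntax ("key = value", '#'/';' comments, a
# leading '-' marking a key whose failure may be ignored) and print one status
# line per key. Returns 1 if any non-optional key cannot be applied here.
preflight_sysctl_fragment() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|';'*) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        optional=0
        case $key in
            -*) optional=1; key=${key#-} ;;
        esac
        [ -n "$key" ] || continue
        st=0
        probe_sysctl "$key" || st=$?
        case $st in
            0) label=writable ;;
            1) label=read-only; [ "$optional" -eq 1 ] || rc=1 ;;
            *) label=missing;   [ "$optional" -eq 1 ] || rc=1 ;;
        esac
        printf '%-9s %s\n' "$label" "$key"
    done < "$1"
    return "$rc"
}

# Usage inside the container: sh sysctl-preflight.sh /etc/sysctl.d/99-haproxy.conf
if [ $# -eq 1 ] && [ -f "$1" ]; then
    preflight_sysctl_fragment "$1" \
        || echo "some keys cannot be applied in this container; procps will not persist them"
fi
```

Run it inside the container against the fragment Ansible would drop into /etc/sysctl.d. A "read-only" line means procps will not apply that key at boot, and a runtime sysctl -w from the Ansible module will fail the same way; "missing" means the kernel does not expose the key in this container. Probing per key rather than testing /proc/sys once matters because LXC's proc:mixed automount leaves /proc/sys/net writable while remounting the rest of /proc/sys read-only, so a net.ipv4.* key such as ip_nonlocal_bind can behave differently from the kernel.* and fs.* keys in the output above.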