From e0f3a328a11ed16b14ae99438f0ec0d80dce004d Mon Sep 17 00:00:00 2001 From: Simon Croome Date: Thu, 8 Oct 2020 16:08:06 +0100 Subject: [PATCH 1/3] Don't conflict with kubecover kind clusters --- e2e.sh | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/e2e.sh b/e2e.sh index a743311..4767e95 100755 --- a/e2e.sh +++ b/e2e.sh @@ -2,6 +2,8 @@ set -Eeuxo pipefail +cluster="init" + prepare_host() { sudo apt -y update sudo apt -y install linux-modules-extra-$(uname -r) @@ -18,12 +20,14 @@ run_kind() { curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/"${K8S_VERSION}"/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ echo - echo "Create Kubernetes cluster with kind..." - # kind create cluster --image=kindest/node:"$K8S_VERSION" - kind create cluster --image storageos/kind-node:"$K8S_VERSION" --name kind-1 + if [ $(kind get clusters | grep -c ^$cluster$) -eq 0 ]; then + echo "Create Kubernetes cluster with kind..." + # kind create cluster --image=kindest/node:"$K8S_VERSION" + kind create cluster --image storageos/kind-node:"$K8S_VERSION" --name "$cluster" + fi echo "Export kubeconfig..." - kind get kubeconfig --name="kind-1" > kubeconfig.yaml + kind get kubeconfig --name="$cluster" > kubeconfig.yaml export KUBECONFIG="kubeconfig.yaml" echo @@ -50,7 +54,7 @@ main() { echo # Copy the init container image into KinD. - x=$(docker ps -f name=kind-1-control-plane -q) + x=$(docker ps -f name=${cluster}-control-plane -q) docker save storageos/init:test > init.tar docker cp init.tar $x:/init.tar @@ -82,6 +86,7 @@ main() { echo "Checking init container exit code" exitCode=$(kubectl get pod $stospod --no-headers -o go-template='{{(index .status.initContainerStatuses 0).state.terminated.exitCode}}') + kubectl delete -f daemonset.yaml if [ "$exitCode" == "0" ]; then echo "init successful!" exit 0 From fc7bbec106fb0c31ea8c76a6ff6220673740747e Mon Sep 17 00:00:00 2001 
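Review bot: In the run_kind hunk, the existence test `[ $(kind get clusters | grep -c ^$cluster$) -eq 0 ]` leaves `$cluster` and the pattern unquoted and treats the name as a regular expression, so a name containing regex metacharacters or whitespace would change what is matched. A fixed-string, whole-line match states the intent: `if [ "$(kind get clusters | grep -cxF -- "$cluster")" -eq 0 ]; then`. Keeping `grep -c` rather than `grep -q` is sensible under `pipefail`, because `-q` can close the pipe early and fail the pipeline; a one-line comment saying so would protect it from a later tidy-up. When a cluster of that name already exists the test now runs against whatever state it holds, which deserves a comment above the `if`. run_kind's body starts and ends outside the hunk.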
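Review bot: `docker ps -f name=${cluster}-control-plane -q` in the third hunk can return more than one ID, because the `name` filter appears to match on a substring, so another kind cluster whose name merely ends in `init` would match as well, and the unquoted `$x` in `docker cp init.tar $x:/init.tar` would then split into several words. Anchoring the filter and quoting the result avoids picking up a foreign cluster's node: `x=$(docker ps -q -f "name=^${cluster}-control-plane\$")` and `docker cp init.tar "$x":/init.tar`. An empty `$x` (no such container) should fail explicitly before `docker cp` runs. main's body starts and ends outside the hunk.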
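Review bot: The added `kubectl delete -f daemonset.yaml` runs before the exit-code check while `set -Eeuxo pipefail` is in force, so a failed delete ends the script at that line and the init container's result is never reported. Making the cleanup best-effort keeps the verdict intact: `kubectl delete -f daemonset.yaml --ignore-not-found || echo "daemonset cleanup failed" >&2`. Failures earlier in main still exit without any cleanup; an `EXIT` trap would cover those, though the rest of main is outside the hunk.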
From: Simon Croome Date: Thu, 8 Oct 2020 16:09:03 +0100 Subject: [PATCH 2/3] Add mx pids limit check --- daemonset.yaml | 4 +++ scripts/02-limits/limits.sh | 69 +++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100755 scripts/02-limits/limits.sh diff --git a/daemonset.yaml b/daemonset.yaml index ad240f2..21f36ba 100644 --- a/daemonset.yaml +++ b/daemonset.yaml @@ -73,6 +73,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: MINIMUM_MAX_PIDS_LIMIT + value: "1024" + - name: RECOMMENDED_MAX_PIDS_LIMIT + value: "4096" volumeMounts: - name: kernel-modules mountPath: /lib/modules diff --git a/scripts/02-limits/limits.sh b/scripts/02-limits/limits.sh new file mode 100755 index 0000000..9f08bd3 --- /dev/null +++ b/scripts/02-limits/limits.sh 
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+# For a directory containeing the cgroup slice information, return the value of
+# pids.max, or 0 if set to "max". Return -1 exit code if the file doesn't exist.
+function read_max_pids() {
+ if [ ! -f ${1}/pids.max ]; then
+ return -1
+ fi
+ local max_pids=$(<${1}/pids.max)
+ if [ $max_pids == "max" ]; then
+ echo 0
+ return
+ fi
+ echo $max_pids
+}
+
+default_max_pids_limit=999999999
+max_pids_limit=$default_max_pids_limit
+dirprefix="/sys/fs/cgroup/pids"
+
+for cg in $(grep :pids: /proc/self/cgroup); do
+ # Parse out the slice field from the cgroup output.
+ # ::
+ dirsuffix=$(echo "$cg" | awk -F\: '{print $3}')
+
+ # The slice field can have a prefix that is not part of the directory path.
+ # This must be stripped iteratively until we find the valid slice directory.
+ while [ ! -d "${dirprefix}/${dirsuffix}" ]; do
+ dirsuffix=${dirsuffix#*/}
+ done
+ dir="${dirprefix}/${dirsuffix}"
+
+ # Start at the current cgroup and traverse up the directory hierarchy
+ # reading max.pids in each. The lowest value will be the effective max.pids
+ # value.
+ while [ -f "${dir}/pids.max" ]; do
+ max_pids=$(read_max_pids "${dir}")
+ if [[ $max_pids -gt 0 && $max_pids -lt $max_pids_limit ]]; then
+ max_pids_limit=$max_pids
+ fi
+ dir="${dir}/.."
+ done
+done
+
+# TBC: Don't fail if we can't determine limit.
+if [ $max_pids_limit -eq $default_max_pids_limit ]; then
+ echo "WARNING: Unable to determine effective max.pids limit"
+ exit 0
+fi
+
+# Fail if MINIMUM_MAX_PIDS_LIMIT is set and is greater than current limit.
+if [[ -n "${MINIMUM_MAX_PIDS_LIMIT}" && $MINIMUM_MAX_PIDS_LIMIT -gt $max_pids_limit ]]; then
+ echo "ERROR: Effective max.pids limit ($max_pids_limit) less than MINIMUM_MAX_PIDS_LIMIT ($MINIMUM_MAX_PIDS_LIMIT)"
+ exit 1
+fi
+
+if [ -n "${RECOMMENDED_MAX_PIDS_LIMIT}" ]; then
+ if [ $RECOMMENDED_MAX_PIDS_LIMIT -gt $max_pids_limit ]; then
+ echo "WARNING: Effective max.pids limit ($max_pids_limit) less than RECOMMENDED_MAX_PIDS_LIMIT ($RECOMMENDED_MAX_PIDS_LIMIT)"
+ else
+ echo "SUCCESS: Effective max.pids limit ($max_pids_limit) at least RECOMMENDED_MAX_PIDS_LIMIT ($RECOMMENDED_MAX_PIDS_LIMIT)"
+ fi
+ exit 0
+fi
+
+# No requirements set, just output current limit.
+echo "Effective max.pids limit: $max_pids_limit"
From 069fe831b89173b21985fbaaa2ecdb20dbb1f7bf Mon Sep 17 00:00:00 2001
From: Simon Croome
Date: Tue, 13 Oct 2020 16:07:44 +0100
Subject: [PATCH 3/3] Change OK message
---
 scripts/02-limits/limits.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/02-limits/limits.sh b/scripts/02-limits/limits.sh
index 9f08bd3..abcb980 100755
--- a/scripts/02-limits/limits.sh
+++ b/scripts/02-limits/limits.sh
@@ -60,7 +60,7 @@ if [ -n "${RECOMMENDED_MAX_PIDS_LIMIT}" ]; then
 if [ $RECOMMENDED_MAX_PIDS_LIMIT -gt $max_pids_limit ]; then
 echo "WARNING: Effective max.pids limit ($max_pids_limit) less than RECOMMENDED_MAX_PIDS_LIMIT ($RECOMMENDED_MAX_PIDS_LIMIT)"
 else
- echo "SUCCESS: Effective max.pids limit ($max_pids_limit) at least RECOMMENDED_MAX_PIDS_LIMIT ($RECOMMENDED_MAX_PIDS_LIMIT)"
+ echo "OK: Effective max.pids limit ($max_pids_limit) at least RECOMMENDED_MAX_PIDS_LIMIT ($RECOMMENDED_MAX_PIDS_LIMIT)"
 fi
 exit 0
 fi
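Review bot: The prefix-stripping loop `while [ ! -d "${dirprefix}/${dirsuffix}" ]` in the new limits.sh never terminates when no suffix of the slice path is a directory: once `dirsuffix` holds no `/`, `${dirsuffix#*/}` returns it unchanged and the test stays true, so the init container hangs instead of reporting. That is reachable whenever `/sys/fs/cgroup/pids` is absent or the slice path is not visible inside the container. The loop should stop when stripping makes no progress and skip that entry, as in the fence below. Separately, when `/proc/self/cgroup` has no `:pids:` line (a unified cgroup v2 hierarchy, for example) the script prints the WARNING and exits 0, so the MINIMUM_MAX_PIDS_LIMIT check is skipped rather than enforced; the `TBC` comment should state whether that is intended.

```shell
  while [ ! -d "${dirprefix}/${dirsuffix}" ]; do
    stripped=${dirsuffix#*/}
    if [ "$stripped" = "$dirsuffix" ]; then
      # Nothing left to strip and still no matching directory: skip this
      # cgroup entry rather than spinning.
      continue 2
    fi
    dirsuffix=$stripped
  done
  # … unchanged: dir assignment and upward pids.max traversal …
```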