From ed2350569a210684b5cdb180f516d1e6b877d16f Mon Sep 17 00:00:00 2001
From: Amir Gorodetzky <62236150+amirgo1@users.noreply.github.com>
Date: Fri, 11 Nov 2022 22:50:03 +0200
Subject: [PATCH] Add sysctl (#278)

Signed-off-by: amirgo1
Signed-off-by: amirgo1
Co-authored-by: Peter Zhu
---
 charts/opensearch/CHANGELOG.md | 12 +++++++++-
 charts/opensearch/Chart.yaml | 2 +-
 charts/opensearch/README.md | 2 +-
 .../ci/ci-ingress-class-name-values.yaml | 11 +++++++++-
 .../opensearch/ci/ci-rbac-enabled-values.yaml | 10 ++++++++-
 charts/opensearch/ci/ci-values.yaml | 10 ++++++++-
 charts/opensearch/templates/statefulset.yaml | 22 ++++++++++++++++++-
 charts/opensearch/values.yaml | 10 ++++++++-
 8 files changed, 71 insertions(+), 8 deletions(-)

diff --git a/charts/opensearch/CHANGELOG.md b/charts/opensearch/CHANGELOG.md
index 8c9f0f55..560556e4 100644
--- a/charts/opensearch/CHANGELOG.md
+++ b/charts/opensearch/CHANGELOG.md
@@ -13,6 +13,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 ### Security
 ---
+## [2.7.0]
+### Added
+- Add option to enable the use of `sysctlInit` to set sysctl vm.max_map_count through privileged `initContainer`. See: [Issue #87](https://github.com/opensearch-project/helm-charts/issues/87)
+### Changed
+### Deprecated
+### Removed
+### Fixed
+### Security
+---
 ## [2.6.2]
 ### Added
 - Liveness probe for statefulset
@@ -122,7 +131,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Security
-[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.2...HEAD
+[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.7.0...HEAD
+[2.7.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.1...opensearch-2.7.0
 [2.6.2]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.1...opensearch-2.6.2
 [2.6.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.6.0...opensearch-2.6.1
 [2.6.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.5.0...opensearch-2.6.0
diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml
index 5f2c0bc4..fad2ea74 100644
--- a/charts/opensearch/Chart.yaml
+++ b/charts/opensearch/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.6.2
+version: 2.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/opensearch/README.md b/charts/opensearch/README.md
index 8b89ba6e..2bfe7100 100644
--- a/charts/opensearch/README.md
+++ b/charts/opensearch/README.md
@@ -97,7 +97,7 @@ helm uninstall my-release
 | `service.transportPortName` | The name of the transport port within the service | `transport` |
 | `service.type` | OpenSearch [Service Types][] | `ClusterIP` |
 | `sidecarResources` | Allows you to set the [resources][] for the sidecar containers in the StatefulSet | {} |
-| `sysctlInitContainer` | Allows you to disable the `sysctlInitContainer` if you are setting sysctl vm.max_map_count` with another method | `enabled: true` |
+| `sysctlInit` | Allows you to enable the `sysctlInit` to set sysctl vm.max_map_count through privileged `initContainer`. | `enabled: false` |
 | `sysctlVmMaxMapCount` | Sets the [vm.max_map_count][] needed for OpenSearch | `262144` |
 | `terminationGracePeriod` | The [terminationGracePeriod][] in seconds used when trying to stop the pod | `120` |
 | `tolerations` | Configurable [tolerations][] | `[]` |
diff --git a/charts/opensearch/ci/ci-ingress-class-name-values.yaml b/charts/opensearch/ci/ci-ingress-class-name-values.yaml
index fc41b812..2223f5bf 100644
--- a/charts/opensearch/ci/ci-ingress-class-name-values.yaml
+++ b/charts/opensearch/ci/ci-ingress-class-name-values.yaml
@@ -407,11 +407,20 @@ networkPolicy:
 # please use the above podSecurityContext.fsGroup instead
 fsGroup: ""
-## Set optimal sysctl's. This requires privilege. Can be disabled if
+## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
 ## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
 ## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 sysctl:
 enabled: false
+
+## Set optimal sysctl's through privileged initContainer.
+sysctlInit:
+ enabled: true
+ # override image, which is busybox by default
+ # image: busybox
+ # override image tag, which is latest by default
+ # imageTag:
+
 ## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
 plugins:
 enabled: false
diff --git a/charts/opensearch/ci/ci-rbac-enabled-values.yaml b/charts/opensearch/ci/ci-rbac-enabled-values.yaml
index 57b1acd9..42ec6231 100755
--- a/charts/opensearch/ci/ci-rbac-enabled-values.yaml
+++ b/charts/opensearch/ci/ci-rbac-enabled-values.yaml
@@ -407,12 +407,20 @@ networkPolicy:
 # please use the above podSecurityContext.fsGroup instead
 fsGroup: ""
-## Set optimal sysctl's. This requires privilege. Can be disabled if
+## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
 ## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
 ## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 sysctl:
 enabled: false
+## Set optimal sysctl's through privileged initContainer.
+sysctlInit:
+ enabled: false
+ # override image, which is busybox by default
+ # image: busybox
+ # override image tag, which is latest by default
+ # imageTag:
+
 ## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
 plugins:
 enabled: false
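Review bot: The new `## Set optimal sysctl's through privileged initContainer.` comment above `sysctlInit:` does not say which setting the container applies or what it requires, and the same block is repeated verbatim in ci-rbac-enabled-values.yaml (later on this line), ci-values.yaml and values.yaml, so the wording should be fixed in all four. I would expand it to `## Set vm.max_map_count (from sysctlVmMaxMapCount) via an init container that runs privileged as root. Needs a namespace that admits privileged pods.` so the cost of `enabled: true` is visible next to the switch. The `# override image tag, which is latest by default` hint should also state that `latest` is a mutable tag and that operators are expected to pin it, since this image ends up running privileged. Setting `enabled: true` in this ingress-class CI values file while the others stay `false` appears to be a deliberate way to keep the privileged path exercised in CI; a one-line comment saying so would stop someone "fixing" it later.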
diff --git a/charts/opensearch/ci/ci-values.yaml b/charts/opensearch/ci/ci-values.yaml
index 86758b0c..c63eab66 100755
--- a/charts/opensearch/ci/ci-values.yaml
+++ b/charts/opensearch/ci/ci-values.yaml
@@ -394,12 +394,20 @@ networkPolicy:
 # please use the above podSecurityContext.fsGroup instead
 fsGroup: ""
-## Set optimal sysctl's. This requires privilege. Can be disabled if
+## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
 ## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
 ## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 sysctl:
 enabled: false
+## Set optimal sysctl's through privileged initContainer.
+sysctlInit:
+ enabled: false
+ # override image, which is busybox by default
+ # image: busybox
+ # override image tag, which is latest by default
+ # imageTag:
+
 ## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
 plugins:
 enabled: false
diff --git a/charts/opensearch/templates/statefulset.yaml b/charts/opensearch/templates/statefulset.yaml
index 91e17329..83b0c86c 100644
--- a/charts/opensearch/templates/statefulset.yaml
+++ b/charts/opensearch/templates/statefulset.yaml
@@ -220,7 +220,7 @@ spec:
 {{- if .Values.hostAliases }}
 hostAliases: {{ toYaml .Values.hostAliases | nindent 8 }}
 {{- end }}
-{{- if or (.Values.extraInitContainers) (.Values.keystore) (.Values.persistence.enabled) }}
+{{- if or (.Values.extraInitContainers) (.Values.keystore) (.Values.persistence.enabled) (.Values.sysctlInit.enabled) }}
 initContainers:
 {{- if and .Values.persistence.enabled .Values.persistence.enableInitChown }}
 - name: fsgroup-volume
@@ -236,6 +236,26 @@ spec:
 - name: "{{ template "opensearch.uname" . }}"
 mountPath: {{ .Values.opensearchHome }}/data
 {{- end }}
+{{- if .Values.sysctlInit.enabled }}
+ - name: sysctl
+ image: "{{ template "opensearch.dockerRegistry" . }}{{ .Values.sysctlInit.image | default "busybox" }}:{{ .Values.sysctlInit.imageTag | default "latest" }}"
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ command:
+ - sh
+ - -c
+ - |
+ set -xe
+ DESIRED="{{ .Values.sysctlVmMaxMapCount }}"
+ CURRENT=$(sysctl -n vm.max_map_count)
+ if [ "$DESIRED" -gt "$CURRENT" ]; then
+ sysctl -w vm.max_map_count=$DESIRED
+ fi
+ securityContext:
+ runAsUser: 0
+ privileged: true
+ resources:
+ {{ toYaml .Values.initResources | nindent 10 }}
+{{- end }}
 {{ if .Values.keystore }}
 - name: keystore
 image: "{{ template "opensearch.dockerRegistry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml
index eb5a7ea9..4534d1c6 100644
--- a/charts/opensearch/values.yaml
+++ b/charts/opensearch/values.yaml
@@ -427,12 +427,20 @@ networkPolicy:
 # please use the above podSecurityContext.fsGroup instead
 fsGroup: ""
-## Set optimal sysctl's. This requires privilege. Can be disabled if
+## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
 ## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
 ## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 sysctl:
 enabled: false
+## Set optimal sysctl's through privileged initContainer.
+sysctlInit:
+ enabled: false
+ # override image, which is busybox by default
+ # image: busybox
+ # override image tag, which is latest by default
+ # imageTag:
+
 ## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
 plugins:
 enabled: false
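Review bot: The new `sysctl` init container runs with `privileged: true` and `runAsUser: 0`, yet the `image:` line defaults its tag to the mutable `latest`, so a root, privileged container is bound to whatever is published under that tag at pull time, and its `imagePullPolicy` is inherited from `.Values.image.pullPolicy` rather than chosen for this container. I would give `sysctlInit.imageTag` a pinned default in values.yaml (a fixed busybox release, or a digest) and keep `latest` only as a documented opt-in, so the privileged path is at least reproducible. A comment above `{{- if .Values.sysctlInit.enabled }}` such as `# privileged root init container: only runs where the namespace admits privileged pods (PodSecurity "privileged" level)` would spare operators a debugging round when admission rejects the pod. The `-gt` comparison before `sysctl -w` is a good choice, since it makes the container a no-op on nodes that are already tuned. The `initContainers:` list this hunk extends is opened in the previous hunk, so the surrounding guard is outside this one.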