sysctl max inotify watch number is not updated on the host when k8s master is deployed in an LXD container
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Incomplete | Undecided | Harry Pidcock |
Kubernetes Control Plane Charm | Triaged | Medium | Unassigned |
Kubernetes Worker Charm | Triaged | Medium | Unassigned |
Bug Description
Kubernetes-master has a sysctl option which allows configuration of several parameters, including fs.inotify.
The default template for deploying Kubernetes is to deploy k8s-master in LXD containers. When doing so, the value is not updated on the host, which leads to the host not being able to spin up new containers. The fact that the config option exists on k8s-master leads the user to believe this value is set on the host, when in reality it is not.
Here follows an example of what is seen on a system where the limit has not been increased. The new LXD containers do not get an IP address.
ubuntu@
+---------------------+---------+-------------------------------+------+-----------+-----------+
| NAME                | STATE   | IPV4                          | IPV6 | TYPE      | SNAPSHOTS |
+---------------------+---------+-------------------------------+------+-----------+-----------+
| juju-2addd2-0-lxd-0 | RUNNING | 192.168.20.33 (eth0)          |      | CONTAINER | 0         |
+---------------------+---------+-------------------------------+------+-----------+-----------+
| juju-2addd2-0-lxd-1 | RUNNING | 192.168.20.124 (eth1)         |      | CONTAINER | 0         |
|                     |         | 138.26.125.136 (eth0)         |      |           |           |
+---------------------+---------+-------------------------------+------+-----------+-----------+
| juju-2addd2-0-lxd-2 | RUNNING | 192.168.20.66 (eth1)          |      | CONTAINER | 0         |
|                     |         | 192.168.20.209 (eth1)         |      |           |           |
|                     |         | 138.26.125.244 (eth0)         |      |           |           |
|                     |         | 138.26.125.135 (eth0)         |      |           |           |
+---------------------+---------+-------------------------------+------+-----------+-----------+
| juju-2addd2-0-lxd-3 | RUNNING | 192.168.20.187 (eth1)         |      | CONTAINER | 0         |
|                     |         | 138.26.125.137 (eth0)         |      |           |           |
|                     |         | 10.128.196.192 (vxlan.calico) |      |           |           |
+---------------------+---------+-------------------------------+------+-----------+-----------+
| juju-2addd2-0-lxd-4 | RUNNING | 192.168.20.150 (eth0)         |      | CONTAINER | 0         |
+---------------------+---------+-------------------------------+------+-----------+-----------+
| juju-2addd2-0-lxd-5 | RUNNING |                               |      | CONTAINER | 0         |
+---------------------+---------+-------------------------------+------+-----------+-----------+
| juju-2addd2-0-lxd-6 | RUNNING |                               |      | CONTAINER | 0         |
+---------------------+---------+-------------------------------+------+-----------+-----------+
$ tail /var/log/syslog
Mar 29 15:40:41 k8s-control-03 systemd[1]: user-1000.slice: Failed to add control inotify watch descriptor for control group /user.slice/
Mar 29 15:40:41 k8s-control-03 systemd[1]: Created slice User Slice of UID 1000.
Mar 29 15:40:41 k8s-control-03 systemd[1]: user-runtime-
Mar 29 15:40:41 k8s-control-03 systemd[1]: Starting User Runtime Directory /run/user/1000...
Mar 29 15:40:41 k8s-control-03 systemd[1]: Finished User Runtime Directory /run/user/1000.
Mar 29 15:40:41 k8s-control-03 systemd[1]: user@1000.service: Failed to add control inotify watch descriptor for control group /user.slice/
Mar 29 15:40:41 k8s-control-03 systemd[1]: Starting User Manager for UID 1000...
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Reached target Paths.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Reached target Timers.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Starting D-Bus User Message Bus Socket.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on GnuPG network certificate management daemon.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on GnuPG cryptographic agent and passphrase cache.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on debconf communication socket.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on REST API socket for snapd user session agent.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Listening on D-Bus User Message Bus Socket.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Reached target Sockets.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Reached target Basic System.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Reached target Main User Target.
Mar 29 15:40:41 k8s-control-03 systemd[382967]: Startup finished in 88ms.
Mar 29 15:40:41 k8s-control-03 systemd[1]: Started User Manager for UID 1000.
Mar 29 15:40:41 k8s-control-03 systemd[1]: session-795.scope: Failed to add control inotify watch descriptor for control group /user.slice/
Mar 29 15:40:41 k8s-control-03 systemd[1]: Started Session 795 of user ubuntu.
Mar 29 15:41:34 k8s-control-03 systemd[1]: motd-news.service: Failed to add control inotify watch descriptor for control group /system.
Mar 29 15:41:34 k8s-control-03 systemd[1]: Starting Message of the Day...
Mar 29 15:41:35 k8s-control-03 50-motd-
Mar 29 15:41:35 k8s-control-03 50-motd-
Mar 29 15:41:35 k8s-control-03 50-motd-
Mar 29 15:41:35 k8s-control-03 systemd[1]: motd-news.service: Succeeded.
Mar 29 15:41:35 k8s-control-03 systemd[1]: Finished Message of the Day.
Mar 29 15:41:38 k8s-control-03 systemd[1]: snap.lxd.
Mar 29 15:41:38 k8s-control-03 systemd[1]: Started snap.lxd.
Mar 29 15:41:38 k8s-control-03 systemd[382967]: run-snapd-
Mar 29 15:41:38 k8s-control-03 systemd[1]: run-snapd-
Mar 29 15:41:38 k8s-control-03 systemd[382967]: tmp-snap.
Mar 29 15:41:38 k8s-control-03 systemd[1]: tmp-snap.
Changed in juju:
assignee: nobody → Harry Pidcock (hpidcock)
The kubernetes-master charm, when deployed to LXD containers, does not have write access to kernel parameters. I recommend we remove the charm's sysctl config option to prevent confusion on this front. The same applies to kubernetes-worker.
Added Juju as an affected project. If the LXD project is recommending fs.inotify.max_user_watches=1048576 for production environments, perhaps Juju should set it?
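As an added example, not code from the charm, Juju, LXD or any participant in this bug: a host-side shell check for the inotify limit that the description and the last two comments are about. It reads the live kernel value, compares it to the 1048576 figure quoted in the comment above, reports whether the kernel parameter is writable from where the script runs (it is not from inside the LXD container, which is why a sysctl applied by the charm there never reaches the host), counts the watches currently held by visible processes, and prints the sysctl.d stanza that has to be installed on the host. The drop-in file name /etc/sysctl.d/99-lxd-inotify.conf is an assumption for illustration; the 1048576 value is taken from the thread, not verified against LXD documentation here.

```shell
#!/bin/sh
# Added example (not charm, Juju or LXD code): check the host-side inotify
# watch limit the bug above is about, and print the host-side fix.
# Assumptions: 1048576 is the LXD production figure quoted in the thread;
# the sysctl.d file name is illustrative.

LXD_RECOMMENDED_WATCHES=1048576
PROC_WATCHES=/proc/sys/fs/inotify/max_user_watches
SYSCTL_DROPIN=/etc/sysctl.d/99-lxd-inotify.conf   # assumed file name

# read_sysctl_file FILE: print the integer stored in FILE, or "unreadable".
read_sysctl_file() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo unreadable
    fi
}

# watches_ok CURRENT REQUIRED: succeed if CURRENT is a number >= REQUIRED.
watches_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # "unreadable" or garbage counts as failing
    esac
    [ "$1" -ge "$2" ]
}

# sysctl_writable FILE: succeed if this process could write the parameter.
# Inside the LXD container the charm has no write access to kernel
# parameters, so a sysctl applied there never changes the host kernel.
sysctl_writable() {
    [ -w "$1" ]
}

# count_inotify_watches: total inotify watches held by processes visible in
# /proc (each "inotify wd:" line in an fdinfo file is one watch). Needs root
# to see other users' processes; can be slow on a busy host.
count_inotify_watches() {
    total=0
    for f in /proc/[0-9]*/fdinfo/*; do
        n=$(grep -c '^inotify ' "$f" 2>/dev/null) || n=0
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# render_sysctl_conf VALUE: the sysctl.d stanza to install on the HOST.
render_sysctl_conf() {
    printf '# Raise inotify watch limit for LXD containers (host-wide kernel setting)\n'
    printf 'fs.inotify.max_user_watches = %s\n' "$1"
}

main() {
    cur=$(read_sysctl_file "$PROC_WATCHES")
    if watches_ok "$cur" "$LXD_RECOMMENDED_WATCHES"; then
        echo "OK: fs.inotify.max_user_watches=$cur (>= $LXD_RECOMMENDED_WATCHES)"
    else
        echo "LOW: fs.inotify.max_user_watches=$cur (< $LXD_RECOMMENDED_WATCHES)"
        if sysctl_writable "$PROC_WATCHES"; then
            echo "Kernel parameter is writable here; apply on this host with:"
        else
            echo "Kernel parameter is read-only here (inside a container?); apply on the LXD host with:"
        fi
        echo "cat > $SYSCTL_DROPIN <<'EOF'"
        render_sysctl_conf "$LXD_RECOMMENDED_WATCHES"
        echo "EOF"
        echo "sysctl --system"
    fi
    echo "inotify watches currently in use (visible processes): $(count_inotify_watches)"
}

main
```

Run it on the LXD host, not inside the kubernetes-master container: the limit is a kernel parameter shared by every container on that host, and, as the comment above notes, the charm running in the container cannot write it. Seeing "LOW" on the host alongside "Failed to add control inotify watch descriptor" lines in the host syslog, as in the report above, is the combination this bug describes.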