sysctl: Add ApplySettings function

The new function writes sysctl settings provided as a slice. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
xyz-li · Nov 16, 2020 · a774963 · a774963
1 parent a78f75e
commit a774963
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 32 deletions.
diff --git a/pkg/datapath/loader/base.go b/pkg/datapath/loader/base.go
@@ -118,13 +118,7 @@ func writePreFilterHeader(preFilter *prefilter.PreFilter, dir string) error {
 	return fw.Flush()
 }
 
-type setting struct {
-	name      string
-	val       string
-	ignoreErr bool
-}
-
-func addENIRules(sysSettings []setting) ([]setting, error) {
+func addENIRules(sysSettings []sysctl.Setting) ([]sysctl.Setting, error) {
 	// AWS ENI mode requires symmetric routing, see
 	// iptables.addCiliumENIRules().
 	// The default AWS daemonset installs the following rules that are used
@@ -151,10 +145,10 @@ func addENIRules(sysSettings []setting) ([]setting, error) {
 		return nil, fmt.Errorf("failed to find interface with default route: %w", err)
 	}
 
-	retSettings := append(sysSettings, setting{
-		fmt.Sprintf("net.ipv4.conf.%s.rp_filter", iface.Attrs().Name),
-		"2",
-		false,
+	retSettings := append(sysSettings, sysctl.Setting{
+		Name:      fmt.Sprintf("net.ipv4.conf.%s.rp_filter", iface.Attrs().Name),
+		Val:       "2",
+		IgnoreErr: false,
 	})
 	if err := route.ReplaceRule(route.Rule{
 		Priority: linux_defaults.RulePriorityNodeport,
@@ -180,11 +174,11 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 
 	args = make([]string, initArgMax)
 
-	sysSettings := []setting{
-		{"net.core.bpf_jit_enable", "1", true},
-		{"net.ipv4.conf.all.rp_filter", "0", false},
-		{"kernel.unprivileged_bpf_disabled", "1", true},
-		{"kernel.timer_migration", "0", true},
+	sysSettings := []sysctl.Setting{
+		{Name: "net.core.bpf_jit_enable", Val: "1", IgnoreErr: true},
+		{Name: "net.ipv4.conf.all.rp_filter", Val: "0", IgnoreErr: false},
+		{Name: "kernel.unprivileged_bpf_disabled", Val: "1", IgnoreErr: true},
+		{Name: "kernel.timer_migration", Val: "0", IgnoreErr: true},
 	}
 
 	// Lock so that endpoints cannot be built while we are compile base programs.
@@ -241,7 +235,7 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 		// interface (https://github.com/docker/libnetwork/issues/1720)
 		// Enable IPv6 for now
 		sysSettings = append(sysSettings,
-			setting{"net.ipv6.conf.all.disable_ipv6", "0", false})
+			sysctl.Setting{Name: "net.ipv6.conf.all.disable_ipv6", Val: "0", IgnoreErr: false})
 	} else {
 		args[initArgIPv6NodeIP] = "<nil>"
 	}
@@ -362,21 +356,7 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 		}
 	}
 
-	for _, s := range sysSettings {
-		log.WithFields(logrus.Fields{
-			logfields.SysParamName:  s.name,
-			logfields.SysParamValue: s.val,
-		}).Info("Setting sysctl")
-		if err := sysctl.Write(s.name, s.val); err != nil {
-			if !s.ignoreErr {
-				return fmt.Errorf("Failed to sysctl -w %s=%s: %s", s.name, s.val, err)
-			}
-			log.WithError(err).WithFields(logrus.Fields{
-				logfields.SysParamName:  s.name,
-				logfields.SysParamValue: s.val,
-			}).Warning("Failed to sysctl -w")
-		}
-	}
+	sysctl.ApplySettings(sysSettings)
 
 	for i, arg := range args {
 		if arg == "" {

diff --git a/pkg/sysctl/sysctl.go b/pkg/sysctl/sysctl.go
@@ -21,12 +21,31 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/cilium/cilium/pkg/logging"
+	"github.com/cilium/cilium/pkg/logging/logfields"
+
+	"github.com/sirupsen/logrus"
 )
 
 const (
+	Subsystem = "sysctl"
+
 	prefixDir = "/proc/sys"
 )
 
+var (
+	log = logging.DefaultLogger.WithField(logfields.LogSubsys, Subsystem)
+)
+
+// Setting represents a sysctl setting. Its purpose it to be able to iterate
+// over a slice of settings.
+type Setting struct {
+	Name      string
+	Val       string
+	IgnoreErr bool
+}
+
 func fullPath(name string) string {
 	return filepath.Join(prefixDir, strings.Replace(name, ".", "/", -1))
 }
@@ -71,3 +90,23 @@ func Read(name string) (string, error) {
 
 	return strings.TrimRight(string(val), "\n"), nil
 }
+
+func ApplySettings(sysSettings []Setting) error {
+	for _, s := range sysSettings {
+		log.WithFields(logrus.Fields{
+			logfields.SysParamName:  s.Name,
+			logfields.SysParamValue: s.Val,
+		}).Info("Setting sysctl")
+		if err := Write(s.Name, s.Val); err != nil {
+			if !s.IgnoreErr {
+				return fmt.Errorf("Failed to sysctl -w %s=%s: %s", s.Name, s.Val, err)
+			}
+			log.WithError(err).WithFields(logrus.Fields{
+				logfields.SysParamName:  s.Name,
+				logfields.SysParamValue: s.Val,
+			}).Warning("Failed to sysctl -w")
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/sysctl/sysctl_linux_privileged_test.go b/pkg/sysctl/sysctl_linux_privileged_test.go
@@ -115,3 +115,69 @@ func (s *SysctlLinuxPrivilegedTestSuite) TestDisableEnable(c *C) {
 		}
 	}
 }
+
+func (s *SysctlLinuxPrivilegedTestSuite) TestApplySettings(c *C) {
+	testCases := []struct {
+		settings    []Setting
+		expectedErr bool
+	}{
+		{
+			settings: []Setting{
+				{
+					Name:      "net.ipv4.ip_forward",
+					Val:       "1",
+					IgnoreErr: false,
+				},
+				{
+					Name:      "net.ipv4.conf.all.forwarding",
+					Val:       "1",
+					IgnoreErr: false,
+				},
+				{
+					Name:      "net.ipv6.conf.all.forwarding",
+					Val:       "1",
+					IgnoreErr: false,
+				},
+			},
+			expectedErr: false,
+		},
+		{
+			settings: []Setting{
+				{
+					Name:      "net.ipv4.ip_forward",
+					Val:       "1",
+					IgnoreErr: false,
+				},
+				{
+					Name:      "foo.bar",
+					Val:       "1",
+					IgnoreErr: false,
+				},
+			},
+			expectedErr: true,
+		},
+		{
+			settings: []Setting{
+				{
+					Name:      "net.ipv4.ip_forward",
+					Val:       "1",
+					IgnoreErr: false,
+				},
+				{
+					Name:      "foo.bar",
+					Val:       "1",
+					IgnoreErr: true,
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		err := ApplySettings(tc.settings)
+		if tc.expectedErr {
+			c.Assert(err, NotNil)
+		} else {
+			c.Assert(err, IsNil)
+		}
+	}
+}