diff --git a/build_debian.sh b/build_debian.sh index 82626103e2..be953f51b0 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -374,59 +374,27 @@ EOF sudo sed -i 's/^ListenAddress ::/#ListenAddress ::/' $FILESYSTEM_ROOT/etc/ssh/sshd_config sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $FILESYSTEM_ROOT/etc/ssh/sshd_config -## Config sysctl sudo mkdir -p $FILESYSTEM_ROOT/var/core + +# Config sysctl sudo augtool --autosave " set /files/etc/sysctl.conf/kernel.core_pattern '|/usr/bin/coredump-compress %e %t %p' - set /files/etc/sysctl.conf/kernel.softlockup_panic 1 set /files/etc/sysctl.conf/kernel.panic 10 set /files/etc/sysctl.conf/vm.panic_on_oom 2 set /files/etc/sysctl.conf/fs.suid_dumpable 2 - -set /files/etc/sysctl.conf/net.ipv4.conf.default.forwarding 1 -set /files/etc/sysctl.conf/net.ipv4.conf.all.forwarding 1 -set /files/etc/sysctl.conf/net.ipv4.conf.eth0.forwarding 0 - -set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_accept 0 -set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_announce 0 -set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_filter 0 -set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_notify 0 -set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_ignore 0 -set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_accept 0 -set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_announce 1 -set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_filter 0 -set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_notify 1 -set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_ignore 2 - -set /files/etc/sysctl.conf/net.ipv4.neigh.default.base_reachable_time_ms 1800000 -set /files/etc/sysctl.conf/net.ipv6.neigh.default.base_reachable_time_ms 1800000 -set /files/etc/sysctl.conf/net.ipv4.neigh.default.gc_thresh1 1024 -set /files/etc/sysctl.conf/net.ipv6.neigh.default.gc_thresh1 1024 -set /files/etc/sysctl.conf/net.ipv4.neigh.default.gc_thresh2 2048 -set /files/etc/sysctl.conf/net.ipv6.neigh.default.gc_thresh2 2048 -set /files/etc/sysctl.conf/net.ipv4.neigh.default.gc_thresh3 4096 -set /files/etc/sysctl.conf/net.ipv6.neigh.default.gc_thresh3 4096 - -set /files/etc/sysctl.conf/net.ipv6.conf.default.forwarding 1 -set /files/etc/sysctl.conf/net.ipv6.conf.all.forwarding 1 -set /files/etc/sysctl.conf/net.ipv6.conf.eth0.forwarding 0 - -set /files/etc/sysctl.conf/net.ipv6.conf.default.accept_dad 0 -set /files/etc/sysctl.conf/net.ipv6.conf.all.accept_dad 0 -set /files/etc/sysctl.conf/net.ipv6.conf.eth0.accept_dad 0 - -set /files/etc/sysctl.conf/net.ipv6.conf.default.keep_addr_on_down 1 -set /files/etc/sysctl.conf/net.ipv6.conf.all.keep_addr_on_down 1 -set /files/etc/sysctl.conf/net.ipv6.conf.eth0.keep_addr_on_down 1 - -set /files/etc/sysctl.conf/net.ipv4.tcp_l3mdev_accept 1 -set /files/etc/sysctl.conf/net.ipv4.udp_l3mdev_accept 1 - -set /files/etc/sysctl.conf/net.core.rmem_max 2097152 -set /files/etc/sysctl.conf/net.core.wmem_max 2097152 " -r $FILESYSTEM_ROOT +sysctl_net_cmd_string="" +while read line; do + [[ "$line" =~ ^#.*$ ]] && continue + sysctl_net_conf_key=`echo $line | awk -F '=' '{print $1}'` + sysctl_net_conf_value=`echo $line | awk -F '=' '{print $2}'` + sysctl_net_cmd_string=$sysctl_net_cmd_string"set /files/etc/sysctl.conf/$sysctl_net_conf_key $sysctl_net_conf_value"$'\n' +done < files/image_config/sysctl/sysctl-net.conf + +sudo augtool --autosave "$sysctl_net_cmd_string" -r $FILESYSTEM_ROOT + if [[ $CONFIGURED_ARCH == amd64 ]]; then # Configure mcelog to log machine checks to syslog sudo sed -i 's/^#syslog = yes/syslog = yes/' $FILESYSTEM_ROOT/etc/mcelog/mcelog.conf diff --git a/dockers/docker-database/Dockerfile.j2 b/dockers/docker-database/Dockerfile.j2 index bea4f17f2a..d666d4a219 100644 --- a/dockers/docker-database/Dockerfile.j2 +++ b/dockers/docker-database/Dockerfile.j2 @@ -37,6 +37,7 @@ COPY ["docker-database-init.sh", "/usr/local/bin/"] COPY ["database_config.json.j2", "/usr/share/sonic/templates/"] COPY ["database_global.json.j2", "/usr/share/sonic/templates/"] COPY ["files/supervisor-proc-exit-listener", "/usr/bin"] +COPY ["files/sysctl-net.conf", "/etc/sysctl.d/"] COPY ["critical_processes", "/etc/supervisor"] ENTRYPOINT ["/usr/local/bin/docker-database-init.sh"] diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 0667c679b4..e8cc666779 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -91,7 +91,7 @@ function postStartAction() { {%- if docker_container_name == "database" %} if [ "$DEV" ]; then - docker exec -i database$DEV sysctl -w net.ipv6.conf.all.disable_ipv6=0 + docker exec -i database$DEV sysctl --system -e link_namespace $DEV fi diff --git a/files/image_config/sysctl/sysctl-net.conf b/files/image_config/sysctl/sysctl-net.conf new file mode 100644 index 0000000000..62fda3a8ca --- /dev/null +++ b/files/image_config/sysctl/sysctl-net.conf @@ -0,0 +1,39 @@ +# All the sysctl for ipv4/ipv6 network. +# Same will be used in host or docker namespace +# It should be provided as key=value format for parsing +net.ipv6.conf.all.disable_ipv6=0 +net.ipv4.conf.default.forwarding=1 +net.ipv4.conf.all.forwarding=1 +net.ipv4.conf.eth0.forwarding=0 +net.ipv4.conf.default.arp_accept=0 +net.ipv4.conf.default.arp_announce=0 +net.ipv4.conf.default.arp_filter=0 +net.ipv4.conf.default.arp_notify=0 +net.ipv4.conf.default.arp_ignore=0 +net.ipv4.conf.all.arp_accept=0 +net.ipv4.conf.all.arp_announce=1 +net.ipv4.conf.all.arp_filter=0 +net.ipv4.conf.all.arp_notify=1 +net.ipv4.conf.all.arp_ignore=2 +net.ipv4.neigh.default.base_reachable_time_ms=1800000 +net.ipv6.neigh.default.base_reachable_time_ms=1800000 +net.ipv4.neigh.default.gc_thresh1=1024 +net.ipv6.neigh.default.gc_thresh1=1024 +net.ipv4.neigh.default.gc_thresh2=2048 +net.ipv6.neigh.default.gc_thresh2=2048 +net.ipv4.neigh.default.gc_thresh3=4096 +net.ipv6.neigh.default.gc_thresh3=4096 +net.ipv6.conf.default.forwarding=1 +net.ipv6.conf.all.forwarding=1 +net.ipv6.conf.eth0.forwarding=0 +net.ipv6.conf.default.accept_dad=0 +net.ipv6.conf.all.accept_dad=0 +net.ipv6.conf.eth0.accept_dad=0 +net.ipv6.conf.default.keep_addr_on_down=1 +net.ipv6.conf.all.keep_addr_on_down=1 +net.ipv6.conf.eth0.keep_addr_on_down=1 +net.ipv4.tcp_l3mdev_accept=1 +net.ipv4.udp_l3mdev_accept=1 +net.core.rmem_max=2097152 +net.core.wmem_max=2097152 +net.core.somaxconn=512 diff --git a/rules/docker-database.mk b/rules/docker-database.mk index 7e372048af..4112204eea 100644 --- a/rules/docker-database.mk +++ b/rules/docker-database.mk @@ -28,4 +28,4 @@ $(DOCKER_DATABASE)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro $(DOCKER_DATABASE)_BASE_IMAGE_FILES += redis-cli:/usr/bin/redis-cli $(DOCKER_DATABASE)_BASE_IMAGE_FILES += monit_database:/etc/monit/conf.d -$(DOCKER_DATABASE)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT) +$(DOCKER_DATABASE)_FILES += $(SYSCTL_NET_CONFIG) $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT) diff --git a/rules/scripts.mk b/rules/scripts.mk index 8c6d0324fc..b3ed0cab95 100644 --- a/rules/scripts.mk +++ b/rules/scripts.mk @@ -14,10 +14,12 @@ $(QOS_CONFIG_TEMPLATE)_PATH = files/build_templates SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT = supervisor-proc-exit-listener $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)_PATH = files/scripts +SYSCTL_NET_CONFIG = sysctl-net.conf +$(SYSCTL_NET_CONFIG)_PATH = files/image_config/sysctl + SONIC_COPY_FILES += $(CONFIGDB_LOAD_SCRIPT) \ $(ARP_UPDATE_SCRIPT) \ $(BUFFERS_CONFIG_TEMPLATE) \ $(QOS_CONFIG_TEMPLATE) \ - $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT) - - + $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT) \ + $(SYSCTL_NET_CONFIG)