Kubelet sets kernel overcommit_memory flag

pkg/kubelet/container_manager_linux.go

@@ -38,6 +38,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/mount"
 	"k8s.io/kubernetes/pkg/util/oom"
 	"k8s.io/kubernetes/pkg/util/sets"
+	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 )
 
 const (
@@ -141,10 +142,37 @@ func createManager(containerName string) *fs.Manager {
 	}
 }
 
+const sysctlVmOvercommitMemory = "vm/overcommit_memory"
+
+// disableKernelMemoryOvercommitHandling tells the kernel to perform no memory over-commit handling.
+// Under this setting, the potential for memory overload is increased, but so is performance for
+// memory-intensive tasks
+// sets /proc/sys/vm/overcommit_memory to 1
+func disableKernelMemoryOvercommitHandling() error {
+	val, err := utilsysctl.GetSysctl(sysctlVmOvercommitMemory)
+	if err != nil {
+		return err
+	}
+	if val == 1 {
+		return nil
+	}
+	glog.V(2).Infof("Updating kernel memory overcommit flag from %v to %v", val, 1)
+	err = utilsysctl.SetSysctl(sysctlVmOvercommitMemory, 1)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (cm *containerManagerImpl) setupNode() error {
 	if err := validateSystemRequirements(cm.mountUtil); err != nil {
 		return err
 	}
+
+	if err := disableKernelMemoryOvercommitHandling(); err != nil {
+		return err
+	}
+
 	systemContainers := []*systemContainer{}
 	if cm.dockerDaemonContainerName != "" {
 		cont := newSystemContainer(cm.dockerDaemonContainerName)

pkg/proxy/iptables/proxier.go

@@ -25,9 +25,7 @@ import (
 	"crypto/sha256"
 	"encoding/base32"
 	"fmt"
-	"io/ioutil"
 	"net"
-	"path"
 	"reflect"
 	"strconv"
 	"strings"
@@ -43,6 +41,7 @@ import (
 	utilexec "k8s.io/kubernetes/pkg/util/exec"
 	utiliptables "k8s.io/kubernetes/pkg/util/iptables"
 	"k8s.io/kubernetes/pkg/util/slice"
+	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 )
 
 // iptablesMinVersion is the minimum version of iptables for which we will use the Proxier
@@ -90,7 +89,7 @@ func ShouldUseIptablesProxier() (bool, error) {
 	// Check for the required sysctls.  We don't care about the value, just
 	// that it exists.  If this Proxier is chosen, we'll iniialize it as we
 	// need.
-	_, err = getSysctl(sysctlRouteLocalnet)
+	_, err = utilsysctl.GetSysctl(sysctlRouteLocalnet)
 	if err != nil {
 		return false, err
 	}
@@ -98,26 +97,9 @@ func ShouldUseIptablesProxier() (bool, error) {
 	return true, nil
 }
 
-const sysctlBase = "/proc/sys"
 const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
 const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
 
-func getSysctl(sysctl string) (int, error) {
-	data, err := ioutil.ReadFile(path.Join(sysctlBase, sysctl))
-	if err != nil {
-		return -1, err
-	}
-	val, err := strconv.Atoi(strings.Trim(string(data), " \n"))
-	if err != nil {
-		return -1, err
-	}
-	return val, nil
-}
-
-func setSysctl(sysctl string, newVal int) error {
-	return ioutil.WriteFile(path.Join(sysctlBase, sysctl), []byte(strconv.Itoa(newVal)), 0640)
-}
-
 // internal struct for string service information
 type serviceInfo struct {
 	clusterIP           net.IP
@@ -180,7 +162,7 @@ var _ proxy.ProxyProvider = &Proxier{}
 // will not terminate if a particular iptables call fails.
 func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration, masqueradeAll bool) (*Proxier, error) {
 	// Set the route_localnet sysctl we need for
-	if err := setSysctl(sysctlRouteLocalnet, 1); err != nil {
+	if err := utilsysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil {
 		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
 	}
 
@@ -188,7 +170,7 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
 	// because we'll catch the error on the sysctl, which is what we actually
 	// care about.
 	exec.Command("modprobe", "br-netfilter").CombinedOutput()
-	if err := setSysctl(sysctlBridgeCallIptables, 1); err != nil {
+	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
 		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
 	}
 

pkg/util/sysctl/sysctl.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sysctl
+
+import (
+	"io/ioutil"
+	"path"
+	"strconv"
+	"strings"
+)
+
+const sysctlBase = "/proc/sys"
+
+// GetSysctl returns the value for the specified sysctl setting
+func GetSysctl(sysctl string) (int, error) {
+	data, err := ioutil.ReadFile(path.Join(sysctlBase, sysctl))
+	if err != nil {
+		return -1, err
+	}
+	val, err := strconv.Atoi(strings.Trim(string(data), " \n"))
+	if err != nil {
+		return -1, err
+	}
+	return val, nil
+}
+
+// SetSysctl modifies the specified sysctl flag to the new value
+func SetSysctl(sysctl string, newVal int) error {
+	return ioutil.WriteFile(path.Join(sysctlBase, sysctl), []byte(strconv.Itoa(newVal)), 0640)
+}