System containers deployed with Sysbox do not currently support the Linux IP Virtual Server (IPVS).
Even though I confirmed IPVS is namespaced in the Linux kernel via the network ns, it appears that within the system container, processes don't have the required permission to configure IPVS via the kernel's netlink interface:
root@manager:/# ipvsadm --help
Can't initialize ipvs: No space left on device
Are you sure that IP Virtual Server is built in the kernel or as module?
The strace of ipvsadm shows that an EPERM in the netlink IPVS message exchange causes this error.
In addition, the sysctls for IPVS are much reduced inside the system container (compared to the host):
root@manager:/# ls -l /proc/sys/net/ipv4/vs
total 0
-rw-r--r-- 1 root root 0 Oct 10 20:04 conn_reuse_mode
-rw-r--r-- 1 root root 0 Oct 10 19:23 conntrack
-rw-r--r-- 1 root root 0 Oct 10 19:22 expire_nodest_conn
-rw-r--r-- 1 root root 0 Oct 10 20:04 expire_quiescent_template
Host:
cesar@eoan:~$ ls -l /proc/sys/net/ipv4/vs
total 0
-rw-r--r-- 1 root root 0 Oct 10 13:04 am_droprate
-rw-r--r-- 1 root root 0 Oct 10 13:04 amemthresh
-rw-r--r-- 1 root root 0 Oct 10 13:04 backup_only
-rw-r--r-- 1 root root 0 Oct 10 13:04 cache_bypass
-rw-r--r-- 1 root root 0 Oct 10 13:04 conn_reuse_mode
-rw-r--r-- 1 root root 0 Oct 10 12:23 conntrack
-rw-r--r-- 1 root root 0 Oct 10 13:04 drop_entry
-rw-r--r-- 1 root root 0 Oct 10 13:04 drop_packet
-rw-r--r-- 1 root root 0 Oct 10 12:22 expire_nodest_conn
-rw-r--r-- 1 root root 0 Oct 10 13:04 expire_quiescent_template
-rw-r--r-- 1 root root 0 Oct 10 13:04 ignore_tunneled
-rw-r--r-- 1 root root 0 Oct 10 13:04 nat_icmp_send
-rw-r--r-- 1 root root 0 Oct 10 13:04 pmtu_disc
-rw-r--r-- 1 root root 0 Oct 10 13:04 schedule_icmp
-rw-r--r-- 1 root root 0 Oct 10 13:04 secure_tcp
-rw-r--r-- 1 root root 0 Oct 10 13:04 sloppy_sctp
-rw-r--r-- 1 root root 0 Oct 10 13:04 sloppy_tcp
-rw-r--r-- 1 root root 0 Oct 10 13:04 snat_reroute
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_persist_mode
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_ports
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_qlen_max
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_refresh_period
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_retries
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_sock_size
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_threshold
-rw-r--r-- 1 root root 0 Oct 10 13:04 sync_version
This needs further investigation, and it appears a fix would require a significant amount of work: the netlink interface uses sockets for communication, so we would need to intercept some of those accesses in Sysbox, but we want to do so without affecting the performance of other socket-related traffic.
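The probe below is an added example and is not part of Sysbox or ipvsadm. It reproduces the exchange ipvsadm performs at startup in a minimal form: it resolves the IPVS generic-netlink family through the nlctrl family and then issues a read-only IPVS_CMD_GET_INFO, reporting the raw errno from the reply. That makes it possible to tell a permission failure (EPERM, the case described above) apart from a missing module (ENOENT), which ipvsadm's "No space left on device" message hides. The numeric constants are taken from the kernel UAPI headers (genetlink.h, ip_vs.h); the helper names and the error_reply encoder are assumptions of this example, not kernel or ipvsadm API. It needs Linux and a privileged shell in the namespace being probed.

```python
"""Probe the IPVS generic-netlink family from the current network namespace.

Added example for this issue (not Sysbox or ipvsadm code). It only sends
read-only requests: CTRL_CMD_GETFAMILY and IPVS_CMD_GET_INFO.
"""
import errno
import os
import socket
import struct

# Values from include/uapi/linux/{netlink,genetlink,ip_vs}.h
NETLINK_GENERIC = 16
GENL_ID_CTRL = 0x10
CTRL_CMD_GETFAMILY = 3
CTRL_ATTR_FAMILY_ID = 1
CTRL_ATTR_FAMILY_NAME = 2
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_ERROR = 0x02
IPVS_CMD_GET_INFO = 15
IPVS_GENL_VERSION = 0x1


def nla(attr_type, payload):
    """Encode one netlink attribute: nlattr header + payload, padded to 4 bytes."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, attr_type) + payload + b"\0" * (-length % 4)


def genl_message(family_id, cmd, version, attrs, seq):
    """Build nlmsghdr + genlmsghdr + attributes for one request (ACK requested)."""
    body = struct.pack("=BBH", cmd, version, 0) + attrs
    hdr = struct.pack("=IHHII", 16 + len(body), family_id,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + body


def error_reply(err, seq):
    """Encode an NLMSG_ERROR message the way the kernel sends it: a negative
    errno (0 means plain ACK) followed by the echoed request header.
    Helper of this example, used to document the format and test offline."""
    payload = struct.pack("=i", -err) + struct.pack("=IHHII", 16, 0, 0, seq, 0)
    return struct.pack("=IHHII", 16 + len(payload), NLMSG_ERROR, 0, seq, 0) + payload


def parse_attrs(data):
    """Decode a flat run of netlink attributes into {type: raw payload}."""
    attrs = {}
    off = 0
    while off + 4 <= len(data):
        length, attr_type = struct.unpack_from("=HH", data, off)
        if length < 4:
            break
        attrs[attr_type] = data[off + 4:off + length]
        off += (length + 3) & ~3
    return attrs


def classify_reply(data):
    """Return (errno, attrs) for the first message in a netlink reply.
    errno is 0 on success/ACK and a positive errno for NLMSG_ERROR replies."""
    msg_len, msg_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", data, 0)
    if msg_type == NLMSG_ERROR:
        return -struct.unpack_from("=i", data, 16)[0], {}
    # generic netlink payload: 4-byte genlmsghdr, then attributes
    return 0, parse_attrs(data[20:msg_len])


def explain(err):
    """Human-readable verdict for the errno returned by probe_ipvs()."""
    if err == 0:
        return "ok: IPVS reachable via netlink in this namespace"
    if err == errno.EPERM:
        return "EPERM: kernel refused the IPVS netlink request (permission check), module is present"
    if err == errno.ENOENT:
        return "ENOENT: IPVS genl family not registered (ip_vs module not loaded)"
    return "%s: %s" % (errno.errorcode.get(err, err), os.strerror(err))


def probe_ipvs():
    """Resolve the IPVS family and send GET_INFO; return the resulting errno."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_GENERIC)
    try:
        sock.bind((0, 0))
        # Step 1: ask nlctrl for the dynamic family id of "IPVS"
        req = genl_message(GENL_ID_CTRL, CTRL_CMD_GETFAMILY, 1,
                           nla(CTRL_ATTR_FAMILY_NAME, b"IPVS\0"), seq=1)
        sock.sendto(req, (0, 0))
        err, attrs = classify_reply(sock.recv(65536))
        if err:
            return err
        family_id = struct.unpack("=H", attrs[CTRL_ATTR_FAMILY_ID][:2])[0]
        # Step 2: read-only GET_INFO against the IPVS family
        req = genl_message(family_id, IPVS_CMD_GET_INFO, IPVS_GENL_VERSION, b"", seq=2)
        sock.sendto(req, (0, 0))
        err, _ = classify_reply(sock.recv(65536))
        return err
    except OSError as e:  # EPERM can also surface directly from sendto/recv
        return e.errno
    finally:
        sock.close()


if __name__ == "__main__":
    print(explain(probe_ipvs()))
```

Run it once on the host and once inside the system container; the host should print "ok" while the container is expected to print the EPERM line, which confirms the failure is a permission check on the netlink operation rather than a missing kernel module.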