Changing the CRI-O without Machine Config for Db2 Warehouse
Some installations of OpenShift® might not use the Machine Config operator. If your environment does not use the operator, you can still change the CRI-O configuration for Db2® Warehouse.
About this task
CRI-O allows Kubernetes to use any Open Container Initiative (OCI)-compliant runtime to run pods.
The containers in a pod share namespaces and live in the same control group (cgroup). The CRI-O pids_limit setting caps the number of processes that a container can create, and Db2 Warehouse needs that cap to be at least 16384.
Procedure
- Set the CRI-O maximum PID count (pids_limit) to 16k (16384) or higher.
  - Log in to the cluster by using the OpenShift CLI, which can be downloaded from https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/.
  - From the console, click your user, and then click Copy Login Command. A new tab opens, and you might need to log in again.
  - Click Display Token and copy the token.
  - Log in from the command line with the copied token:
oc login --token=xxxxxxx --server=https://api.example.com:5402
  - Run oc get no to list the nodes in your cluster.
NAME       STATUS   ROLES           AGE   VERSION
10.0.0.1   Ready    master, worker  1d    v1.16.2
10.0.0.2   Ready    master, worker  1d    v1.16.2
10.0.0.3   Ready    master, worker  1d    v1.16.2
  - On each of the nodes, open a debug shell with the oc debug command:
oc debug node/node_name
    Run the following command to check the value of pids_limit on the node. In the debug shell the node's file system is mounted at /host, which is why the command runs under chroot /host:
chroot /host grep -i "pids_limit[ ]*=" /etc/crio/crio.conf
    The output of the command shows you the current value, for example:
pids_limit = 231205
    Note that grep also matches a commented-out line, so check for a leading #. If the line is not commented out and the value is 16384 or higher, move on to the next node.
    If the line is commented out (it starts with #), or the value is lower than 16384, edit the file:
    - Open the node's /etc/crio/crio.conf with a text editor, for example Vim. Because the node's file system is mounted at /host in the debug shell, edit the file through that path (or run chroot /host first and then edit /etc/crio/crio.conf):
vi /host/etc/crio/crio.conf
    - Find the line pids_limit = xxx (it might start with #), remove the leading # if there is one, and change the line to pids_limit = 16384. Save the file and exit the editor.
- When all of the nodes are done, restart each node one at a time so that CRI-O starts with the new limit. After each restart, confirm that the node is back in the Ready state (oc get no shows the STATUS column). The following command lists the worker nodes that you need to check:
oc get no -l node-role.kubernetes.io/worker -o name
- Enable the SELinux boolean container_manage_cgroup on the worker nodes.
  Important: If your platform is OCP 4.6, then you must follow Step 2 in Changing the CRI-O with Machine Config for Db2 Warehouse instead.
  - Using oc debug
    - Run the following command to set container_manage_cgroup to true on each of the worker nodes. For clusters with 10 or more nodes, use the daemon set method instead.
oc get no -l node-role.kubernetes.io/worker --no-headers -o name | xargs -I {} -- oc debug {} -- bash -c 'chroot /host setsebool -P container_manage_cgroup true'
  - Using a daemon set
    - Create a service account with the name set-container-manage-cgroup by running the following command:
oc create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: set-container-manage-cgroup
  namespace: kube-system
EOF
    - Give the service account the privileged security context constraint (SCC) by running the following command:
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:set-container-manage-cgroup
    - Create the daemon set, whose init container sets the SELinux boolean container_manage_cgroup to true, by running the following command:
oc create -f - <<EOF
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: set-container-manage-cgroup
  namespace: kube-system
  labels:
    tier: management
    app: set-container-manage-cgroup
spec:
  selector:
    matchLabels:
      name: set-container-manage-cgroup
  template:
    metadata:
      labels:
        name: set-container-manage-cgroup
    spec:
      serviceAccountName: set-container-manage-cgroup
      initContainers:
      - command:
        - sh
        - -c
        - echo 1 > /sys1/fs/selinux/booleans/container_manage_cgroup; echo 1 > /sys1/fs/selinux/commit_pending_bools;
        image: alpine:3.6
        imagePullPolicy: IfNotPresent
        name: sysctl
        resources: {}
        securityContext:
          privileged: true
        volumeMounts:
        - name: modifysys
          mountPath: /sys1
      containers:
      - resources:
          requests:
            cpu: 0.01
        image: alpine:3.6
        name: sleepforever
        command: ["/bin/sh", "-c"]
        args:
        - >
          while true; do sleep 100000; done
      volumes:
      - name: modifysys
        hostPath:
          path: /sys
EOF
Note: Setting the boolean through /sys/fs/selinux, as the daemon set's init container does, is not persistent: container_manage_cgroup returns to its default value after a node restart. The service account also keeps the privileged SCC for as long as the grant exists; when the daemon set is no longer needed, delete it and revoke the grant with oc adm policy remove-scc-from-user privileged system:serviceaccount:kube-system:set-container-manage-cgroup.
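The manual per-node checks above (grep for pids_limit on each node, then inspect the SELinux boolean) are easy to get wrong on a cluster of more than a few nodes. The following script is an added example written for this page; it is not code from IBM or from the OpenShift project. It assumes that oc is already logged in, that worker nodes carry the label node-role.kubernetes.io/worker, and that the nodes have sed and getsebool (RHCOS does). The function names (crio_pids_limit, crio_set_pids_limit, node_sh, audit_worker_nodes and so on) are this example's own. The crio_* functions work on a local copy of crio.conf, so the parsing and the three possible states of the file (value set, value commented out, line absent) can be exercised offline; the node_* functions go through oc debug exactly as the manual steps do.

```shell
#!/usr/bin/env bash
# Added example for this page, not IBM's or the OpenShift project's code.
# It scripts the two manual checks above for every worker node: the CRI-O
# pids_limit in /etc/crio/crio.conf and the SELinux boolean container_manage_cgroup.
# Assumptions: "oc" is already logged in, worker nodes carry the label
# node-role.kubernetes.io/worker, and the nodes have sed and getsebool (RHCOS does).
# The crio_* functions operate on a local copy of crio.conf and run offline.
set -u

MIN_PIDS=16384   # the page's minimum: "16k or higher"

# sed program that uncomments "# pids_limit = N" (or rewrites "pids_limit = N")
# and sets the value to $1. Used on a local copy and, via oc debug, on a node.
pids_sed_expr() {
  printf 's/^[[:space:]]*#?[[:space:]]*pids_limit[[:space:]]*=.*/pids_limit = %s/' "$1"
}

# Print the effective pids_limit from a crio.conf file, or nothing when the
# setting is absent, commented out or not numeric. As on the page, only an
# uncommented line counts; a trailing "# comment" on the line is ignored.
crio_pids_limit() {
  awk -F= '
    /^[ \t]*pids_limit[ \t]*=/ { sub(/#.*/, "", $2); gsub(/[ \t]/, "", $2); v = $2 }
    END { if (v ~ /^[0-9]+$/) print v }
  ' "$1"
}

# Exit 0 when the file already satisfies MIN_PIDS, 1 when it must be edited.
crio_pids_limit_ok() {
  local v
  v=$(crio_pids_limit "$1")
  [ -n "$v" ] && [ "$v" -ge "$MIN_PIDS" ]
}

# Rewrite a local crio.conf so that pids_limit is uncommented and set to $2.
# Covers the three states a node can be in: line set, line commented out,
# line absent (then it is added under [crio.runtime], the table it belongs to).
crio_set_pids_limit() {
  local file=$1 limit=$2 tmp
  tmp=$(mktemp)
  if grep -qE '^[[:space:]]*#?[[:space:]]*pids_limit[[:space:]]*=' "$file"; then
    sed -E "$(pids_sed_expr "$limit")" "$file" > "$tmp"
  elif grep -qE '^\[crio\.runtime\]' "$file"; then
    awk -v l="$limit" '{ print } /^\[crio\.runtime\]/ { print "pids_limit = " l }' "$file" > "$tmp"
  else
    { cat "$file"; printf '\n[crio.runtime]\npids_limit = %s\n' "$limit"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# Run a command on a node's host file system through a debug pod, which is what
# the manual steps do with "oc debug node/<name>" followed by "chroot /host".
node_sh() {
  oc debug "$1" -- chroot /host sh -c "$2" 2>/dev/null
}

# Current value (on/off) of an SELinux boolean on a node.
node_selinux_bool() {
  node_sh "$1" "getsebool $2" | awk '{ print $NF }'
}

# One line per worker node: NODE  PIDS_LIMIT  OK|FIX  container_manage_cgroup
audit_worker_nodes() {
  local node tmp limit state
  tmp=$(mktemp)
  for node in $(oc get no -l node-role.kubernetes.io/worker --no-headers -o name); do
    node_sh "$node" 'cat /etc/crio/crio.conf' > "$tmp"
    limit=$(crio_pids_limit "$tmp")
    if crio_pids_limit_ok "$tmp"; then state=OK; else state=FIX; fi
    printf '%s\t%s\t%s\t%s\n' "$node" "${limit:-unset}" "$state" \
      "$(node_selinux_bool "$node" container_manage_cgroup)"
  done
  rm -f "$tmp"
}

# Apply the page's edit on one node (uncomment and set pids_limit). Like the
# manual step, it assumes a pids_limit line already exists on the node; restart
# the node afterwards, as the page says, so that CRI-O picks the new limit up.
node_set_pids_limit() {
  node_sh "$1" "sed -i -E '$(pids_sed_expr "$MIN_PIDS")' /etc/crio/crio.conf"
}

case "${1:-}" in
  audit) audit_worker_nodes ;;
  fix)   node_set_pids_limit "${2:?usage: $0 fix node/<name>}" ;;
esac
```

Run it as `./crio-audit.sh audit` to get one line per worker node with the current pids_limit, whether it meets the minimum, and the state of container_manage_cgroup; `./crio-audit.sh fix node/<name>` applies the same uncomment-and-set edit that the manual step does on one node. Reading the file through a debug pod and parsing it locally keeps the privileged part of the work (the chroot into the host) to a single cat or sed per node, and the offline functions let you verify the parsing against copies of crio.conf before touching any node.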