Containers-roadmap: [Fargate] [request]: Fargate sysctls support

Created on 2 Sep 2019 · 9 comments · Source: aws/containers-roadmap

Tell us about your request
Add systemControls support for Fargate.

Which service(s) is this request for?
ECS, Fargate

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I think sysctls can be useful in general. They cannot be applied from within the container itself due to lack of permissions, and Fargate doesn't allow privileged mode or adding Linux capabilities.

I'd like to tune the net.ipv4.tcp_keepalive_time sysctl for my Fargate containers. The reason is a bit unusual, but here goes:

  • I want to set the TCP keepalive time to 290 seconds. The Linux default is 7200 seconds.
  • I'm behind a Cisco Meraki appliance that has a fixed 300-second NAT timeout for TCP connections (confirmed with Cisco support).
  • The Fargate task runs HAProxy, which can only disable/enable TCP keepalives; it cannot tune the parameters. (Making a feature request shortly.)
  • I'd like to have the server do the frequent TCP keepalives, instead of pushing that requirement onto every client.

Are you currently working around this issue?
Two ways: Filing a request with HAProxy; and adding client-initiated frequent TCP keepalives where possible, which sadly doesn't cover all my cases.

Labels: Fargate, Proposed

All 9 comments

Can we disable TCP keepalives in fargate tasks?

> Can we disable TCP keepalives in fargate tasks?

Probably not. Note that TCP sockets don't have keep-alive enabled by default. The application will have to make an explicit call to setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, ... to enable it (followed by additional setsockopt calls to modify the TCP keep-alive parameters).

I'm curious what the use case is for explicitly disabling TCP keep-alives - what is the scenario?
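Added example, not code from the issue thread, HAProxy or AWS: the per-socket equivalent of the sysctl requested in the issue body, written in C because the reply above describes the socket API. Per-socket options need no privileged mode or extra capabilities, so they work inside a Fargate task for processes you control; they are no substitute for systemControls when the process does not expose these options, as the issue body says of HAProxy. The 290-second idle time comes from the issue body; the 30-second probe interval and 3-probe count are assumed values chosen for illustration.

```c
/*
 * Added example (not from the issue thread or AWS): tune TCP keepalive per
 * socket with setsockopt() instead of the net.ipv4.tcp_keepalive_* sysctls.
 * Per-socket options need no CAP_SYS_ADMIN / privileged mode, so they work in
 * a Fargate task. The 290 s idle time is the value from the issue body; the
 * interval and probe count are assumed values chosen for illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <unistd.h>

#ifndef TCP_KEEPIDLE
#  ifdef TCP_KEEPALIVE          /* macOS spells the idle-time option differently */
#    define TCP_KEEPIDLE TCP_KEEPALIVE
#  endif
#endif

/* Enable keepalive on fd and set idle time (s), probe interval (s) and
 * probe count. Returns 0 on success, -1 with errno set on failure. */
int set_tcp_keepalive(int fd, int idle_s, int intvl_s, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_s, sizeof idle_s) < 0)
        return -1;
#ifdef TCP_KEEPINTVL
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl_s, sizeof intvl_s) < 0)
        return -1;
#endif
#ifdef TCP_KEEPCNT
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof cnt) < 0)
        return -1;
#endif
    return 0;
}

/* Read back the effective idle time for fd, or -1 on error. */
int get_tcp_keepidle(int fd)
{
    int idle = 0;
    socklen_t len = sizeof idle;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) < 0)
        return -1;
    return idle;
}

/* Read the system-wide default (what the sysctl would change); -1 if not readable. */
int read_sysctl_keepalive_time(void)
{
    FILE *f = fopen("/proc/sys/net/ipv4/tcp_keepalive_time", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Create a TCP socket, apply the 290/30/3 keepalive policy, and return the
 * idle time the kernel reports back (290 on success, -1 on failure). */
int demo_keepalive(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = set_tcp_keepalive(fd, 290, 30, 3);
    int idle = (rc == 0) ? get_tcp_keepidle(fd) : -1;
    close(fd);
    return idle;
}

int main(void)
{
    int sys = read_sysctl_keepalive_time();
    int per_socket = demo_keepalive();
    if (per_socket < 0) {
        fprintf(stderr, "keepalive setup failed: %s\n", strerror(errno));
        return 1;
    }
    printf("system default tcp_keepalive_time: %d s\n", sys);
    printf("per-socket TCP_KEEPIDLE:           %d s\n", per_socket);
    return 0;
}
```

Compile with `cc -o keepalive keepalive.c`. On a Linux host the first line prints the sysctl default (7200 unless tuned) and the second prints 290, showing that the per-socket value overrides the system default without touching any sysctl.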

I would also love to see Fargate support sysctl settings, albeit for a different use case.

+1 ❤️

Yes, this is a huge blocker for me as I need to set net.somaxcons to a higher number and a few other sysctl settings; ECS allows you to do this but not Fargate...

++ 👍

Another vote from me. Maxing out the connections at 128 means I likely have to abandon Fargate and go back to ECS, which does let us adjust sysctl settings.

We would like to set kernel.perf_event_paranoid to be able to collect CPU traces using perf.

Our use case is related to https://github.com/SonarSource/docker-sonarqube/issues/282 and the ability to set vm.max_map_count (the issue provides a workaround).
