
Improvements on charm hardening docs #1852

@nishant-dash

Description


Working on [0],

  1. The guide seems to be geared towards making config changes to args files. The guide, being for the charm, should reflect using charm configs. Additionally, it should mention that this needs to be done during deployment/bootstrap time.

  2. When you apply protect kernel defaults to kubelet, it can refuse to start if some of the kernel defaults are not what it expects. For example, to make it work for me on a fresh installation of Ubuntu Noble, I had to deploy the sysconfig charm and set sysctl with:

juju deploy sysconfig --base ubuntu@24.04 --channel latest/stable
juju config sysconfig sysctl="{kernel.panic: 10, kernel.panic_on_oops: 1, vm.overcommit_memory: 1}"
juju integrate sysconfig k8s

However, this is not really a good way to manage sysctl configs because the sysconfig charm is not maintained [1]. It says:

This charm is in maintenance mode. Critical bugs will be fixed, but new features will generally not be accepted. Please consider setting system-level configurations via a charm library: sysctl and grub.

Examples of other charms that provide sysctl directly through their own charm are the nova-compute charm and the ceph-osd charm.

[0] https://documentation.ubuntu.com/canonical-kubernetes/latest/charm/howto/hardening/
[1] https://charmhub.io/sysconfig
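The failure mode in point 2 (kubelet refusing to start because the running kernel values differ from what protect kernel defaults expects) is easier to catch before enabling the option than to debug afterwards. The following is an added example, not code from the issue author or from the Canonical Kubernetes project: a POSIX shell check that compares the three sysctl keys listed in the issue's sysconfig command against the values that command sets. The expected values come from the issue; reading live values from /proc/sys is a standard Linux mechanism but is an assumption about the host the check runs on, and the check function is also written to accept key=value lines on stdin so it can be tested with constructed input.

```shell
#!/bin/sh
# Added example (not from the issue): verify the sysctl values that the issue's
# sysconfig command sets, so a mismatch is found before kubelet is started with
# protect kernel defaults enabled.

# Expected key=value pairs, taken from the issue's `juju config sysconfig sysctl=...` line.
EXPECTED="kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1"

# current_sysctl_values: emit key=value for each expected key, read from /proc/sys.
# Assumes a Linux host; keys that are not readable are simply omitted, which the
# check below reports as MISSING.
current_sysctl_values() {
    for pair in $EXPECTED; do
        key=${pair%%=*}
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            printf '%s=%s\n' "$key" "$(cat "$path")"
        fi
    done
}

# check_sysctl_values: read key=value lines from stdin and compare them with EXPECTED.
# Prints one line per MISSING or MISMATCH key; returns 0 only when every key matches.
check_sysctl_values() {
    actual=$(cat)
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Exact key match on the first field; the first matching line wins.
        have=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
            rc=1
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s=%s (want %s)\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Usage on a node (run before enabling protect kernel defaults on kubelet):
#   current_sysctl_values | check_sysctl_values || echo "fix sysctl first"
```

Running the check from a Juju context before the kubelet config change gives an unambiguous list of which kernel defaults still need to be set, whichever mechanism (the sysconfig charm, or a charm that manages sysctl itself as the issue suggests) ends up applying them.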
