openshift-docs/modules/nodes-safe-sysctls-list.adoc

// Module included in the following assemblies:
//
// * nodes/containers/nodes-containers-sysctls.adoc

:_mod-docs-content-type: REFERENCE
[id="safe_and_unsafe_sysctls_{context}"]
= Safe and unsafe sysctls

Sysctls are grouped into _safe_ and _unsafe_ sysctls.

For system-wide sysctls to be considered safe, they must be namespaced. A namespaced sysctl ensures there is isolation between namespaces and therefore pods. If you set a sysctl for one pod it must not add any of the following:

- Influence any other pod on the node
- Harm the node health
- Gain CPU or memory resources outside of the resource limits of a pod

[NOTE]
====
Being namespaced alone is not sufficient for the sysctl to be considered safe.
====
Any sysctl that is not added to the allowed list on {product-title} is considered unsafe for {product-title}.

Unsafe sysctls are not allowed by default. For system-wide sysctls the cluster administrator must manually enable them on a per-node basis. Pods with disabled unsafe sysctls are scheduled but do not launch.

[NOTE]
====
You cannot manually enable interface-specific unsafe sysctls.
====

{product-title} adds the following system-wide and interface-specific safe sysctls to an allowed safe list:

.System-wide safe sysctls
[cols="30%,70%",options="header"]
|===
| sysctl | Description

| `kernel.shm_rmid_forced`
a|When set to `1`, all shared memory objects in current IPC namespace are automatically forced to use IPC_RMID. For more information, see link:https://docs.kernel.org/admin-guide/sysctl/kernel.html?highlight=shm_rmid_forced#shm-rmid-forced[shm_rmid_forced].

| `net.ipv4.ip_local_port_range`
a| Defines the local port range that is used by TCP and UDP to choose the local port. The first number is the first port number, and the second number is the last local port number. If possible, it is better if these numbers have different parity (one even and one odd value). They must be greater than or equal to `ip_unprivileged_port_start`. The default values are `32768` and `60999` respectively. For more information, see link:https://docs.kernel.org/networking/ip-sysctl.html?highlight=ip_local_port_range#ip-variables[ip_local_port_range].

| `net.ipv4.tcp_syncookies`
|When `net.ipv4.tcp_syncookies` is set, the kernel handles TCP SYN packets normally until the
half-open connection queue is full, at which time, the SYN cookie functionality kicks in. This functionality allows the system to keep accepting valid connections, even if under a denial-of-service attack. For more information, see link:https://docs.kernel.org/networking/ip-sysctl.html?highlight=tcp_syncookies#tcp-variables[tcp_syncookies].

| `net.ipv4.ping_group_range`
a| This restricts `ICMP_PROTO` datagram sockets to users in the group range. The default is `1 0`, meaning that nobody, not even root, can create ping sockets. For more information, see link:https://docs.kernel.org/networking/ip-sysctl.html?highlight=ping_group_range#ip-variables[ping_group_range].

| `net.ipv4.ip_unprivileged_port_start`
| This defines the first unprivileged port in the network namespace. To disable all privileged ports, set this to `0`. Privileged ports must not overlap with the `ip_local_port_range`. For more information, see link:https://docs.kernel.org/networking/ip-sysctl.html?highlight=ip_unprivileged_port_start#ip-variables#ip-variables[ip_unprivileged_port_start].
|===


.Interface-specific safe sysctls
[cols="30%,70%",options="header"]
|===
| sysctl | Description

| `net.ipv4.conf.IFNAME.accept_redirects`
a| Accept IPv4 ICMP redirect messages.

| `net.ipv4.conf.IFNAME.accept_source_route`
|Accept IPv4 packets with strict source route (SRR) option.

| `net.ipv4.conf.IFNAME.arp_accept`
a| Define behavior for gratuitous ARP frames with an IPv4 address that is not already present in the ARP table:

* `0` - Do not create new entries in the ARP table.

* `1` - Create new entries in the ARP table.

| `net.ipv4.conf.IFNAME.arp_notify`
| Define mode for notification of IPv4 address and device changes.

| `net.ipv4.conf.IFNAME.disable_policy`
a| Disable IPSEC policy (SPD) for this IPv4 interface.

| `net.ipv4.conf.IFNAME.secure_redirects`
a| Accept ICMP redirect messages only to gateways listed in the interface’s current gateway list.

| `net.ipv4.conf.IFNAME.send_redirects`
| Send redirects is enabled only if the node acts as a router. That is, a host should not send an ICMP redirect message. It is used by routers to notify the host about a better routing path that is available for a particular destination.

| `net.ipv6.conf.IFNAME.accept_ra`
a| Accept IPv6 Router advertisements; autoconfigure using them. It also determines whether or not to transmit router solicitations. Router solicitations are transmitted only if the functional setting is to accept router advertisements.

| `net.ipv6.conf.IFNAME.accept_redirects`
a| Accept IPv6 ICMP redirect messages.

| `net.ipv6.conf.IFNAME.accept_source_route`
a| Accept IPv6 packets with SRR option.

| `net.ipv6.conf.IFNAME.arp_accept`
a| Define behavior for gratuitous ARP frames with an IPv6 address that is not already present in the ARP table:

* `0` - Do not create new entries in the ARP table.

* `1` - Create new entries in the ARP table.

| `net.ipv6.conf.IFNAME.arp_notify`
|  Define mode for notification of IPv6 address and device changes.

| `net.ipv6.neigh.IFNAME.base_reachable_time_ms`
| This parameter controls the hardware address to IP mapping lifetime in the neighbour table for IPv6.

| `net.ipv6.neigh.IFNAME.retrans_time_ms`
| Set the retransmit timer for neighbor discovery messages.

|===

[NOTE]
====
When setting these values using the `tuning` CNI plugin, use the value `IFNAME` literally. The interface name is represented by the `IFNAME` token, and is replaced with the actual name of the interface at runtime.
====