mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-06 06:46:26 +01:00
openshift-docs/modules/nodes-containers-sysctls-setting.adoc
2020-08-07 01:40:52 +00:00


// Module included in the following assemblies:
//
// * nodes/containers/nodes-containers-sysctls.adoc
[id="nodes-containers-sysctls-setting_{context}"]
= Setting sysctls for a pod

You can set sysctls on pods using the pod's `securityContext`. The `securityContext`
applies to all containers in the same pod.

Safe sysctls are allowed by default. A pod with unsafe sysctls fails
to launch on any node unless the cluster administrator explicitly enables unsafe sysctls for
that node. As with node-level sysctls, use the taints and toleration feature
or labels on nodes to schedule those pods onto the right nodes.

The following example uses the pod `securityContext` to set a safe sysctl
`kernel.shm_rmid_forced` and two unsafe sysctls, `net.ipv4.route.min_pmtu` and
`kernel.msgmax`. There is no distinction between _safe_ and _unsafe_ sysctls in
the specification.

[WARNING]
====
To avoid destabilizing your operating system, modify sysctl parameters only
after you understand their effects.
====

.Procedure

To use safe and unsafe sysctls:

. Modify the YAML file that defines the pod and add the `securityContext` spec, as
shown in the following example:
+
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
    - name: net.ipv4.route.min_pmtu
      value: "552"
    - name: kernel.msgmax
      value: "65536"
...
----
. Create the pod:
+
[source,terminal]
----
$ oc apply -f <file-name>.yaml
----
+
If the unsafe sysctls are not allowed for the node, the pod is scheduled,
but does not deploy:
+
[source,terminal]
----
$ oc get pod
----
+
.Example output
[source,terminal]
----
NAME        READY   STATUS            RESTARTS   AGE
hello-pod   0/1     SysctlForbidden   0          14s
----
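
Because the pod specification does not mark which sysctls are unsafe, a check before `oc apply` can show which entries need the node to have unsafe sysctls enabled. The following is an added example, not part of the OpenShift documentation: the function name and the `SAFE_SYSCTLS` default are assumptions, and the safe set depends on your cluster version.

```python
# Added example (not OpenShift code): lint a pod's sysctls before applying it.
# ASSUMPTION: SAFE_SYSCTLS is an illustrative default; the real safe set
# depends on the cluster version, so pass your own set for your cluster.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
})


def classify_sysctls(pod, safe=SAFE_SYSCTLS):
    """Return (safe_names, unsafe_names, problems) for a pod manifest dict."""
    ctx = (pod.get("spec") or {}).get("securityContext") or {}
    safe_names, unsafe_names, problems, seen = [], [], [], set()
    for entry in ctx.get("sysctls") or []:
        name, value = entry.get("name"), entry.get("value")
        if not name:
            problems.append("sysctl entry without a name")
            continue
        if name in seen:
            problems.append(f"{name}: listed more than once")
            continue
        seen.add(name)
        # The API field is a string; an unquoted YAML number arrives as int.
        if not isinstance(value, str):
            problems.append(f"{name}: value must be a quoted string")
        (safe_names if name in safe else unsafe_names).append(name)
    return safe_names, unsafe_names, problems


# Constructed sample: the pod from the procedure above, as a parsed manifest.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sysctl-example"},
    "spec": {"securityContext": {"sysctls": [
        {"name": "kernel.shm_rmid_forced", "value": "0"},
        {"name": "net.ipv4.route.min_pmtu", "value": "552"},
        {"name": "kernel.msgmax", "value": "65536"},
    ]}},
}

if __name__ == "__main__":
    ok, unsafe, problems = classify_sysctls(SAMPLE_POD)
    print("safe:", ok)
    print("unsafe (node must explicitly allow these):", unsafe)
    print("problems:", problems)
```

Any name reported as unsafe results in `SysctlForbidden` unless the cluster administrator has enabled it on the node where the pod is scheduled.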