@mattmattox

Summary

When reapply_sysctl=1 (default), TuneD re-applies all system sysctl settings from /run/sysctl.d/, /etc/sysctl.d/, and /etc/sysctl.conf after profile switches. This breaks Kubernetes overlay networking because CNI plugins set net.ipv4.ip_forward=1 at runtime, which gets overwritten by static /etc/sysctl.d/ files.

This PR adds a reapply_sysctl_exclude configuration option to protect specific sysctls from reapplication while maintaining backward compatibility.

Changes

  • tuned/consts.py: Add CFG_REAPPLY_SYSCTL_EXCLUDE constant and default (empty list)
  • tuned/plugins/plugin_sysctl.py: Add _is_sysctl_excluded() method using fnmatch for wildcard pattern matching, integrate into _apply_sysctl_config_line()
  • tuned-main.conf: Add commented configuration option with documentation
  • man/tuned-main.conf.5: Add man page entry with examples

Features

  • Comma or semicolon-separated list of sysctl patterns
  • Shell-style wildcard support (*, ?, [seq]) via Python's fnmatch
  • Empty default preserves backward compatibility
  • Debug logging when sysctls are skipped

Example Configuration

# For Kubernetes nodes:
reapply_sysctl_exclude = net.ipv4.ip_forward, net.ipv6.conf.*.forwarding, net.bridge.bridge-nf-call-iptables

Test Plan

  • Verify pattern matching works with wildcards (e.g., net.ipv6.conf.*.forwarding)
  • Verify exact matches work (e.g., net.ipv4.ip_forward)
  • Verify sysctls NOT in the exclude list are still applied
  • Verify empty config (default) maintains current behavior
  • Verify debug logging when sysctls are skipped

Related Issue

Fixes #816

When reapply_sysctl=1 (default), TuneD re-applies all system sysctl
settings after profile switches. This breaks Kubernetes overlay
networking because CNI plugins set net.ipv4.ip_forward=1 at runtime,
which gets overwritten by static /etc/sysctl.d/ files.

Add reapply_sysctl_exclude config option to protect specific sysctls
from reapplication while maintaining backward compatibility. Supports
shell-style wildcards via fnmatch.

Example config for Kubernetes:
  reapply_sysctl_exclude = net.ipv4.ip_forward, net.ipv6.conf.*.forwarding

Fixes: redhat-performance#816
Signed-off-by: Matthew Mattox <mmattox@support.tools>
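
The exclude matching described in this PR, sketched as an added example; it is not TuneD's code or the code in this PR, and the function names and sample lines are hypothetical. It assumes keys are written in dotted form, and it shows that because fnmatch's `*` also spans dots, a broad pattern exempts hardening sysctls from reapplication along with the forwarding keys.

```python
import fnmatch
import re

# Constructed sample of sysctl.d-style lines (not from a real host).
SAMPLE_LINES = [
    "# hardening defaults",
    "net.ipv4.ip_forward = 0",
    "net.ipv6.conf.all.forwarding = 0",
    "net.ipv6.conf.eth0.forwarding = 0",
    "net.ipv4.conf.all.rp_filter = 1",
    "kernel.kptr_restrict = 2",
]

def parse_exclude(value):
    """Split a comma- or semicolon-separated option value into patterns."""
    return [p.strip() for p in re.split(r"[,;]", value) if p.strip()]

def is_excluded(key, patterns):
    """True if key matches any shell-style pattern; '*' also spans dots."""
    # fnmatchcase keeps matching case-sensitive on every platform.
    return any(fnmatch.fnmatchcase(key, p) for p in patterns)

def split_lines(lines, patterns):
    """Return (applied, skipped) sysctl keys for the given exclude patterns."""
    applied, skipped = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue  # comment, blank or malformed line
        key = line.split("=", 1)[0].strip()
        (skipped if is_excluded(key, patterns) else applied).append(key)
    return applied, skipped

if __name__ == "__main__":
    # Narrow list taken from the PR's example; broad list is a constructed contrast.
    narrow = parse_exclude("net.ipv4.ip_forward, net.ipv6.conf.*.forwarding")
    broad = parse_exclude("net.ipv4.*; net.ipv6.*")
    for name, pats in (("narrow", narrow), ("broad", broad)):
        applied, skipped = split_lines(SAMPLE_LINES, pats)
        print(name, "applied:", applied, "skipped:", skipped)
```

With the narrow list, `net.ipv4.conf.all.rp_filter` is still reapplied; with `net.ipv4.*` it is skipped, so exclude lists are best kept to the exact keys the CNI plugin manages.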

Successfully merging this pull request may close these issues.

TuneD breaks Kubernetes overlay networking when reapply_sysctl is enabled
