
Commit 7df8273

authored
Update build.func (#1602)
1 parent dc0b432 commit 7df8273


1 file changed

+47
-0
lines changed


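--- a/misc/build.func
+++ b/misc/build.func
@@ -146,6 +146,52 @@ pve_check() {
 fi
 }
 
+# When a node is running tens of containers, it's possible to exceed the kernel's cryptographic key storage allocations.
+# These are tuneable, so verify if the currently deployment is approaching the limits, advise the user on how to tune the limits, and exit the script.
+# https://cleveruptime.com/docs/files/proc-key-users | https://docs.kernel.org/security/keys/core.html
+maxkeys_check() {
+# Read kernel parameters
+per_user_maxkeys=$(cat /proc/sys/kernel/keys/maxkeys 2>/dev/null || echo 0)
+per_user_maxbytes=$(cat /proc/sys/kernel/keys/maxbytes 2>/dev/null || echo 0)
+
+# Exit if kernel parameters are unavailable
+if [[ "$per_user_maxkeys" -eq 0 || "$per_user_maxbytes" -eq 0 ]]; then
+echo -e "${CROSS}${RD} Error: Unable to read kernel parameters. Ensure proper permissions.${CL}"
+exit 1
+fi
+
+# Fetch key usage for user ID 100000 (typical for containers)
+used_lxc_keys=$(awk '/100000:/ {print $2}' /proc/key-users 2>/dev/null || echo 0)
+used_lxc_bytes=$(awk '/100000:/ {split($5, a, "/"); print a[1]}' /proc/key-users 2>/dev/null || echo 0)
+
+# Calculate thresholds and suggested new limits
+threshold_keys=$((per_user_maxkeys - 100))
+threshold_bytes=$((per_user_maxbytes - 1000))
+new_limit_keys=$((per_user_maxkeys * 2))
+new_limit_bytes=$((per_user_maxbytes * 2))
+
+# Check if key or byte usage is near limits
+failure=0
+if [[ "$used_lxc_keys" -gt "$threshold_keys" ]]; then
+echo -e "${CROSS}${RD} Warning: Key usage is near the limit (${used_lxc_keys}/${per_user_maxkeys}).${CL}"
+echo -e "${INFO} Suggested action: Set ${GN}kernel.keys.maxkeys=${new_limit_keys}${CL} in ${BOLD}/etc/sysctl.d/98-community-scripts.conf${CL}."
+failure=1
+fi
+if [[ "$used_lxc_bytes" -gt "$threshold_bytes" ]]; then
+echo -e "${CROSS}${RD} Warning: Key byte usage is near the limit (${used_lxc_bytes}/${per_user_maxbytes}).${CL}"
+echo -e "${INFO} Suggested action: Set ${GN}kernel.keys.maxbytes=${new_limit_bytes}${CL} in ${BOLD}/etc/sysctl.d/98-community-scripts.conf${CL}."
+failure=1
+fi
+
+# Provide next steps if issues are detected
+if [[ "$failure" -eq 1 ]]; then
+echo -e "${INFO} To apply changes, run: ${BOLD}service procps force-reload${CL}"
+exit 1
+fi
+
+echo -e "${CM}${GN} All kernel key limits are within safe thresholds.${CL}"
+}
+
 # This function checks the system architecture and exits if it's not "amd64".
 arch_check() {
 if [ "$(dpkg --print-architecture)" != "amd64" ]; then
@@ -687,6 +733,7 @@ install_script() {
 root_check
 arch_check
 ssh_check
+maxkeys_check
 
 if systemctl is-active -q ping-instances.service; then
 systemctl -q stop ping-instances.service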
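Review bot: In `maxkeys_check`, the two awk reads of `/proc/key-users` use the unanchored pattern `/100000:/`, which also matches any other UID ending in those digits (for example `1100000:`), so on a node with more than one id-mapped range the variables can hold several lines. `[[ "$used_lxc_keys" -gt "$threshold_keys" ]]` then fails with an arithmetic error and evaluates false, so the check passes silently when the data is unexpected. Matching the first field exactly and stopping at the first hit avoids that: `awk '$1 == "100000:" {print $2; exit}' /proc/key-users`, with the same selector for the bytes read. Separately, the kernel document linked in the comment describes field 2 as the structure refcount and the quota-counted key count as the left half of field 4, so it is worth confirming that `$2` is the value meant to be compared against `maxkeys`.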
