Ensure inotify settings meet the minimum requirements (#1897)

* Ensure inotify settings meet the minimum requirements

---------

Co-authored-by: Alex Parker <[email protected]>

Author: sgalsaleh

pkg/configutils/runtime.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/helpers"
@@ -19,17 +20,45 @@ import (
 // purposes.
 var sysctlConfigPath = "/etc/sysctl.d/99-embedded-cluster.conf"
 
-var modulesLoadConfigPath = "/etc/modules-load.d/99-embedded-cluster.conf"
+// dynamicSysctlConfigPath is the path to the dynamic sysctl config file that is used to configure
+// the embedded cluster.
+const dynamicSysctlConfigPath = "/etc/sysctl.d/99-dynamic-embedded-cluster.conf"
+
+// modulesLoadConfigPath is the path to the kernel modules config file that is used to configure
+// the embedded cluster.
+const modulesLoadConfigPath = "/etc/modules-load.d/99-embedded-cluster.conf"
 
 //go:embed static/sysctl.d/99-embedded-cluster.conf
 var embeddedClusterSysctlConf []byte
 
 //go:embed static/modules-load.d/99-embedded-cluster.conf
 var embeddedClusterModulesConf []byte
 
-// ConfigureSysctl writes the sysctl config file for the embedded cluster and reloads the sysctl
-// configuration. This function has a distinct behavior: if the sysctl binary does not exist it
-// returns an error but if it fails to lay down the sysctl config on disk it simply returns nil.
+// dynamicSysctlConstraints are the constraints that are used to generate the dynamic sysctl
+// config file.
+var dynamicSysctlConstraints = []sysctlConstraint{
+	// Increase inotify limits only if they are currently lower,
+	// ensuring proper operation of applications that monitor filesystem events.
+	{key: "fs.inotify.max_user_instances", value: 1024, operator: sysctlOperatorMin},
+	{key: "fs.inotify.max_user_watches", value: 65536, operator: sysctlOperatorMin},
+}
+
+type sysctlOperator string
+
+const (
+	sysctlOperatorMin sysctlOperator = "min"
+	sysctlOperatorMax sysctlOperator = "max"
+)
+
+type sysctlConstraint struct {
+	key      string
+	value    int64
+	operator sysctlOperator
+}
+
+type sysctlValueGetter func(key string) (int64, error)
+
+// ConfigureSysctl writes the sysctl config files for the embedded cluster and reloads the sysctl configuration.
 // NOTE: do not run this after the cluster has already been installed as it may revert sysctl
 // settings set by k0s and its extensions.
 func ConfigureSysctl() error {
@@ -41,6 +70,10 @@ func ConfigureSysctl() error {
 		return fmt.Errorf("materialize sysctl config: %w", err)
 	}
 
+	if err := dynamicSysctlConfig(); err != nil {
+		return fmt.Errorf("materialize dynamic sysctl config: %w", err)
+	}
+
 	if _, err := helpers.RunCommand("sysctl", "--system"); err != nil {
 		return fmt.Errorf("configure sysctl: %w", err)
 	}
@@ -58,6 +91,63 @@ func sysctlConfig() error {
 	return nil
 }
 
+// dynamicSysctlConfig generates a dynamic sysctl config file based on current system values
+// and our constraints.
+func dynamicSysctlConfig() error {
+	return generateDynamicSysctlConfig(getCurrentSysctlValue, dynamicSysctlConfigPath)
+}
+
+// generateDynamicSysctlConfig is the testable version of dynamicSysctlConfig that accepts
+// a custom sysctl value getter and config path.
+func generateDynamicSysctlConfig(getter sysctlValueGetter, configPath string) error {
+	if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil {
+		return fmt.Errorf("create directory: %w", err)
+	}
+
+	var config strings.Builder
+	config.WriteString("# Dynamic sysctl configuration for embedded-cluster\n")
+	config.WriteString("# This file is generated based on system values\n\n")
+
+	for _, constraint := range dynamicSysctlConstraints {
+		currentValue, err := getter(constraint.key)
+		if err != nil {
+			return fmt.Errorf("check current value for %s: %w", constraint.key, err)
+		}
+
+		needsUpdate := false
+		switch constraint.operator {
+		case sysctlOperatorMin:
+			needsUpdate = currentValue < constraint.value
+		case sysctlOperatorMax:
+			needsUpdate = currentValue > constraint.value
+		}
+
+		if needsUpdate {
+			config.WriteString(fmt.Sprintf("%s = %d\n", constraint.key, constraint.value))
+		}
+	}
+
+	if err := os.WriteFile(configPath, []byte(config.String()), 0644); err != nil {
+		return fmt.Errorf("write dynamic config file: %w", err)
+	}
+	return nil
+}
+
+// getCurrentSysctlValue reads the current value of a sysctl parameter
+func getCurrentSysctlValue(key string) (int64, error) {
+	out, err := helpers.RunCommand("sysctl", "-n", key)
+	if err != nil {
+		return 0, fmt.Errorf("get sysctl value: %w", err)
+	}
+
+	value, err := strconv.ParseInt(strings.TrimSpace(string(out)), 10, 64)
+	if err != nil {
+		return 0, fmt.Errorf("parse sysctl value: %w", err)
+	}
+
+	return value, nil
+}
+
 // ConfigureKernelModules writes the kernel modules config file and ensures the kernel modules are
 // loaded that are listed in the file.
 func ConfigureKernelModules() error {

pkg/configutils/runtime_test.go

@@ -9,9 +9,10 @@ import (
 	"github.com/replicatedhq/embedded-cluster/pkg/helpers"
 	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-func TestConfigureSysctl(t *testing.T) {
+func TestSysctlConfig(t *testing.T) {
 	basedir, err := os.MkdirTemp("", "embedded-cluster-test-base-dir")
 	assert.NoError(t, err)
 	defer os.RemoveAll(basedir)
@@ -29,7 +30,7 @@ func TestConfigureSysctl(t *testing.T) {
 	defer os.RemoveAll(dstdir)
 
 	sysctlConfigPath = filepath.Join(dstdir, "sysctl.conf")
-	err = ConfigureSysctl()
+	err = sysctlConfig()
 	assert.NoError(t, err)
 
 	// check that the file exists.
@@ -42,6 +43,97 @@ func TestConfigureSysctl(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestDynamicSysctlConfig(t *testing.T) {
+	// Create a temporary config file.
+	configPath := filepath.Join(t.TempDir(), "99-dynamic-embedded-cluster.conf")
+
+	tests := []struct {
+		name            string
+		mockValues      map[string]int64
+		expectedLines   []string
+		unexpectedLines []string
+	}{
+		{
+			name: "inotify max_user values below minimum thresholds are updated",
+			mockValues: map[string]int64{
+				"fs.inotify.max_user_instances": 128,  // Below min
+				"fs.inotify.max_user_watches":   8192, // Below min
+			},
+			expectedLines: []string{
+				"fs.inotify.max_user_instances = 1024",
+				"fs.inotify.max_user_watches = 65536",
+			},
+		},
+		{
+			name: "only below minimum values of inotify max_user are updated",
+			mockValues: map[string]int64{
+				"fs.inotify.max_user_instances": 128,     // Below min
+				"fs.inotify.max_user_watches":   1048576, // Above min
+			},
+			expectedLines: []string{
+				"fs.inotify.max_user_instances = 1024",
+			},
+			unexpectedLines: []string{
+				"fs.inotify.max_user_watches",
+			},
+		},
+		{
+			name: "inotify max_user values above minimum thresholds are not updated",
+			mockValues: map[string]int64{
+				"fs.inotify.max_user_instances": 2048,    // Above min
+				"fs.inotify.max_user_watches":   1048576, // Above min
+			},
+			expectedLines: []string{}, // No updates needed
+			unexpectedLines: []string{
+				"fs.inotify.max_user_instances",
+				"fs.inotify.max_user_watches",
+			},
+		},
+		{
+			name: "inotify max_user values equal to minimum thresholds are not updated",
+			mockValues: map[string]int64{
+				"fs.inotify.max_user_instances": 1024,  // Equal to min
+				"fs.inotify.max_user_watches":   65536, // Equal to min
+			},
+			expectedLines: []string{}, // No updates needed
+			unexpectedLines: []string{
+				"fs.inotify.max_user_instances",
+				"fs.inotify.max_user_watches",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create mock getter
+			mockGetter := func(key string) (int64, error) {
+				value, exists := tt.mockValues[key]
+				if !exists {
+					t.Fatalf("unexpected key requested: %s", key)
+				}
+				return value, nil
+			}
+
+			err := generateDynamicSysctlConfig(mockGetter, configPath)
+			require.NoError(t, err)
+
+			// Read generated file
+			content, err := os.ReadFile(configPath)
+			require.NoError(t, err)
+
+			// Check for expected lines
+			for _, expectedLine := range tt.expectedLines {
+				assert.Contains(t, string(content), expectedLine)
+			}
+
+			// Check for unexpected lines
+			for _, unexpectedLine := range tt.unexpectedLines {
+				assert.NotContains(t, string(content), unexpectedLine)
+			}
+		})
+	}
+}
+
 func Test_ensureKernelModulesLoaded(t *testing.T) {
 	// Create and set mock helper
 	mock := &helpers.MockHelpers{

pkg/preflights/host-preflight.yaml

@@ -1013,6 +1013,22 @@ spec:
           - pass:
               when: 'net.bridge.bridge-nf-call-iptables == 1'
               message: "Bridge netfilter call iptables is enabled."
+    - sysctl:
+        checkName: "Maximum number of inotify instances per user"
+        outcomes:
+          - fail:
+              when: "fs.inotify.max_user_instances < 1024"
+              message: "The system limit for inotify instances per user must be at least 1024. To increase it, edit /etc/sysctl.conf, add or edit the line 'fs.inotify.max_user_instances=1024', and run 'sudo sysctl -p'."
+          - pass:
+              message: "The system allows at least 1024 inotify instances per user."
+    - sysctl:
+        checkName: "Maximum number of inotify watches per user"
+        outcomes:
+          - fail:
+              when: "fs.inotify.max_user_watches < 65536"
+              message: "The system limit for inotify watches per user must be at least 65536. To increase it, edit /etc/sysctl.conf, add or edit the line 'fs.inotify.max_user_watches=65536', and run 'sudo sysctl -p'."
+          - pass:
+              message: "The system allows at least 65536 inotify watches per user."
     - kernelModules:
         checkName: "Overlay kernel module"
         outcomes: