Sui validator on Kubernetes -

# Sui validator on Kubernetes - increase UDP buffer size I did the following on my statefulset: ``` securityContext: sysctls: - name: net.core.wmem_max value: "104857600" ``` And got: ``` forbidden sysctl: "net.core.wmem_max" not allowlisted ``` Then I tried this: https://docs.digitalocean.com/support/can-i-disable-unsafe-sysctl-on-digitalocean-kubernetes/ And got: https://stackoverflow.com/questions/44014941/docker-impossible-setup-sysctl-parameter-in-container-rhel-6-6 Since wmem / rmem_max is not namespaced, you can't set it in a container - you have to set it up at system level. But DigitalOcean does not allow modification of the nodes. Support to the rescue. ## DaemonSet DO Support suggested the following DaemonSet, which worked: ``` apiVersion: apps/v1 kind: DaemonSet metadata: name: sui-sysctl namespace: kube-system labels: app: sui-sysctl spec: selector: matchLabels: name: sui-sysctl template: metadata: labels: name: sui-sysctl annotations: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" spec: hostPID: true hostIPC: true hostNetwork: true tolerations: - operator: Exists initContainers: - command: - /bin/sh - -c - | sysctl -w net.core.rmem_max=104857600 sysctl -w net.core.wmem_max=104857600 image: busybox imagePullPolicy: Always name: sui-init-sysctl resources: {} securityContext: privileged: true containers: - name: sui-sysctl securityContext: privileged: true image: digitalocean/doks-debug:latest command: [ "sleep", "infinity" ] resources: requests: memory: "0" cpu: "0" limits: memory: "500Mi" cpu: "500m" volumeMounts: - name: host mountPath: /host - name: docker mountPath: /var/run/docker.sock volumes: - name: host hostPath: path: / - name: docker hostPath: path: /var/run/docker.sock type: Socket updateStrategy: rollingUpdate: maxSurge: 0 maxUnavailable: 100% type: RollingUpdate ``` The secret ingredient appeared to be: ``` hostPID: true hostIPC: true hostNetwork: true ``` You may have to add a nodeSelector to make sure it only appies to the sui node of choice, and change the namespace as well to prevent duplicates.