Merge remote-tracking branch 'origin/main' into k0s-1-29

Author: sgalsaleh

Makefile

@@ -15,7 +15,7 @@ K0S_GO_VERSION = v1.29.13+k0s.0
 PREVIOUS_K0S_VERSION ?= v1.28.14+k0s.0-ec.0
 PREVIOUS_K0S_GO_VERSION ?= v1.28.14+k0s.0
 K0S_BINARY_SOURCE_OVERRIDE =
-TROUBLESHOOT_VERSION = v0.116.4
+TROUBLESHOOT_VERSION = v0.117.0
 
 KOTS_VERSION = v$(shell awk '/^version/{print $$2}' pkg/addons/adminconsole/static/metadata.yaml | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
 # When updating KOTS_BINARY_URL_OVERRIDE, also update the KOTS_VERSION above or

cmd/installer/cli/install.go

@@ -232,6 +232,12 @@ func preRunInstall(cmd *cobra.Command, flags *InstallCmdFlags) error {
 		return fmt.Errorf("unable to write runtime config to disk: %w", err)
 	}
 
+	if err := os.Chmod(runtimeconfig.EmbeddedClusterHomeDirectory(), 0755); err != nil {
+		// don't fail as there are cases where we can't change the permissions (bind mounts, selinux, etc...),
+		// and we handle and surface those errors to the user later (host preflights, checking exec errors, etc...)
+		logrus.Debugf("unable to chmod embedded-cluster home dir: %s", err)
+	}
+
 	return nil
 }
 
@@ -626,9 +632,16 @@ func installAndStartCluster(ctx context.Context, networkInterface string, airgap
 	if err := k0s.Install(networkInterface); err != nil {
 		return nil, fmt.Errorf("install cluster: %w", err)
 	}
+
 	loading.Infof("Waiting for %s node to be ready", runtimeconfig.BinaryName())
+
 	logrus.Debugf("waiting for k0s to be ready")
 	if err := waitForK0s(); err != nil {
+		return nil, fmt.Errorf("wait for k0s: %w", err)
+	}
+
+	logrus.Debugf("waiting for node to be ready")
+	if err := waitForNode(ctx); err != nil {
 		return nil, fmt.Errorf("wait for node: %w", err)
 	}
 
@@ -947,6 +960,21 @@ func waitForK0s() error {
 	}
 }
 
+func waitForNode(ctx context.Context) error {
+	kcli, err := kubeutils.KubeClient()
+	if err != nil {
+		return fmt.Errorf("create kube client: %w", err)
+	}
+	hostname, err := os.Hostname()
+	if err != nil {
+		return fmt.Errorf("get hostname: %w", err)
+	}
+	if err := kubeutils.WaitForControllerNode(ctx, kcli, hostname); err != nil {
+		return fmt.Errorf("wait for node: %w", err)
+	}
+	return nil
+}
+
 func recordInstallation(ctx context.Context, kcli client.Client, flags InstallCmdFlags, k0sCfg *k0sv1beta1.ClusterConfig, disasterRecoveryEnabled bool) (*ecv1beta1.Installation, error) {
 	// ensure that the embedded-cluster namespace exists
 	if err := createECNamespace(ctx, kcli); err != nil {

cmd/installer/cli/join.go

@@ -206,7 +206,7 @@ func runJoin(ctx context.Context, name string, flags JoinCmdFlags, jcmd *kotsadm
 		return fmt.Errorf("unable to get hostname: %w", err)
 	}
 
-	if err := waitForNode(ctx, kcli, hostname); err != nil {
+	if err := waitForNodeToJoin(ctx, kcli, hostname); err != nil {
 		return fmt.Errorf("unable to wait for node: %w", err)
 	}
 
@@ -247,6 +247,12 @@ func runJoinVerifyAndPrompt(name string, flags JoinCmdFlags, jcmd *kotsadm.JoinC
 		return fmt.Errorf("unable to write runtime config: %w", err)
 	}
 
+	if err := os.Chmod(runtimeconfig.EmbeddedClusterHomeDirectory(), 0755); err != nil {
+		// don't fail as there are cases where we can't change the permissions (bind mounts, selinux, etc...),
+		// and we handle and surface those errors to the user later (host preflights, checking exec errors, etc...)
+		logrus.Debugf("unable to chmod embedded-cluster home dir: %s", err)
+	}
+
 	// check to make sure the version returned by the join token is the same as the one we are running
 	if strings.TrimPrefix(jcmd.EmbeddedClusterVersion, "v") != strings.TrimPrefix(versions.Version, "v") {
 		return fmt.Errorf("embedded cluster version mismatch - this binary is version %q, but the cluster is running version %q", versions.Version, jcmd.EmbeddedClusterVersion)
@@ -465,7 +471,7 @@ func runK0sInstallCommand(networkInterface string, fullcmd string) error {
 	return nil
 }
 
-func waitForNode(ctx context.Context, kcli client.Client, hostname string) error {
+func waitForNodeToJoin(ctx context.Context, kcli client.Client, hostname string) error {
 	loading := spinner.Start()
 	defer loading.Close()
 	loading.Infof("Waiting for node to join the cluster")

e2e/preflights_test.go

@@ -20,7 +20,17 @@ func TestPreflights(t *testing.T) {
 	})
 	defer tc.Cleanup()
 
-	_, stderr, err := tc.RunCommandOnNode(0, []string{"apt-get update && apt-get install -y apt-utils netcat-traditional"})
+	// set up incorrect permissions on data dir and parent dir
+	_, stderr, err := tc.RunCommandOnNode(0, []string{
+		"mkdir -p /var/lib/embedded-cluster && " +
+			"chmod 744 /var/lib/embedded-cluster && " + // remove execute from data dir
+			"chmod 744 /var/lib", // remove execute from parent dir
+	})
+	if err != nil {
+		t.Fatalf("failed to adjust dir permissions: err=%v, stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = tc.RunCommandOnNode(0, []string{"apt-get update && apt-get install -y apt-utils netcat-traditional"})
 	if err != nil {
 		t.Fatalf("failed to install deps: err=%v, stderr=%s", err, stderr)
 	}
@@ -95,6 +105,7 @@ func TestPreflights(t *testing.T) {
 					"Kubelet Port Availability":               true,
 					"Calico Communication Port Availability":  true,
 					"Local Artifact Mirror Port Availability": true,
+					"Data Directory Permissions":              true,
 					// as long as fio ran successfully, we're good
 					"Filesystem Write Latency": true,
 				}
@@ -142,6 +153,33 @@ func TestPreflights(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "Should contain data directory permissions failures",
+			assert: func(t *testing.T, results *types.Output) {
+				for _, res := range results.Fail {
+					if res.Title == "Data Directory Permissions" {
+						// should not contain data dir as we automatically fix it
+						if strings.Contains(res.Message, "/var/lib/embedded-cluster") {
+							t.Errorf("failure message should not contain /var/lib/embedded-cluster directory: %s", res.Message)
+						}
+						// should contain parent dir as we don't automatically fix it
+						if !strings.Contains(res.Message, "/var/lib.") {
+							t.Errorf("failure message should contain /var/lib directory: %s", res.Message)
+						}
+						t.Logf("directory permissions check failed as expected: %s", res.Message)
+						return
+					}
+				}
+				// If we get here, check if it incorrectly passed
+				for _, res := range results.Pass {
+					if res.Title == "Data Directory Permissions" {
+						t.Errorf("directory permissions check passed unexpectedly: %s", res.Message)
+						return
+					}
+				}
+				t.Errorf("directory permissions check not found in results")
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

go.mod

@@ -32,7 +32,7 @@ require (
 	github.com/replicatedhq/embedded-cluster/kinds v0.0.0
 	github.com/replicatedhq/embedded-cluster/utils v0.0.0
 	github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0
-	github.com/replicatedhq/troubleshoot v0.116.4
+	github.com/replicatedhq/troubleshoot v0.117.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.19.0
@@ -134,6 +134,7 @@ require (
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/ebitengine/purego v0.8.2 // indirect
 	github.com/envoyproxy/go-control-plane v0.13.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
@@ -231,8 +232,7 @@ require (
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
-	github.com/shirou/gopsutil/v3 v3.24.5 // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect

go.sum

@@ -867,6 +867,8 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 h1:iFaUwBSo5Svw6L
 github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
+github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -1439,8 +1441,8 @@ github.com/redis/go-redis/v9 v9.5.2/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0 h1:Gi+Fs6583v7GmgQKJyaZuBzcih0z5YXBREDQ8AWY2JM=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0/go.mod h1:QjhIUu3+OmHZ09u09j3FCoTt8F3BYtQglS+OLmftu9I=
-github.com/replicatedhq/troubleshoot v0.116.4 h1:SDa+bWiXArt4Ypkw3+qjMxl+QUWKZsR0t19A13Mx3G0=
-github.com/replicatedhq/troubleshoot v0.116.4/go.mod h1:OQwNwp78Xkfa/VwzNnDyiTFAAsZK1u3wApYncskHVl0=
+github.com/replicatedhq/troubleshoot v0.117.0 h1:FCw8VodGF/tetL7ZvdOhnjFDOvSDqMq/kce9/dsfHfc=
+github.com/replicatedhq/troubleshoot v0.117.0/go.mod h1:Xt6P84cvEyfyp9J/7EblCqINXHeTc+1zqfJY/KqjOss=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -1468,12 +1470,8 @@ github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
-github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
-github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
-github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
-github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
-github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
-github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/shirou/gopsutil/v4 v4.25.1 h1:QSWkTc+fu9LTAWfkZwZ6j8MSUk4A2LV7rbH0ZqmLjXs=
+github.com/shirou/gopsutil/v4 v4.25.1/go.mod h1:RoUCUpndaJFtT+2zsZzzmhvbfGoDCJ7nFXKJf8GqJbI=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=

pkg/addons/openebs/static/metadata.yaml

@@ -11,15 +11,15 @@ images:
     kubectl:
         repo: proxy.replicated.com/anonymous/replicated/ec-kubectl
         tag:
-            amd64: 1.32.1-r3-amd64@sha256:6e53f43c9fae84996dd175b6a92eab9b908cc6ea9e947f3d672efb0e679126cd
-            arm64: 1.32.1-r3-arm64@sha256:b64561c028e446c1dace22d3c3f073c2b0f9e5cf519eeafc8f62344b4f86de31
+            amd64: 1.32.2-r0-amd64@sha256:5baf1c2b9b976c5685bb94d6e56eccff85dcd4f2dcdf0384ec99f3401393f577
+            arm64: 1.32.2-r0-arm64@sha256:5b666becd4e6e948a0c610c5ff9fccbe2b77be650cdfe36a91ce84218cab7e17
     openebs-linux-utils:
         repo: proxy.replicated.com/anonymous/replicated/ec-openebs-linux-utils
         tag:
-            amd64: 4.2.0-amd64@sha256:25472f140e897a60f8e3d31b4050c54156dfc129dacad966f3f89c86a4fa67bc
-            arm64: 4.2.0-arm64@sha256:55e882fc99f63d5ad81c38b8cdae79d31f4c54c7704b7321cc3ec51d3701c8e3
+            amd64: 4.2.0-amd64@sha256:0baa855632680d21112c919afc1f382afd8667278be779729e9be78c7fb002ec
+            arm64: 4.2.0-arm64@sha256:a0e8a2533750e7c2e0117fb888582f6a14316161c671e35dfb01bc96a56d92d6
     openebs-provisioner-localpv:
         repo: proxy.replicated.com/anonymous/replicated/ec-openebs-provisioner-localpv
         tag:
-            amd64: 4.2.0-r1-amd64@sha256:ccfd5ef25bd1d17502d78de9681b96919cccc5a57016b0c786baa69253a6a166
-            arm64: 4.2.0-r1-arm64@sha256:c39ba145522b82eab9107144ee5a032685ea59718c170690ac26b9c93b158d48
+            amd64: 4.2.0-r1-amd64@sha256:24e47faf23e8b6e71c2cb54a2ec9f9eed0912930c0397257b384c5b79c38593b
+            arm64: 4.2.0-r1-arm64@sha256:9023c783a18adb7e2d74097cd274355e15e686aab71127b087bf1bdc0ac0c68b

pkg/addons/velero/static/metadata.yaml

@@ -5,14 +5,14 @@
 # $ make buildtools
 # $ output/bin/buildtools update addon <addon name>
 #
-version: 8.3.0
+version: 8.4.0
 location: oci://proxy.replicated.com/anonymous/registry.replicated.com/ec-charts/velero
 images:
     kubectl:
         repo: proxy.replicated.com/anonymous/replicated/ec-kubectl
         tag:
-            amd64: 1.32.1-r3-amd64@sha256:6e53f43c9fae84996dd175b6a92eab9b908cc6ea9e947f3d672efb0e679126cd
-            arm64: 1.32.1-r3-arm64@sha256:b64561c028e446c1dace22d3c3f073c2b0f9e5cf519eeafc8f62344b4f86de31
+            amd64: 1.32.2-r0-amd64@sha256:5baf1c2b9b976c5685bb94d6e56eccff85dcd4f2dcdf0384ec99f3401393f577
+            arm64: 1.32.2-r0-arm64@sha256:5b666becd4e6e948a0c610c5ff9fccbe2b77be650cdfe36a91ce84218cab7e17
     velero:
         repo: proxy.replicated.com/anonymous/replicated/ec-velero
         tag:

pkg/config/static/metadata.yaml

@@ -19,8 +19,8 @@ images:
     calico-node:
         repo: proxy.replicated.com/anonymous/replicated/ec-calico-node
         tag:
-            amd64: 3.28.2-r1-amd64@sha256:f6092d79661704765175b4857bdcfdd44c8d1c9b4ec754cc47ad15b402f2f65e
-            arm64: 3.28.2-r1-arm64@sha256:3d184d439432d453536617b0a39ada4f32a721f2c5931bf7c40ec961634711c7
+            amd64: 3.28.2-r1-amd64@sha256:40e18779862fffc6b7baf9e25c13fa8076262efc1aee4a861de13c220f897ca8
+            arm64: 3.28.2-r1-arm64@sha256:88c53fa8c802bbcc85eb9fe6d840dfde25342f6d5ea14c9dd127001fddae2d00
     coredns:
         repo: proxy.replicated.com/anonymous/replicated/ec-coredns
         tag:

pkg/configutils/runtime.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/helpers"
@@ -19,17 +20,45 @@ import (
 // purposes.
 var sysctlConfigPath = "/etc/sysctl.d/99-embedded-cluster.conf"
 
-var modulesLoadConfigPath = "/etc/modules-load.d/99-embedded-cluster.conf"
+// dynamicSysctlConfigPath is the path to the dynamic sysctl config file that is used to configure
+// the embedded cluster.
+const dynamicSysctlConfigPath = "/etc/sysctl.d/99-dynamic-embedded-cluster.conf"
+
+// modulesLoadConfigPath is the path to the kernel modules config file that is used to configure
+// the embedded cluster.
+const modulesLoadConfigPath = "/etc/modules-load.d/99-embedded-cluster.conf"
 
 //go:embed static/sysctl.d/99-embedded-cluster.conf
 var embeddedClusterSysctlConf []byte
 
 //go:embed static/modules-load.d/99-embedded-cluster.conf
 var embeddedClusterModulesConf []byte
 
-// ConfigureSysctl writes the sysctl config file for the embedded cluster and reloads the sysctl
-// configuration. This function has a distinct behavior: if the sysctl binary does not exist it
-// returns an error but if it fails to lay down the sysctl config on disk it simply returns nil.
+// dynamicSysctlConstraints are the constraints that are used to generate the dynamic sysctl
+// config file.
+var dynamicSysctlConstraints = []sysctlConstraint{
+	// Increase inotify limits only if they are currently lower,
+	// ensuring proper operation of applications that monitor filesystem events.
+	{key: "fs.inotify.max_user_instances", value: 1024, operator: sysctlOperatorMin},
+	{key: "fs.inotify.max_user_watches", value: 65536, operator: sysctlOperatorMin},
+}
+
+type sysctlOperator string
+
+const (
+	sysctlOperatorMin sysctlOperator = "min"
+	sysctlOperatorMax sysctlOperator = "max"
+)
+
+type sysctlConstraint struct {
+	key      string
+	value    int64
+	operator sysctlOperator
+}
+
+type sysctlValueGetter func(key string) (int64, error)
+
+// ConfigureSysctl writes the sysctl config files for the embedded cluster and reloads the sysctl configuration.
 // NOTE: do not run this after the cluster has already been installed as it may revert sysctl
 // settings set by k0s and its extensions.
 func ConfigureSysctl() error {
@@ -41,6 +70,10 @@ func ConfigureSysctl() error {
 		return fmt.Errorf("materialize sysctl config: %w", err)
 	}
 
+	if err := dynamicSysctlConfig(); err != nil {
+		return fmt.Errorf("materialize dynamic sysctl config: %w", err)
+	}
+
 	if _, err := helpers.RunCommand("sysctl", "--system"); err != nil {
 		return fmt.Errorf("configure sysctl: %w", err)
 	}
@@ -58,6 +91,63 @@ func sysctlConfig() error {
 	return nil
 }
 
+// dynamicSysctlConfig generates a dynamic sysctl config file based on current system values
+// and our constraints.
+func dynamicSysctlConfig() error {
+	return generateDynamicSysctlConfig(getCurrentSysctlValue, dynamicSysctlConfigPath)
+}
+
+// generateDynamicSysctlConfig is the testable version of dynamicSysctlConfig that accepts
+// a custom sysctl value getter and config path.
+func generateDynamicSysctlConfig(getter sysctlValueGetter, configPath string) error {
+	if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil {
+		return fmt.Errorf("create directory: %w", err)
+	}
+
+	var config strings.Builder
+	config.WriteString("# Dynamic sysctl configuration for embedded-cluster\n")
+	config.WriteString("# This file is generated based on system values\n\n")
+
+	for _, constraint := range dynamicSysctlConstraints {
+		currentValue, err := getter(constraint.key)
+		if err != nil {
+			return fmt.Errorf("check current value for %s: %w", constraint.key, err)
+		}
+
+		needsUpdate := false
+		switch constraint.operator {
+		case sysctlOperatorMin:
+			needsUpdate = currentValue < constraint.value
+		case sysctlOperatorMax:
+			needsUpdate = currentValue > constraint.value
+		}
+
+		if needsUpdate {
+			config.WriteString(fmt.Sprintf("%s = %d\n", constraint.key, constraint.value))
+		}
+	}
+
+	if err := os.WriteFile(configPath, []byte(config.String()), 0644); err != nil {
+		return fmt.Errorf("write dynamic config file: %w", err)
+	}
+	return nil
+}
+
+// getCurrentSysctlValue reads the current value of a sysctl parameter
+func getCurrentSysctlValue(key string) (int64, error) {
+	out, err := helpers.RunCommand("sysctl", "-n", key)
+	if err != nil {
+		return 0, fmt.Errorf("get sysctl value: %w", err)
+	}
+
+	value, err := strconv.ParseInt(strings.TrimSpace(string(out)), 10, 64)
+	if err != nil {
+		return 0, fmt.Errorf("parse sysctl value: %w", err)
+	}
+
+	return value, nil
+}
+
 // ConfigureKernelModules writes the kernel modules config file and ensures the kernel modules are
 // loaded that are listed in the file.
 func ConfigureKernelModules() error {