Remount sysctl paths in Docker entrypoint

[twz123]

Description

Kubelet attempts to enforce certain sysctl tunables in /proc/sys. If the host configuration differs from what kubelet expects, errors may occur, such as "Failed to start ContainerManager: open /proc/sys/kernel/panic: read-only file system" or similar. Mitigate this by remounting /proc/sys in read-write mode if necessary.

The tunables only need to be set once and will stay in place until the next time the host reboots. If the values match the kubelet's expectations, the containers could get away with a read-only /proc/sys. This is inconvenient. Therefore, perform an automatic remount. Users may opt out of this via an environment variable.

Reference: https://github.com/kubernetes/kubernetes/blob/v1.33.1/pkg/kubelet/cm/container_manager_linux.go#L412

Note that if kubelet is running in a user namespace and the KubeletInUserNamespace alpha feature gate is enabled, kubelet will ignore any errors when setting tunables.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

How Has This Been Tested?

• Manual test
• Auto test added

Checklist

• My code follows the style guidelines of this project
• My commit messages are signed-off
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules
• I have checked my code and corrected any misspellings