Merge pull request #12836 from cdoern/podSysCtl

Podman Pod Create --sysctl support

cmd/podman/common/create.go

@@ -563,15 +563,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		)
 		_ = cmd.RegisterFlagCompletionFunc(stopTimeoutFlagName, completion.AutocompleteNone)
 
-		sysctlFlagName := "sysctl"
-		createFlags.StringSliceVar(
-			&cf.Sysctl,
-			sysctlFlagName, []string{},
-			"Sysctl options",
-		)
-		//TODO: Add function for sysctl completion.
-		_ = cmd.RegisterFlagCompletionFunc(sysctlFlagName, completion.AutocompleteNone)
-
 		systemdFlagName := "systemd"
 		createFlags.StringVar(
 			&cf.Systemd,
@@ -712,6 +703,16 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 			`If a container with the same name exists, replace it`,
 		)
 	}
+
+	sysctlFlagName := "sysctl"
+	createFlags.StringSliceVar(
+		&cf.Sysctl,
+		sysctlFlagName, []string{},
+		"Sysctl options",
+	)
+	//TODO: Add function for sysctl completion.
+	_ = cmd.RegisterFlagCompletionFunc(sysctlFlagName, completion.AutocompleteNone)
+
 	securityOptFlagName := "security-opt"
 	createFlags.StringArrayVar(
 		&cf.SecurityOpt,

docs/source/markdown/podman-pod-create.1.md

@@ -276,6 +276,28 @@ podman generates a UUID for each pod, and if a name is not assigned
 to the container with **--name** then a random string name will be generated
 for it. The name is useful any place you need to identify a pod.
 
+#### **--sysctl**=_name_=_value_
+
+Configure namespace kernel parameters for all containers in the pod.
+
+For the IPC namespace, the following sysctls are allowed:
+
+- kernel.msgmax
+- kernel.msgmnb
+- kernel.msgmni
+- kernel.sem
+- kernel.shmall
+- kernel.shmmax
+- kernel.shmmni
+- kernel.shm_rmid_forced
+- Sysctls beginning with fs.mqueue.\*
+
+Note: if the ipc namespace is not shared within the pod, these sysctls are not allowed.
+
+For the network namespace, only sysctls beginning with net.\* are allowed.
+
+Note: if the network namespace is not shared within the pod, these sysctls are not allowed.
+
 #### **--userns**=*mode*
 
 Set the user namespace mode for all the containers in a pod. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled.

pkg/domain/entities/pods.go

@@ -139,6 +139,7 @@ type PodCreateOptions struct {
 	Volume             []string          `json:"volume,omitempty"`
 	VolumesFrom        []string          `json:"volumes_from,omitempty"`
 	SecurityOpt        []string          `json:"security_opt,omitempty"`
+	Sysctl             []string          `json:"sysctl,omitempty"`
 }
 
 // PodLogsOptions describes the options to extract pod logs.
@@ -240,7 +241,7 @@ type ContainerCreateOptions struct {
 	StorageOpts       []string
 	SubUIDName        string
 	SubGIDName        string
-	Sysctl            []string
+	Sysctl            []string `json:"sysctl,omitempty"`
 	Systemd           string
 	Timeout           uint
 	TLSVerify         commonFlag.OptionalBool
@@ -360,6 +361,15 @@ func ToPodSpecGen(s specgen.PodSpecGenerator, p *PodCreateOptions) (*specgen.Pod
 		}
 	}
 	s.Userns = p.Userns
+	sysctl := map[string]string{}
+	if ctl := p.Sysctl; len(ctl) > 0 {
+		sysctl, err = util.ValidateSysctls(ctl)
+		if err != nil {
+			return nil, err
+		}
+	}
+	s.Sysctl = sysctl
+
 	return &s, nil
 }
 

pkg/specgen/podspecgen.go

@@ -74,6 +74,8 @@ type PodBasicConfig struct {
 	Userns Namespace `json:"userns,omitempty"`
 	// Devices contains user specified Devices to be added to the Pod
 	Devices []string `json:"pod_devices,omitempty"`
+	// Sysctl sets kernel parameters for the pod
+	Sysctl map[string]string `json:"sysctl,omitempty"`
 }
 
 // PodNetworkConfig contains networking configuration for a pod.

test/e2e/pod_create_test.go

@@ -1029,4 +1029,43 @@ ENTRYPOINT ["sleep","99999"]
 		Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
 
 	})
+
+	It("podman pod create --sysctl test", func() {
+		SkipIfRootless("Network sysctls are not available root rootless")
+		podCreate := podmanTest.Podman([]string{"pod", "create", "--sysctl", "net.core.somaxconn=65535"})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session := podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "net.core.somaxconn"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(ContainSubstring("net.core.somaxconn = 65535"))
+
+		// if not sharing the net NS, nothing should fail, but the sysctl should not be passed
+		podCreate = podmanTest.Podman([]string{"pod", "create", "--share", "pid", "--sysctl", "net.core.somaxconn=65535"})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session = podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "net.core.somaxconn"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).NotTo(ContainSubstring("net.core.somaxconn = 65535"))
+
+		// one other misc option
+		podCreate = podmanTest.Podman([]string{"pod", "create", "--sysctl", "kernel.msgmax=65535"})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session = podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "kernel.msgmax"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(ContainSubstring("kernel.msgmax = 65535"))
+
+		podCreate = podmanTest.Podman([]string{"pod", "create", "--share", "pid", "--sysctl", "kernel.msgmax=65535"})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session = podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "kernel.msgmax"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).NotTo(ContainSubstring("kernel.msgmax = 65535"))
+
+	})
+
 })