Quadlet: Add support for --sysctl flag

The Sysctl=name=value entry can be used to set --sysctl=name=value directly without the need to use PodmanArgs=--sysctl=name=value. Signed-off-by: Laurenz Kruty <git@laurenzkruty.de>
2025-06-02 10:46:09 +08:00 · 2023-06-02 22:20:55 +02:00
parent 57797d8559
commit b37f74b732
4 changed files with 28 additions and 0 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -128,6 +128,7 @@ Valid options for `[Container]` are listed below:
 | SecurityLabelFileType=usr_t    | --security-opt label=filetype:usr_t                  |
 | SecurityLabelLevel=s0:c1,c2    | --security-opt label=level:s0:c1,c2                  |
 | SecurityLabelType=spc_t        | --security-opt label=type:spc_t                      |
+| Sysctl=name=value              | --sysctl=name=value                                  |
 | Timezone=local                 | --tz local                                           |
 | Tmpfs=/work                    | --tmpfs /work                                        |
 | User=bin                       | --user bin                                           |
@ -428,6 +429,17 @@ Set the label process type for the container processes.
 Use a Podman secret in the container either as a file or an environment variable.
 This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]`

+### `Sysctl=`
+
+Configures namespaced kernel parameters for the container. The format is `Sysctl=name=value`.
+
+This is a space separated list of kernel parameters. This key can be listed multiple times.
+
+For example:
+```
+Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1
+```
+
 ### `Tmpfs=`

 Mount a tmpfs in the container. This is equivalent to the Podman `--tmpfs` option, and
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -94,6 +94,7 @@ const (
 	KeySecurityLabelLevel    = "SecurityLabelLevel"
 	KeySecurityLabelType     = "SecurityLabelType"
 	KeySecret                = "Secret"
+	KeySysctl                = "Sysctl"
 	KeyTimezone              = "Timezone"
 	KeyTmpfs                 = "Tmpfs"
 	KeyType                  = "Type"
@ -156,6 +157,7 @@ var (
 		KeySecurityLabelLevel:    true,
 		KeySecurityLabelType:     true,
 		KeySecret:                true,
+		KeySysctl:                true,
 		KeyTmpfs:                 true,
 		KeyTimezone:              true,
 		KeyUser:                  true,
@ -458,6 +460,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.addf("--cap-add=%s", strings.ToLower(caps))
 	}

+	sysctl := container.LookupAllStrv(ContainerGroup, KeySysctl)
+	for _, sysctlItem := range sysctl {
+		podman.addf("--sysctl=%s", sysctlItem)
+	}
+
 	readOnly, ok := container.LookupBoolean(ContainerGroup, KeyReadOnly)
 	if ok {
 		podman.addBool("--read-only", readOnly)
--- a/test/e2e/quadlet/sysctl.container
+++ b/test/e2e/quadlet/sysctl.container
@ -0,0 +1,8 @@
+## assert-podman-args "--sysctl=net.ipv6.conf.all.disable_ipv6=1"
+## assert-podman-args "--sysctl=net.ipv6.conf.all.use_tempaddr=1"
+## assert-podman-args "--sysctl=net.ipv4.conf.lo.force_igmp_version=0"
+
+[Container]
+Image=localhost/imagename
+Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1
+Sysctl=net.ipv4.conf.lo.force_igmp_version=0
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@ -562,6 +562,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
 		Entry("seccomp.container", "seccomp.container"),
 		Entry("shortname.container", "shortname.container"),
+		Entry("sysctl.container", "sysctl.container"),
 		Entry("timezone.container", "timezone.container"),
 		Entry("user.container", "user.container"),
 		Entry("remap-manual.container", "remap-manual.container"),