Merge pull request #18785 from LauKr/main

Quadlet: Add support for --sysctl

docs/source/markdown/podman-systemd.unit.5.md

@@ -130,6 +130,7 @@ Valid options for `[Container]` are listed below:
 | SecurityLabelLevel=s0:c1,c2    | --security-opt label=level:s0:c1,c2                  |
 | SecurityLabelNested=true       | --security-opt label=nested                          |
 | SecurityLabelType=spc_t        | --security-opt label=type:spc_t                      |
+| Sysctl=name=value              | --sysctl=name=value                                  |
 | Timezone=local                 | --tz local                                           |
 | Tmpfs=/work                    | --tmpfs /work                                        |
 | User=bin                       | --user bin                                           |
@@ -438,6 +439,17 @@ Set the label process type for the container processes.
 Use a Podman secret in the container either as a file or an environment variable.
 This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]`
 
+### `Sysctl=`
+
+Configures namespaced kernel parameters for the container. The format is `Sysctl=name=value`.
+
+This is a space separated list of kernel parameters. This key can be listed multiple times.
+
+For example:
+```
+Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1
+```
+
 ### `Tmpfs=`
 
 Mount a tmpfs in the container. This is equivalent to the Podman `--tmpfs` option, and

pkg/systemd/quadlet/quadlet.go

@@ -96,6 +96,7 @@ const (
 	KeySecurityLabelNested   = "SecurityLabelNested"
 	KeySecurityLabelType     = "SecurityLabelType"
 	KeySecret                = "Secret"
+	KeySysctl                = "Sysctl"
 	KeyTimezone              = "Timezone"
 	KeyTmpfs                 = "Tmpfs"
 	KeyType                  = "Type"
@@ -160,6 +161,7 @@ var (
 		KeySecurityLabelNested:   true,
 		KeySecurityLabelType:     true,
 		KeySecret:                true,
+		KeySysctl:                true,
 		KeyTmpfs:                 true,
 		KeyTimezone:              true,
 		KeyUser:                  true,
@@ -467,6 +469,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.addf("--cap-add=%s", strings.ToLower(caps))
 	}
 
+	sysctl := container.LookupAllStrv(ContainerGroup, KeySysctl)
+	for _, sysctlItem := range sysctl {
+		podman.addf("--sysctl=%s", sysctlItem)
+	}
+
 	readOnly, ok := container.LookupBoolean(ContainerGroup, KeyReadOnly)
 	if ok {
 		podman.addBool("--read-only", readOnly)

test/e2e/quadlet/sysctl.container

@@ -0,0 +1,8 @@
+## assert-podman-args "--sysctl=net.ipv6.conf.all.disable_ipv6=1"
+## assert-podman-args "--sysctl=net.ipv6.conf.all.use_tempaddr=1"
+## assert-podman-args "--sysctl=net.ipv4.conf.lo.force_igmp_version=0"
+
+[Container]
+Image=localhost/imagename
+Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1
+Sysctl=net.ipv4.conf.lo.force_igmp_version=0

test/e2e/quadlet_test.go

@@ -563,6 +563,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
 		Entry("seccomp.container", "seccomp.container"),
 		Entry("shortname.container", "shortname.container"),
+		Entry("sysctl.container", "sysctl.container"),
 		Entry("timezone.container", "timezone.container"),
 		Entry("user.container", "user.container"),
 		Entry("remap-manual.container", "remap-manual.container"),