From b37f74b7325a74671997adb25f98b14e326f4759 Mon Sep 17 00:00:00 2001 From: Laurenz Kruty Date: Fri, 2 Jun 2023 22:20:55 +0200 Subject: [PATCH] Quadlet: Add support for --sysctl flag The Sysctl=name=value entry can be used to set --sysctl=name=value directly without the need to use PodmanArgs=--sysctl=name=value. Signed-off-by: Laurenz Kruty --- docs/source/markdown/podman-systemd.unit.5.md | 12 ++++++++++++ pkg/systemd/quadlet/quadlet.go | 7 +++++++ test/e2e/quadlet/sysctl.container | 8 ++++++++ test/e2e/quadlet_test.go | 1 + 4 files changed, 28 insertions(+) create mode 100644 test/e2e/quadlet/sysctl.container diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md index 7c0677a063..4c14e30cd9 100644 --- a/docs/source/markdown/podman-systemd.unit.5.md +++ b/docs/source/markdown/podman-systemd.unit.5.md @@ -128,6 +128,7 @@ Valid options for `[Container]` are listed below: | SecurityLabelFileType=usr_t | --security-opt label=filetype:usr_t | | SecurityLabelLevel=s0:c1,c2 | --security-opt label=level:s0:c1,c2 | | SecurityLabelType=spc_t | --security-opt label=type:spc_t | +| Sysctl=name=value | --sysctl=name=value | | Timezone=local | --tz local | | Tmpfs=/work | --tmpfs /work | | User=bin | --user bin | @@ -428,6 +429,17 @@ Set the label process type for the container processes. Use a Podman secret in the container either as a file or an environment variable. This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]` +### `Sysctl=` + +Configures namespaced kernel parameters for the container. The format is `Sysctl=name=value`. + +This is a space separated list of kernel parameters. This key can be listed multiple times. + +For example: +``` +Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1 +``` + ### `Tmpfs=` Mount a tmpfs in the container. This is equivalent to the Podman `--tmpfs` option, and 
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index 27f337aaeb..d5bf6a2a56 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -94,6 +94,7 @@ const (
 KeySecurityLabelLevel = "SecurityLabelLevel"
 KeySecurityLabelType = "SecurityLabelType"
 KeySecret = "Secret"
+ KeySysctl = "Sysctl"
 KeyTimezone = "Timezone"
 KeyTmpfs = "Tmpfs"
 KeyType = "Type"
@@ -156,6 +157,7 @@ var (
 KeySecurityLabelLevel: true,
 KeySecurityLabelType: true,
 KeySecret: true,
+ KeySysctl: true,
 KeyTmpfs: true,
 KeyTimezone: true,
 KeyUser: true,
@@ -458,6 +460,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 podman.addf("--cap-add=%s", strings.ToLower(caps))
 }
 
+ sysctl := container.LookupAllStrv(ContainerGroup, KeySysctl)
+ for _, sysctlItem := range sysctl {
+ podman.addf("--sysctl=%s", sysctlItem)
+ }
+
 readOnly, ok := container.LookupBoolean(ContainerGroup, KeyReadOnly)
 if ok {
 podman.addBool("--read-only", readOnly)
diff --git a/test/e2e/quadlet/sysctl.container b/test/e2e/quadlet/sysctl.container
new file mode 100644
index 0000000000..7e9b9fb39e
--- /dev/null
+++ b/test/e2e/quadlet/sysctl.container
@@ -0,0 +1,8 @@
+## assert-podman-args "--sysctl=net.ipv6.conf.all.disable_ipv6=1"
+## assert-podman-args "--sysctl=net.ipv6.conf.all.use_tempaddr=1"
+## assert-podman-args "--sysctl=net.ipv4.conf.lo.force_igmp_version=0"
+
+[Container]
+Image=localhost/imagename
+Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1
+Sysctl=net.ipv4.conf.lo.force_igmp_version=0
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index 4eb059e6a5..15b3221391 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
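Review bot: In the `Sysctl=` loop of the third hunk every item is handed to `--sysctl=%s` unchecked, so a value that legitimately contains whitespace, such as `net.ipv4.ip_local_port_range=1024 65535`, is split by LookupAllStrv into `--sysctl=net.ipv4.ip_local_port_range=1024` and `--sysctl=65535` (assuming LookupAllStrv splits on unquoted whitespace, as the man-page hunk's "space separated list" implies), and the malformed second argument is only rejected by podman when the service starts, not when the unit is generated. The man page should say that such values must be quoted (`Sysctl="net.ipv4.ip_local_port_range=1024 65535"`) if the unit parser honours systemd-style quoting, and the sysctl.container fixture should cover that case with a matching `## assert-podman-args` line. A generation-time check would surface misspelt entries at daemon-reload rather than at unit start, e.g. inside the loop: `if !strings.Contains(sysctlItem, "=") { return nil, fmt.Errorf("invalid Sysctl entry %q, expected name=value", sysctlItem) }` — this assumes ConvertContainer returns an error, as its truncated signature suggests, and that fmt is already imported. ConvertContainer starts and ends outside the hunk.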
@@ -562,6 +562,7 @@ var _ = Describe("quadlet system generator", func() {
 Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
 Entry("seccomp.container", "seccomp.container"),
 Entry("shortname.container", "shortname.container"),
+ Entry("sysctl.container", "sysctl.container"),
 Entry("timezone.container", "timezone.container"),
 Entry("user.container", "user.container"),
 Entry("remap-manual.container", "remap-manual.container"),