Quadlet: Add support for --sysctl flag
The Sysctl=name=value entry can be used to set --sysctl=name=value
directly without the need to use PodmanArgs=--sysctl=name=value.

Signed-off-by: Laurenz Kruty <[email protected]>
LauKr committed Jun 8, 2023
1 parent 57797d8 commit b37f74b
Showing 4 changed files with 28 additions and 0 deletions.
12 changes: 12 additions & 0 deletions docs/source/markdown/podman-systemd.unit.5.md
Expand Up @@ -128,6 +128,7 @@ Valid options for `[Container]` are listed below:
| SecurityLabelFileType=usr_t | --security-opt label=filetype:usr_t |
| SecurityLabelLevel=s0:c1,c2 | --security-opt label=level:s0:c1,c2 |
| SecurityLabelType=spc_t | --security-opt label=type:spc_t |
| Sysctl=name=value | --sysctl=name=value |
| Timezone=local | --tz local |
| Tmpfs=/work | --tmpfs /work |
| User=bin | --user bin |
Expand Down Expand Up @@ -428,6 +429,17 @@ Set the label process type for the container processes.
Use a Podman secret in the container either as a file or an environment variable.
This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]`

### `Sysctl=`

Configures namespaced kernel parameters for the container. The format is `Sysctl=name=value`.

This is a space separated list of kernel parameters. This key can be listed multiple times.

For example:
```
Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1
```

### `Tmpfs=`

Mount a tmpfs in the container. This is equivalent to the Podman `--tmpfs` option, and
7 changes: 7 additions & 0 deletions pkg/systemd/quadlet/quadlet.go
Expand Up @@ -94,6 +94,7 @@ const (
KeySecurityLabelLevel = "SecurityLabelLevel"
KeySecurityLabelType = "SecurityLabelType"
KeySecret = "Secret"
KeySysctl = "Sysctl"
KeyTimezone = "Timezone"
KeyTmpfs = "Tmpfs"
KeyType = "Type"
Expand Down Expand Up @@ -156,6 +157,7 @@ var (
KeySecurityLabelLevel: true,
KeySecurityLabelType: true,
KeySecret: true,
KeySysctl: true,
KeyTmpfs: true,
KeyTimezone: true,
KeyUser: true,
Expand Down Expand Up @@ -458,6 +460,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
podman.addf("--cap-add=%s", strings.ToLower(caps))
}

sysctl := container.LookupAllStrv(ContainerGroup, KeySysctl)
for _, sysctlItem := range sysctl {
podman.addf("--sysctl=%s", sysctlItem)
}

readOnly, ok := container.LookupBoolean(ContainerGroup, KeyReadOnly)
if ok {
podman.addBool("--read-only", readOnly)
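Review bot: The `Sysctl=` values on the new lines reach `podman.addf("--sysctl=%s", sysctlItem)` without any check of the `name=value` shape the documentation promises, so an entry such as `Sysctl=net.ipv6.conf.all.disable_ipv6` (value missing) is emitted verbatim as `--sysctl=net.ipv6.conf.all.disable_ipv6` and only fails when the generated service starts, not when quadlet generates it. A guard inside the loop would surface the misconfiguration at generation time where the unit author can see it: `if !strings.Contains(sysctlItem, "=") { return nil, fmt.Errorf("invalid Sysctl %q: expected name=value", sysctlItem) }` (`strings` is already used a few lines up; use whichever error constructor this file already relies on). Whether neighbouring keys in this function validate their values the same way is not visible from the hunk; ConvertContainer begins and ends outside it.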
8 changes: 8 additions & 0 deletions test/e2e/quadlet/sysctl.container
@@ -0,0 +1,8 @@
## assert-podman-args "--sysctl=net.ipv6.conf.all.disable_ipv6=1"
## assert-podman-args "--sysctl=net.ipv6.conf.all.use_tempaddr=1"
## assert-podman-args "--sysctl=net.ipv4.conf.lo.force_igmp_version=0"

[Container]
Image=localhost/imagename
Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1
Sysctl=net.ipv4.conf.lo.force_igmp_version=0
1 change: 1 addition & 0 deletions test/e2e/quadlet_test.go
Expand Up @@ -562,6 +562,7 @@ var _ = Describe("quadlet system generator", func() {
Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
Entry("seccomp.container", "seccomp.container"),
Entry("shortname.container", "shortname.container"),
Entry("sysctl.container", "sysctl.container"),
Entry("timezone.container", "timezone.container"),
Entry("user.container", "user.container"),
Entry("remap-manual.container", "remap-manual.container"),
