Merge pull request #17464 from hasan4791/issue-16711

[FEAT] Support sysctl configurations from Pod Spec
containers · Feb 17, 2023 · f9af496 · f9af496
2 parents 33622f7 + 94d4b52
commit f9af496
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 0 deletions.
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
@@ -107,6 +107,17 @@ func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions,
 			p.Net.DNSOptions = dnsOptions
 		}
 	}
+
+	if pscConfig := podYAML.Spec.SecurityContext; pscConfig != nil {
+		// Extract sysctl list from pod security context
+		if options := pscConfig.Sysctls; len(options) > 0 {
+			sysctlOptions := make([]string, 0, len(options))
+			for _, opts := range options {
+				sysctlOptions = append(sysctlOptions, opts.Name+"="+opts.Value)
+			}
+			p.Sysctl = sysctlOptions
+		}
+	}
 	return p, nil
 }
 

diff --git a/pkg/specgen/generate/pod_create.go b/pkg/specgen/generate/pod_create.go
@@ -264,6 +264,10 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) {
 		p.InfraContainerSpec.ConmonPidFile = p.InfraConmonPidFile
 	}
 
+	if p.Sysctl != nil && len(p.Sysctl) > 0 {
+		p.InfraContainerSpec.Sysctl = p.Sysctl
+	}
+
 	p.InfraContainerSpec.Image = p.InfraImage
 	return p.InfraContainerSpec, nil
 }

diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
@@ -967,6 +967,49 @@ spec:
     command: ['sh', '-c', 'ls -l /proc/self/ns/ipc']
 `
 
+var podWithSysctlDefined = `
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-sysctl
+spec:
+  securityContext:
+    sysctls:
+    - name: kernel.msgmax
+      value: "65535"
+    - name: net.core.somaxconn
+      value: "65535"
+  containers:
+  - name: alpine
+    image: quay.io/libpod/alpine:latest
+    command:
+    - "/bin/sh"
+    - "-c"
+    - "sysctl kernel.msgmax;sysctl net.core.somaxconn"
+`
+
+var podWithSysctlHostNetDefined = `
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-sysctl
+spec:
+  securityContext:
+    sysctls:
+    - name: kernel.msgmax
+      value: "65535"
+    - name: net.core.somaxconn
+      value: "65535"
+  hostNetwork: true
+  containers:
+  - name: alpine
+    image: quay.io/libpod/alpine:latest
+    command:
+    - "/bin/sh"
+    - "-c"
+    - "sysctl kernel.msgmax"
+`
+
 var (
 	defaultCtrName        = "testCtr"
 	defaultCtrCmd         = []string{"top"}
@@ -5034,4 +5077,29 @@ spec:
 		Expect(inspect.OutputToString()).To(ContainSubstring("\"Aliases\": [ \"" + ctrName + "\""))
 	})
 
+	It("podman play kube test with sysctl defined", func() {
+		SkipIfRootless("Network sysctls are not available for rootless")
+		err := writeYaml(podWithSysctlDefined, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(Exit(0))
+
+		logs := podmanTest.Podman([]string{"pod", "logs", "-c", "test-sysctl-alpine", "test-sysctl"})
+		logs.WaitWithDefaultTimeout()
+		Expect(logs).Should(Exit(0))
+		Expect(logs.OutputToString()).To(ContainSubstring("kernel.msgmax = 65535"))
+		Expect(logs.OutputToString()).To(ContainSubstring("net.core.somaxconn = 65535"))
+	})
+
+	It("podman play kube test with sysctl & host network defined", func() {
+		SkipIfRootless("Network sysctls are not available for rootless")
+		err := writeYaml(podWithSysctlHostNetDefined, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(Exit(125))
+	})
 })