Add support for setting sysctl values in podman play kube manifests #16711

Closed
fpoirotte opened this issue Dec 2, 2022 · 8 comments · Fixed by #17464
Labels
Good First Issue This issue would be a good issue for a first time contributor to undertake. kind/feature Categorizes issue or PR as related to a new feature. kube locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@fpoirotte
Contributor

fpoirotte commented Dec 2, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

Please add support for securityContext.sysctls.name / securityContext.sysctls.value in podman play kube.
More information on the associated syntax can be found at https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#setting-sysctls-for-a-pod

Steps to reproduce the issue:

  1. Create sysctl.yaml with the following content:
apiVersion: v1
kind: Pod
metadata:
  name: sysctl
spec:
  restartPolicy: Never

  securityContext:
    sysctls:
    - name:  net.ipv4.icmp_echo_ignore_broadcasts
      value: "0"   # Sysctl.value is a string in the Kubernetes API, so quote it

  containers:
  - name: alpine
    image: alpine:3.15
    command: ["/bin/sleep", "300"]
  2. Start the pod using that file: podman play kube sysctl.yaml and wait for the command's completion.

  3. In a new terminal, run podman exec -i sysctl-alpine sysctl net.ipv4.icmp_echo_ignore_broadcasts

Describe the results you received:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Describe the results you expected:
net.ipv4.icmp_echo_ignore_broadcasts = 0

Additional information you deem important (e.g. issue happens only occasionally):

podman supports overriding (a subset of) sysctl settings when running a container (through podman run --sysctl name=value).
Running the same test with podman run gives the expected result:

$ podman run --name sysctl-ctr -d --rm --sysctl net.ipv4.icmp_echo_ignore_broadcasts=0 alpine:3.15 sleep 300 && podman exec -i sysctl-ctr sysctl net.ipv4.icmp_echo_ignore_broadcasts
7b0a282c4e53e25e135cb8ce441c7886936ee03c58840955a255cd1a00adbfc7
net.ipv4.icmp_echo_ignore_broadcasts = 0

Output of podman version:

Client:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.18.7
Built:        Fri Nov 11 16:24:13 2022
OS/Arch:      linux/amd64

Output of podman info:

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.4-3.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.4, commit: '
  cpuUtilization:
    idlePercent: 53.19
    systemPercent: 11.94
    userPercent: 34.87
  cpus: 8
  distribution:
    distribution: fedora
    variant: workstation
    version: "36"
  eventLogger: file
  hostname: myhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1501
      size: 1
    - container_id: 1
      host_id: 7000000
      size: 8665536
    uidmap:
    - container_id: 0
      host_id: 1234
      size: 1
    - container_id: 1
      host_id: 7000000
      size: 8665536
  kernel: 6.0.7-200.fc36.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 4573777920
  memTotal: 16622600192
  networkBackend: cni
  ociRuntime:
    name: crun
    package: crun-1.6-2.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.6
      commit: 18cf2efbb8feb2b2f20e316520e0fd0b6c41ef4d
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1234/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 12448526336
  swapTotal: 17179860992
  uptime: 261h 38m 27.00s (Approximately 10.88 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/me/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/me/.local/share/containers/storage
  graphRootAllocated: 229198450688
  graphRootUsed: 181539045376
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 420
  runRoot: /run/user/1234/containers
  volumePath: /home/me/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1668180253
  BuiltTime: Fri Nov 11 16:24:13 2022
  GitCommit: ""
  GoVersion: go1.18.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

podman-4.3.1-1.fc36.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

physical environment

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 2, 2022
@github-actions

github-actions bot commented Jan 2, 2023

A friendly reminder that this issue had no activity for 30 days.

@jwillikers
Contributor

This would be great!

@rhatdan rhatdan added kube and removed stale-issue labels Feb 8, 2023
@rhatdan
Member

rhatdan commented Feb 8, 2023

Anyone interested in opening a PR?

@rhatdan rhatdan added the Good First Issue This issue would be a good issue for a first time contributor to undertake. label Feb 8, 2023
@hasan4791
Contributor

I'll take a look at this one
/assign

@hasan4791
Contributor

hasan4791 commented Feb 10, 2023

    securityContext:
      sysctls:
      - name:  net.ipv4.icmp_echo_ignore_broadcasts
        value: 0

Looks like, these configurations should go inside pod spec rather than container spec.

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core

@ygalblum
Contributor

Actually it may be configured at both levels: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

@hasan4791
Contributor

Actually it may be configured at both levels: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

SecurityContext is configured at both levels, but the sysctl configuration is defined in podsecuritycontext.

@fpoirotte
Contributor Author

Indeed, only the pod's securityContext can be used to set sysctl settings.
I've updated my initial post to reflect that.
Thanks again for pointing that out!
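The two points this thread settles on (sysctls belong in the pod-level securityContext, not the container's, and only namespaced keys can be set per container, which is the same restriction podman run --sysctl enforces) as a pre-flight check, added here as an example; it is not code from the issue or from the podman project. It takes the manifest already parsed into a dict (what yaml.safe_load returns), reports the mistakes discussed above, and derives the podman run --sysctl flags the reporter used for comparison. SAFE_SYSCTLS is transcribed from the Kubernetes sysctl documentation for the 1.22 to 1.26 releases, the namespaced-key sets from podman-run(1); the function names and the two sample manifests are this example's own, the samples being constructed from the issue's YAML.

```python
"""Pre-flight check for the sysctls in a Kubernetes Pod manifest before handing
it to `podman kube play`, plus the equivalent `podman run --sysctl` flags.

Added example for this issue, not podman project code.  The manifest is passed
in already parsed (e.g. by yaml.safe_load); the sample manifests at the bottom
are constructed from the issue's YAML.
"""

# Sysctls the Kubernetes docs treat as "safe" (namespaced, isolated per pod, no
# effect on other pods or the host).  Everything else is "unsafe": a kubelet only
# applies it when the key is listed in --allowed-unsafe-sysctls.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Namespaced keys that `podman run --sysctl` accepts (podman-run(1)): the IPC
# namespace keys below, plus anything under net.* and fs.mqueue.*.
NAMESPACED_IPC = {
    "kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
    "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced",
}
NAMESPACED_PREFIXES = ("net.", "fs.mqueue.")


def is_namespaced(name: str) -> bool:
    """True if the kernel exposes this key per namespace, i.e. it can be set per container."""
    return name in NAMESPACED_IPC or name.startswith(NAMESPACED_PREFIXES)


def pod_sysctls(manifest: dict) -> list[dict]:
    """The entries under spec.securityContext.sysctls (the only place they are valid)."""
    spec = manifest.get("spec") or {}
    return list((spec.get("securityContext") or {}).get("sysctls") or [])


def lint_pod_sysctls(manifest: dict) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the sysctl block is clean."""
    findings = []
    spec = manifest.get("spec") or {}

    # sysctls is a PodSecurityContext field only.  At container level it is an
    # unknown field to the Kubernetes API, and a lenient parser simply drops it,
    # so the setting never reaches the kernel.
    for ctr in spec.get("containers") or []:
        if "sysctls" in (ctr.get("securityContext") or {}):
            findings.append(("container-level",
                             f"container {ctr.get('name')!r}: move securityContext.sysctls to spec.securityContext"))

    for entry in pod_sysctls(manifest):
        name, value = entry.get("name"), entry.get("value")
        # The name ends up in a `--sysctl name=value` argument: reject anything that
        # could smuggle in a second key or break the line.
        if not isinstance(name, str) or not name or any(c in name for c in "=\n\r\t "):
            findings.append(("bad-name", f"{name!r}: sysctl name must be a single non-empty token"))
            continue
        if not isinstance(value, str) or any(c in value for c in "\n\r"):
            findings.append(("bad-value", f'{name}: value must be a string (write value: "{value}")'))
        if not is_namespaced(name):
            findings.append(("not-namespaced", f"{name}: not namespaced, cannot be set per container"))
        elif name not in SAFE_SYSCTLS:
            findings.append(("unsafe", f"{name}: namespaced but not on the Kubernetes safe list; "
                                       "a kubelet needs --allowed-unsafe-sysctls, podman applies it as-is"))
        if name.startswith("net.") and spec.get("hostNetwork"):
            findings.append(("host-namespace", f"{name}: net.* sysctls are rejected with hostNetwork: true"))
    return findings


def podman_run_sysctl_flags(manifest: dict) -> list[str]:
    """`podman run` flags equivalent to the pod-level sysctls (the reporter's comparison run)."""
    return [f"--sysctl={e['name']}={e['value']}" for e in pod_sysctls(manifest)]


# Constructed sample inputs: the issue's manifest, and a variant with the
# mistakes discussed in the thread (container-level placement, unquoted value,
# a key that is not namespaced).
POD_LEVEL = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sysctl"},
    "spec": {
        "restartPolicy": "Never",
        "securityContext": {"sysctls": [{"name": "net.ipv4.icmp_echo_ignore_broadcasts", "value": "0"}]},
        "containers": [{"name": "alpine", "image": "alpine:3.15", "command": ["/bin/sleep", "300"]}],
    },
}
WRONG = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sysctl"},
    "spec": {
        "securityContext": {"sysctls": [
            {"name": "net.ipv4.icmp_echo_ignore_broadcasts", "value": 0},
            {"name": "kernel.panic", "value": "10"},
        ]},
        "containers": [{"name": "alpine", "image": "alpine:3.15",
                        "securityContext": {"sysctls": [{"name": "net.ipv4.tcp_syncookies", "value": "1"}]}}],
    },
}

if __name__ == "__main__":
    for label, manifest in (("pod-level", POD_LEVEL), ("wrong", WRONG)):
        print(label, lint_pod_sysctls(manifest), podman_run_sysctl_flags(manifest))
```

Run it on a parsed manifest before podman kube play; the one finding on the issue's own manifest is "unsafe", which is exactly the difference between podman (applies any namespaced key) and a kubelet (refuses it unless allowed), and worth knowing before the same YAML is reused on a cluster.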

hasan4791 added a commit to hasan4791/podman that referenced this issue Feb 16, 2023
Support sysctl configuration from Pod spec via podman kube play CLI

Closes containers#16711

Signed-off-by: T K Chandra Hasan <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 1, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 1, 2023