[FEAT] Support sysctl configurations from Pod Spec #17464

Merged
merged 1 commit into from
Feb 17, 2023
11 changes: 11 additions & 0 deletions pkg/specgen/generate/kube/kube.go
Expand Up @@ -107,6 +107,17 @@ func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions,
p.Net.DNSOptions = dnsOptions
}
}

if pscConfig := podYAML.Spec.SecurityContext; pscConfig != nil {
// Extract sysctl list from pod security context
if options := pscConfig.Sysctls; len(options) > 0 {
sysctlOptions := make([]string, 0, len(options))
for _, opts := range options {
sysctlOptions = append(sysctlOptions, opts.Name+"="+opts.Value)
}
p.Sysctl = sysctlOptions
}
}
return p, nil
}

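Review bot: The entries taken from pod.Spec.SecurityContext.Sysctls are joined as `opts.Name+"="+opts.Value` inside the loop with no check on either field, so an empty Name or a Value containing `=` is forwarded verbatim and is caught later, if at all, by whatever consumes p.Sysctl; a comment should say so, e.g. `// Entries are forwarded unfiltered; name/value validation is left to the downstream sysctl handling`. Unlike kubelet, which admits only its safe sysctl set unless --allowed-unsafe-sysctls names others, nothing here filters the list, so the only guard is the runtime refusing sysctls that are not namespaced. The e2e test in this PR that expects exit 125 with hostNetwork suggests net.* sysctls are rejected downstream when host networking is used, but that is inferred rather than visible in this hunk. ToPodOpt starts outside the hunk.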
4 changes: 4 additions & 0 deletions pkg/specgen/generate/pod_create.go
Expand Up @@ -264,6 +264,10 @@ func MapSpec(p *specgen.PodSpecGenerator) (*specgen.SpecGenerator, error) {
p.InfraContainerSpec.ConmonPidFile = p.InfraConmonPidFile
}

if p.Sysctl != nil && len(p.Sysctl) > 0 {
p.InfraContainerSpec.Sysctl = p.Sysctl
}

p.InfraContainerSpec.Image = p.InfraImage
return p.InfraContainerSpec, nil
}
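Review bot: The guard `if p.Sysctl != nil && len(p.Sysctl) > 0` carries a redundant nil test, since len of a nil slice is 0; `if len(p.Sysctl) > 0 {` is the idiomatic form and behaves identically. The assignment on the next line aliases the pod's slice into the infra spec rather than copying it, which is fine as long as neither side is mutated afterwards, but the reason for routing pod sysctls through the infra container deserves a line, e.g. `// Pod-level sysctls are set on the infra container so they apply to the namespaces the pod's containers share` — that rationale is inferred from the tests rather than shown here, so adjust it if wrong. MapSpec starts outside the hunk.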
68 changes: 68 additions & 0 deletions test/e2e/play_kube_test.go
Expand Up @@ -967,6 +967,49 @@ spec:
command: ['sh', '-c', 'ls -l /proc/self/ns/ipc']
`

var podWithSysctlDefined = `
apiVersion: v1
kind: Pod
metadata:
name: test-sysctl
spec:
securityContext:
sysctls:
- name: kernel.msgmax
value: "65535"
- name: net.core.somaxconn
value: "65535"
containers:
- name: alpine
image: quay.io/libpod/alpine:latest
command:
- "/bin/sh"
- "-c"
- "sysctl kernel.msgmax;sysctl net.core.somaxconn"
`

var podWithSysctlHostNetDefined = `
apiVersion: v1
kind: Pod
metadata:
name: test-sysctl
spec:
securityContext:
sysctls:
- name: kernel.msgmax
value: "65535"
- name: net.core.somaxconn
value: "65535"
hostNetwork: true
containers:
- name: alpine
image: quay.io/libpod/alpine:latest
command:
- "/bin/sh"
- "-c"
- "sysctl kernel.msgmax"
`

var (
defaultCtrName = "testCtr"
defaultCtrCmd = []string{"top"}
Expand Down Expand Up @@ -5034,4 +5077,29 @@ spec:
Expect(inspect.OutputToString()).To(ContainSubstring("\"Aliases\": [ \"" + ctrName + "\""))
})

It("podman play kube test with sysctl defined", func() {
SkipIfRootless("Network sysctls are not available for rootless")
err := writeYaml(podWithSysctlDefined, kubeYaml)
Expect(err).ToNot(HaveOccurred())

kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
kube.WaitWithDefaultTimeout()
Expect(kube).Should(Exit(0))

logs := podmanTest.Podman([]string{"pod", "logs", "-c", "test-sysctl-alpine", "test-sysctl"})
logs.WaitWithDefaultTimeout()
Expect(logs).Should(Exit(0))
Expect(logs.OutputToString()).To(ContainSubstring("kernel.msgmax = 65535"))
Expect(logs.OutputToString()).To(ContainSubstring("net.core.somaxconn = 65535"))
})

It("podman play kube test with sysctl & host network defined", func() {
SkipIfRootless("Network sysctls are not available for rootless")
err := writeYaml(podWithSysctlHostNetDefined, kubeYaml)
Expect(err).ToNot(HaveOccurred())

kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
kube.WaitWithDefaultTimeout()
Expect(kube).Should(Exit(125))
})
Member


Doesn't this test change the somaxconn value on the host, thus affecting all systems where this was run permanently? Tests should not change host behaviour. AFAIK having such a high value can be abused to create a DOS attack against the machine.
I recommend to use a safer sysctl for this test.

Contributor Author


This testcase is to check the failure. We cannot set sysctl when host network is enabled.

Member


oh wait, right. sorry

})
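Review bot: The host-network case in the second hunk asserts only `Expect(kube).Should(Exit(125))`, so any failure of `play kube` (a missing image, a YAML problem) passes the test even if the sysctl/host-network conflict stopped being detected; it should also pin the error text, e.g. `Expect(kube.ErrorToString()).To(ContainSubstring("<expected host-network sysctl error substring>"))` with the real message substituted. The same applies to the first case, whose `Exit(0)` plus log check does not distinguish "sysctl applied" from "sysctl command printed the host's existing value", so asserting on a value that differs from the host default would make it sharper. The Describe block enclosing both It cases starts outside the hunk.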