diff options
| -rw-r--r-- | cmd/podman/common/create.go | 19 | ||||
| -rw-r--r-- | docs/source/markdown/podman-pod-create.1.md | 22 | ||||
| -rw-r--r-- | pkg/domain/entities/pods.go | 12 | ||||
| -rw-r--r-- | pkg/specgen/podspecgen.go | 2 | ||||
| -rw-r--r-- | test/e2e/pod_create_test.go | 39 |
5 files changed, 84 insertions, 10 deletions
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index b60169990..e95e447e1 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -563,15 +563,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, ) _ = cmd.RegisterFlagCompletionFunc(stopTimeoutFlagName, completion.AutocompleteNone) - sysctlFlagName := "sysctl" - createFlags.StringSliceVar( - &cf.Sysctl, - sysctlFlagName, []string{}, - "Sysctl options", - ) - //TODO: Add function for sysctl completion. - _ = cmd.RegisterFlagCompletionFunc(sysctlFlagName, completion.AutocompleteNone) - systemdFlagName := "systemd" createFlags.StringVar( &cf.Systemd, @@ -712,6 +703,16 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, `If a container with the same name exists, replace it`, ) } + + sysctlFlagName := "sysctl" + createFlags.StringSliceVar( + &cf.Sysctl, + sysctlFlagName, []string{}, + "Sysctl options", + ) + //TODO: Add function for sysctl completion. + _ = cmd.RegisterFlagCompletionFunc(sysctlFlagName, completion.AutocompleteNone) + securityOptFlagName := "security-opt" createFlags.StringArrayVar( &cf.SecurityOpt, diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index b2e16e051..c9255d37f 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md @@ -276,6 +276,28 @@ podman generates a UUID for each pod, and if a name is not assigned to the container with **--name** then a random string name will be generated for it. The name is useful any place you need to identify a pod. +#### **--sysctl**=_name_=_value_ + +Configure namespace kernel parameters for all containers in the pod. + +For the IPC namespace, the following sysctls are allowed: + +- kernel.msgmax +- kernel.msgmnb +- kernel.msgmni +- kernel.sem +- kernel.shmall +- kernel.shmmax +- kernel.shmmni +- kernel.shm_rmid_forced +- Sysctls beginning with fs.mqueue.\* + +Note: if the ipc namespace is not shared within the pod, these sysctls are not allowed. + +For the network namespace, only sysctls beginning with net.\* are allowed. + +Note: if the network namespace is not shared within the pod, these sysctls are not allowed. + #### **--userns**=*mode* Set the user namespace mode for all the containers in a pod. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled. diff --git a/pkg/domain/entities/pods.go b/pkg/domain/entities/pods.go index 1b5a1be51..cc9476d79 100644 --- a/pkg/domain/entities/pods.go +++ b/pkg/domain/entities/pods.go @@ -139,6 +139,7 @@ type PodCreateOptions struct { Volume []string `json:"volume,omitempty"` VolumesFrom []string `json:"volumes_from,omitempty"` SecurityOpt []string `json:"security_opt,omitempty"` + Sysctl []string `json:"sysctl,omitempty"` } // PodLogsOptions describes the options to extract pod logs. @@ -240,7 +241,7 @@ type ContainerCreateOptions struct { StorageOpts []string SubUIDName string SubGIDName string - Sysctl []string + Sysctl []string `json:"sysctl,omitempty"` Systemd string Timeout uint TLSVerify commonFlag.OptionalBool @@ -360,6 +361,15 @@ func ToPodSpecGen(s specgen.PodSpecGenerator, p *PodCreateOptions) (*specgen.Pod } } s.Userns = p.Userns + sysctl := map[string]string{} + if ctl := p.Sysctl; len(ctl) > 0 { + sysctl, err = util.ValidateSysctls(ctl) + if err != nil { + return nil, err + } + } + s.Sysctl = sysctl + return &s, nil } diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go index 33e8422fd..a18364882 100644 --- a/pkg/specgen/podspecgen.go +++ b/pkg/specgen/podspecgen.go @@ -74,6 +74,8 @@ type PodBasicConfig struct { Userns Namespace `json:"userns,omitempty"` // Devices contains user specified Devices to be added to the Pod Devices []string `json:"pod_devices,omitempty"` + // Sysctl sets kernel parameters for the pod + Sysctl map[string]string `json:"sysctl,omitempty"` } // PodNetworkConfig contains networking configuration for a pod. diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go index fab107af8..623377ea1 100644 --- a/test/e2e/pod_create_test.go +++ b/test/e2e/pod_create_test.go @@ -1029,4 +1029,43 @@ ENTRYPOINT ["sleep","99999"] Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile)) }) + + It("podman pod create --sysctl test", func() { + SkipIfRootless("Network sysctls are not available root rootless") + podCreate := podmanTest.Podman([]string{"pod", "create", "--sysctl", "net.core.somaxconn=65535"}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + session := podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "net.core.somaxconn"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(ContainSubstring("net.core.somaxconn = 65535")) + + // if not sharing the net NS, nothing should fail, but the sysctl should not be passed + podCreate = podmanTest.Podman([]string{"pod", "create", "--share", "pid", "--sysctl", "net.core.somaxconn=65535"}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + session = podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "net.core.somaxconn"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).NotTo(ContainSubstring("net.core.somaxconn = 65535")) + + // one other misc option + podCreate = podmanTest.Podman([]string{"pod", "create", "--sysctl", "kernel.msgmax=65535"}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + session = podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "kernel.msgmax"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(ContainSubstring("kernel.msgmax = 65535")) + + podCreate = podmanTest.Podman([]string{"pod", "create", "--share", "pid", "--sysctl", "kernel.msgmax=65535"}) + podCreate.WaitWithDefaultTimeout() + Expect(podCreate).Should(Exit(0)) + session = podmanTest.Podman([]string{"run", "--pod", podCreate.OutputToString(), "--rm", ALPINE, "sysctl", "kernel.msgmax"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).NotTo(ContainSubstring("kernel.msgmax = 65535")) + + }) + }) |