diff --git a/pkg/config/sysctl.go b/pkg/config/sysctl.go index cfb7a013746..662b64479f7 100644 --- a/pkg/config/sysctl.go +++ b/pkg/config/sysctl.go @@ -6,6 +6,10 @@ import ( "github.com/pkg/errors" ) +func NewSysctl(key, value string) *Sysctl { + return &Sysctl{key, value} +} + // Sysctl is a generic abstraction over key value based sysctls type Sysctl struct { key, value string diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go index c7a1df7a280..70e6494fda7 100644 --- a/server/sandbox_run_linux.go +++ b/server/sandbox_run_linux.go @@ -1080,7 +1080,7 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g generate.Ge for _, sysctl := range defaultSysctls { if err := sysctl.Validate(hostNetwork, hostIPC); err != nil { - log.Warnf(ctx, "skipping invalid sysctl %s: %v", sysctl, err) + log.Warnf(ctx, "Skipping invalid sysctl specified by config %s: %v", sysctl, err) continue } g.AddLinuxSysctl(sysctl.Key(), sysctl.Value()) @@ -1090,6 +1090,11 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g generate.Ge // extract linux sysctls from annotations and pass down to oci runtime // Will override any duplicate default systcl from crio.conf for key, value := range sysctls { + sysctl := libconfig.NewSysctl(key, value) + if err := sysctl.Validate(hostNetwork, hostIPC); err != nil { + log.Warnf(ctx, "Skipping invalid sysctl specified over CRI %s: %v", sysctl, err) + continue + } g.AddLinuxSysctl(key, value) sysctlsToReturn[key] = value } diff --git a/test/pod.bats b/test/pod.bats index 3bb1bf3a0a1..bc22dc551e0 100644 --- a/test/pod.bats +++ b/test/pod.bats @@ -156,6 +156,39 @@ function teardown() { [[ "$output" == *"net.ipv4.ip_forward = 1"* ]] } +@test "skip pod sysctls to runtime if host" { + if test -n "$CONTAINER_UID_MAPPINGS"; then + skip "userNS enabled" + fi + CONTAINER_DEFAULT_SYSCTLS="net.ipv4.ip_forward=0" start_crio + + jq ' .linux.security_context.namespace_options = { + network: 2, + ipc: 2 + } | + .linux.sysctls = { + "kernel.shm_rmid_forced": "1", + "net.ipv4.ip_local_port_range": "2048 65000", + "kernel.msgmax": "16384" + }' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json + + pod_id=$(crictl runp "$TESTDIR"/sandbox.json) + ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox.json) + crictl start "$ctr_id" + + output=$(crictl exec --sync "$ctr_id" sysctl kernel.shm_rmid_forced) + [[ "$output" != *"kernel.shm_rmid_forced = 1"* ]] + + output=$(crictl exec --sync "$ctr_id" sysctl kernel.msgmax) + [[ "$output" != *"kernel.msgmax = 16384"* ]] + + output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_local_port_range) + [[ "$output" != *"net.ipv4.ip_local_port_range = 2048 65000"* ]] + + output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_forward) + [[ "$output" != *"net.ipv4.ip_forward = 0"* ]] +} + @test "pod stop idempotent" { start_crio pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)