feature: sysctl configuration for both cri manager and container manager

Signed-off-by: YaoZengzeng <[email protected]>
AliyunContainerService · Jan 29, 2018 · 479687c · 479687c
1 parent 600275e
commit 479687c
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 1 deletion.
diff --git a/cli/container.go b/cli/container.go
@@ -34,6 +34,7 @@ type container struct {
 	ipcMode          string
 	pidMode          string
 	utsMode          string
+	sysctls			 []string
 }
 
 func (c *container) config() (*types.ContainerCreateConfig, error) {
@@ -66,6 +67,11 @@ func (c *container) config() (*types.ContainerCreateConfig, error) {
 		return nil, err
 	}
 
+	sysctls, err := parseSysctls(c.sysctls)
+	if err != nil {
+		return nil, err
+	}
+
 	config := &types.ContainerCreateConfig{
 		ContainerConfig: types.ContainerConfig{
 			Tty:        c.tty,
@@ -93,12 +99,26 @@ func (c *container) config() (*types.ContainerCreateConfig, error) {
 			IpcMode:       c.ipcMode,
 			PidMode:       c.pidMode,
 			UTSMode:       c.utsMode,
+			Sysctls:	   sysctls,
 		},
 	}
 
 	return config, nil
 }
 
+func parseSysctls(sysctls []string) (map[string]string, error) {
+	results := make(map[string]string)
+	for _, sysctl := range sysctls {
+		fields := strings.SplitN(sysctl, "=", 2)
+		if len(fields) != 2 {
+			return nil, fmt.Errorf("invalid sysctl: %s", sysctl)
+		}
+		k, v := fields[0], fields[1]
+		results[k] = v
+	}
+	return results, nil
+}
+
 func parseLabels(labels []string) (map[string]string, error) {
 	results := make(map[string]string)
 	for _, label := range labels {

diff --git a/cli/create.go b/cli/create.go
@@ -61,6 +61,7 @@ func (cc *CreateCommand) addFlags() {
 	flagSet.StringVar(&cc.ipcMode, "ipc", "", "IPC namespace to use")
 	flagSet.StringVar(&cc.pidMode, "pid", "", "PID namespace to use")
 	flagSet.StringVar(&cc.utsMode, "uts", "", "UTS namespace to use")
+	flagSet.StringSliceVar(&cc.sysctls, "sysctl", nil, "Sysctl options")
 }
 
 // runCreate is the entry of create command.

diff --git a/cli/run.go b/cli/run.go
@@ -70,6 +70,7 @@ func (rc *RunCommand) addFlags() {
 	flagSet.StringVar(&rc.ipcMode, "ipc", "", "IPC namespace to use")
 	flagSet.StringVar(&rc.pidMode, "pid", "", "PID namespace to use")
 	flagSet.StringVar(&rc.utsMode, "uts", "", "UTS namespace to use")
+	flagSet.StringSliceVar(&rc.sysctls, "sysctl", nil, "Sysctl options")
 }
 
 // runRun is the entry of run command.

diff --git a/daemon/mgr/cri_utils.go b/daemon/mgr/cri_utils.go
@@ -130,6 +130,17 @@ func parseSandboxName(name string) (*runtime.PodSandboxMetadata, error) {
 	}, nil
 }
 
+// applySandboxLinuxOptions applies LinuxPodSandboxConfig to pouch's HostConfig and ContainerCreateConfig.
+func applySandboxLinuxOptions(hc *apitypes.HostConfig, lc *runtime.LinuxPodSandboxConfig, createConfig *apitypes.ContainerCreateConfig, image string) error {
+	if lc == nil {
+		return nil
+	}
+
+	// Set sysctls.
+	hc.Sysctls = lc.Sysctls
+	return nil
+}
+
 // makeSandboxPouchConfig returns apitypes.ContainerCreateConfig based on runtimeapi.PodSandboxConfig.
 func makeSandboxPouchConfig(config *runtime.PodSandboxConfig, image string) (*apitypes.ContainerCreateConfig, error) {
 	// Merge annotations and labels because pouch supports only labels.
@@ -148,6 +159,12 @@ func makeSandboxPouchConfig(config *runtime.PodSandboxConfig, image string) (*ap
 		NetworkingConfig: &apitypes.NetworkingConfig{},
 	}
 
+	// Apply linux-specific options.
+	err := applySandboxLinuxOptions(hc, config.GetLinux(), createConfig, image)
+	if err != nil {
+		return nil, err
+	}
+
 	return createConfig, nil
 }
 

diff --git a/daemon/mgr/spec.go b/daemon/mgr/spec.go
@@ -49,6 +49,9 @@ var setupFunc = []SetupFunc{
 
 	// host device spec
 	setupDevices,
+
+	// linux-platform-specifc spec
+	setupSysctl,
 }
 
 // Register is used to registe spec setup function.

diff --git a/daemon/mgr/spec_linux.go b/daemon/mgr/spec_linux.go
@@ -0,0 +1,12 @@
+package mgr
+
+import (
+	"context"
+)
+
+// Setup linux-platform-sepecific specification.
+
+func setupSysctl(ctx context.Context, meta *ContainerMeta, spec *SpecWrapper) error {
+	spec.s.Linux.Sysctl = meta.HostConfig.Sysctls
+	return nil
+}
diff --git a/hack/cri-test/test-cri.sh b/hack/cri-test/test-cri.sh
@@ -23,7 +23,7 @@ POUCH_SOCK="/var/run/pouchcri.sock"
 
 # CRI_FOCUS focuses the test to run.
 # With the CRI manager completes its function, we may need to expand this field.
-CRI_FOCUS=${CRI_FOCUS:-"basic operations on PodSandbox|basic operations on container|runtime info"}
+CRI_FOCUS=${CRI_FOCUS:-"PodSandbox|basic operations on container|Runtime info"}
 
 # CRI_SKIP skips the test to skip.
 CRI_SKIP=${CRI_SKIP:-""}

diff --git a/test/cli_create_test.go b/test/cli_create_test.go
@@ -118,6 +118,27 @@ func (suite *PouchCreateSuite) TestCreateWithLabels(c *check.C) {
 	}
 }
 
+// TestCreateWithSysctls tries to test create a container with sysctls.
+func (suite *PouchCreateSuite) TestCreateWithSysctls(c *check.C) {
+	sysctl := "net.ipv4.ip_forward=1"
+	name := "create-sysctl"
+
+	res := command.PouchRun("create", "--name", name, "--sysctl", sysctl, busyboxImage)
+	res.Assert(c, icmd.Success)
+
+	output := command.PouchRun("inspect", name).Stdout()
+
+	result := &types.ContainerJSON{}
+	if err := json.Unmarshal([]byte(output), result); err != nil {
+		c.Errorf("failed to decode inspect output: %v", err)
+	}
+	c.Assert(result.HostConfig.Sysctls, check.NotNil)
+
+	if result.HostConfig.Sysctls["net.ipv4.ip_forward"] != "1" {
+		c.Errorf("failed to set sysctl: %s", sysctl)
+	}
+}
+
 // TestCreateEnableLxcfs tries to test create a container with lxcfs.
 func (suite *PouchCreateSuite) TestCreateEnableLxcfs(c *check.C) {
 	name := "create-lxcfs"