diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go
index 4b75a128acd..b18d45239e6 100644
--- a/server/sandbox_run_linux.go
+++ b/server/sandbox_run_linux.go
@@ -1018,7 +1018,7 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g *generate.G
 for _, sysctl := range defaultSysctls {
 if err := sysctl.Validate(hostNetwork, hostIPC); err != nil {
- log.Warnf(ctx, "Skipping invalid sysctl %s: %v", sysctl, err)
+ log.Warnf(ctx, "Skipping invalid sysctl specified by config %s: %v", sysctl, err)
 continue
 }
 g.AddLinuxSysctl(sysctl.Key(), sysctl.Value())
@@ -1028,6 +1028,11 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g *generate.G
 // extract linux sysctls from annotations and pass down to oci runtime
 // Will override any duplicate default systcl from crio.conf
 for key, value := range sysctls {
+ sysctl := libconfig.NewSysctl(key, value)
+ if err := sysctl.Validate(hostNetwork, hostIPC); err != nil {
+ log.Warnf(ctx, "Skipping invalid sysctl specified over CRI %s: %v", sysctl, err)
+ continue
+ }
 g.AddLinuxSysctl(key, value)
 sysctlsToReturn[key] = value
 }
diff --git a/test/pod.bats b/test/pod.bats
index 3bb1bf3a0a1..bc22dc551e0 100644
--- a/test/pod.bats
+++ b/test/pod.bats
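Review bot: The new Validate check in the `for key, value := range sysctls` loop downgrades a CRI-requested sysctl that fails validation to a warning plus `continue`, so the sandbox is created successfully while a setting the caller explicitly asked for is dropped with nothing but a log line to show for it. Mirroring the warn-and-skip path of the default-sysctl loop above keeps the two paths consistent, and leaving the key out of `sysctlsToReturn` is right, but the stale comment `// extract linux sysctls from annotations and pass down to oci runtime` should now state the policy, e.g. `// Sysctls rejected by Validate (including ones that would target the host network or IPC namespace when hostNetwork/hostIPC is set) are logged and not applied, mirroring the default-sysctl handling above.` If the kubelet is relied on to reject such pods at admission, that is worth stating in the same comment, because this check is then the runtime's last line of defence against a sandbox changing host kernel parameters. configureGeneratorForSysctls begins and ends outside the hunk.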
@@ -156,6 +156,39 @@ function teardown() {
 [[ "$output" == *"net.ipv4.ip_forward = 1"* ]]
 }
 
+@test "skip pod sysctls to runtime if host" {
+ if test -n "$CONTAINER_UID_MAPPINGS"; then
+ skip "userNS enabled"
+ fi
+ CONTAINER_DEFAULT_SYSCTLS="net.ipv4.ip_forward=0" start_crio
+
+ jq ' .linux.security_context.namespace_options = {
+ network: 2,
+ ipc: 2
+ } |
+ .linux.sysctls = {
+ "kernel.shm_rmid_forced": "1",
+ "net.ipv4.ip_local_port_range": "2048 65000",
+ "kernel.msgmax": "16384"
+ }' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json
+
+ pod_id=$(crictl runp "$TESTDIR"/sandbox.json)
+ ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox.json)
+ crictl start "$ctr_id"
+
+ output=$(crictl exec --sync "$ctr_id" sysctl kernel.shm_rmid_forced)
+ [[ "$output" != *"kernel.shm_rmid_forced = 1"* ]]
+
+ output=$(crictl exec --sync "$ctr_id" sysctl kernel.msgmax)
+ [[ "$output" != *"kernel.msgmax = 16384"* ]]
+
+ output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_local_port_range)
+ [[ "$output" != *"net.ipv4.ip_local_port_range = 2048 65000"* ]]
+
+ output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_forward)
+ [[ "$output" != *"net.ipv4.ip_forward = 0"* ]]
+}
+
 @test "pod stop idempotent" {
 start_crio
 pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
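Review bot: Every assertion in the new "skip pod sysctls to runtime if host" test is a negative match (`!=`), which also passes when `crictl exec --sync` fails or prints nothing (for example if the redis image has no `sysctl` binary), so the test cannot tell "sysctl was skipped" from "exec is broken" and the exit status of the `$(...)` substitution is discarded. Each check should first pin that the key was actually read, e.g. `[[ "$output" == *"kernel.shm_rmid_forced = "* ]]` before the `!=` line, and likewise for the other three keys. The last check, `[[ "$output" != *"net.ipv4.ip_forward = 0"* ]]`, additionally depends on host state: with hostNetwork the container reports the host's `ip_forward`, and a host where it is 0 makes the test fail even though CRI-O correctly skipped the sysctl, so that assertion should compare against the value read from the host before the pod is started rather than against a constant.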