api: apply sysctl adjustments

samuelkarp · samuelkarp · commit a4189560f80f · 2025-12-01T12:25:16.000-08:00
Signed-off-by: Samuel Karp &lt;samuelkarp@google.com&gt;
diff --git a/pkg/adaptation/result.go b/pkg/adaptation/result.go
@@ -235,6 +235,9 @@ func (r *result) adjust(rpl *ContainerAdjustment, plugin string) error {
 		if err := r.adjustNamespaces(rpl.Linux.Namespaces, plugin); err != nil {
 			return err
 		}
+		if err := r.adjustSysctl(rpl.Linux.Sysctl, plugin); err != nil {
+			return err
+		}
 	}
 	if err := r.adjustRlimits(rpl.Rlimits, plugin); err != nil {
 		return err
@@ -451,6 +454,41 @@ func (r *result) adjustNamespaces(namespaces []*LinuxNamespace, plugin string) e
 	return nil
 }
 
+func (r *result) adjustSysctl(sysctl map[string]string, plugin string) error {
+	if len(sysctl) == 0 {
+		return nil
+	}
+
+	create, id := r.request.create, r.request.create.Container.Id
+	del := map[string]struct{}{}
+	for k := range sysctl {
+		if key, marked := IsMarkedForRemoval(k); marked {
+			del[key] = struct{}{}
+			delete(sysctl, k)
+		}
+	}
+
+	for k, v := range sysctl {
+		if _, ok := del[k]; ok {
+			r.owners.ClearSysctl(id, k, plugin)
+			delete(create.Container.Linux.Sysctl, k)
+			r.reply.adjust.Linux.Sysctl[MarkForRemoval(k)] = ""
+		}
+		if err := r.owners.ClaimSysctl(id, k, plugin); err != nil {
+			return err
+		}
+		create.Container.Linux.Sysctl[k] = v
+		r.reply.adjust.Linux.Sysctl[k] = v
+		delete(del, k)
+	}
+
+	for k := range del {
+		r.reply.adjust.Annotations[MarkForRemoval(k)] = ""
+	}
+
+	return nil
+}
+
 func (r *result) adjustCDIDevices(devices []*CDIDevice, plugin string) error {
 	if len(devices) == 0 {
 		return nil
diff --git a/pkg/api/adjustment.go b/pkg/api/adjustment.go
@@ -310,6 +310,15 @@ func (a *ContainerAdjustment) SetLinuxSeccompPolicy(seccomp *LinuxSeccomp) {
 	a.Linux.SeccompPolicy = seccomp
 }
 
+// SetLinuxSysctl records setting a sysctl for a container.
+func (a *ContainerAdjustment) SetLinuxSysctl(key, value string) {
+	a.initLinux()
+	if a.Linux.Sysctl == nil {
+		a.Linux.Sysctl = make(map[string]string)
+	}
+	a.Linux.Sysctl[key] = value
+}
+
 //
 // Initializing a container adjustment and container update.
 //
diff --git a/pkg/api/owners.go b/pkg/api/owners.go
@@ -172,6 +172,10 @@ func (o *OwningPlugins) ClaimSeccompPolicy(id, plugin string) error {
 	return o.mustOwnersFor(id).ClaimSeccompPolicy(plugin)
 }
 
+func (o *OwningPlugins) ClaimSysctl(id, key, plugin string) error {
+	return o.mustOwnersFor(id).ClaimSysctl(key, plugin)
+}
+
 func (o *OwningPlugins) ClearAnnotation(id, key, plugin string) {
 	o.mustOwnersFor(id).ClearAnnotation(key, plugin)
 }
@@ -192,6 +196,10 @@ func (o *OwningPlugins) ClearArgs(id, plugin string) {
 	o.mustOwnersFor(id).ClearArgs(plugin)
 }
 
+func (o *OwningPlugins) ClearSysctl(id, key, plugin string) {
+	o.mustOwnersFor(id).ClearSysctl(key, plugin)
+}
+
 func (o *OwningPlugins) AnnotationOwner(id, key string) (string, bool) {
 	return o.ownersFor(id).compoundOwner(Field_Annotations.Key(), key)
 }
@@ -324,6 +332,10 @@ func (o *OwningPlugins) SeccompPolicyOwner(id string) (string, bool) {
 	return o.ownersFor(id).simpleOwner(Field_SeccompPolicy.Key())
 }
 
+func (o *OwningPlugins) SysctlOwner(id, key string) (string, bool) {
+	return o.ownersFor(id).compoundOwner(Field_Sysctl.Key(), key)
+}
+
 func (o *OwningPlugins) mustOwnersFor(id string) *FieldOwners {
 	f, ok := o.Owners[id]
 	if !ok {
@@ -546,6 +558,10 @@ func (f *FieldOwners) ClaimSeccompPolicy(plugin string) error {
 	return f.claimSimple(Field_SeccompPolicy.Key(), plugin)
 }
 
+func (f *FieldOwners) ClaimSysctl(key, plugin string) error {
+	return f.claimCompound(Field_Sysctl.Key(), key, plugin)
+}
+
 func (f *FieldOwners) clearCompound(field int32, key, plugin string) {
 	m, ok := f.Compound[field]
 	if !ok {
@@ -580,6 +596,10 @@ func (f *FieldOwners) ClearArgs(plugin string) {
 	f.clearSimple(Field_Args.Key(), plugin)
 }
 
+func (f *FieldOwners) ClearSysctl(key, plugin string) {
+	f.clearCompound(Field_Sysctl.Key(), key, plugin)
+}
+
 func (f *FieldOwners) Conflict(field int32, plugin, other string, qualifiers ...string) error {
 	return fmt.Errorf("plugins %q and %q both tried to set %s",
 		plugin, other, qualify(field, qualifiers...))
diff --git a/pkg/runtime-tools/generate/generate.go b/pkg/runtime-tools/generate/generate.go
@@ -47,13 +47,15 @@ type UnderlyingGenerator interface {
 	AddLinuxResourcesHugepageLimit(pageSize string, limit uint64)
 	AddLinuxResourcesUnified(key, val string)
 	AddMount(mnt rspec.Mount)
+	AddLinuxSysctl(key, value string)
 	ClearMounts()
 	ClearProcessEnv()
 	Mounts() []rspec.Mount
 	RemoveAnnotation(key string)
 	RemoveDevice(path string)
 	RemoveLinuxNamespace(ns string) error
 	RemoveMount(dest string)
+	RemoveLinuxSysctl(key string)
 	SetProcessArgs(args []string)
 	SetLinuxCgroupsPath(path string)
 	SetLinuxResourcesCPUCpus(cpus string)
@@ -80,6 +82,7 @@ type Generator struct {
 	Config            *rspec.Spec
 	filterLabels      func(map[string]string) (map[string]string, error)
 	filterAnnotations func(map[string]string) (map[string]string, error)
+	filterSysctl      func(map[string]string) (map[string]string, error)
 	resolveBlockIO    func(string) (*rspec.LinuxBlockIO, error)
 	resolveRdt        func(string) (*rspec.LinuxIntelRdt, error)
 	injectCDIDevices  func(*rspec.Spec, []string) error
@@ -94,6 +97,7 @@ func SpecGenerator(gg UnderlyingGenerator, opts ...GeneratorOption) *Generator {
 	}
 	g.filterLabels = nopFilter
 	g.filterAnnotations = nopFilter
+	g.filterSysctl = nopFilter
 	for _, o := range opts {
 		o(g)
 	}
@@ -169,6 +173,9 @@ func (g *Generator) Adjust(adjust *nri.ContainerAdjustment) error {
 	if err := g.AdjustNamespaces(adjust.GetLinux().GetNamespaces()); err != nil {
 		return err
 	}
+	if err := g.AdjustSysctl(adjust.GetLinux().GetSysctl()); err != nil {
+		return err
+	}
 
 	resources := adjust.GetLinux().GetResources()
 	if err := g.AdjustResources(resources); err != nil {
@@ -457,6 +464,24 @@ func (g *Generator) AdjustNamespaces(namespaces []*nri.LinuxNamespace) error {
 	return nil
 }
 
+// AdjustSysctl adds, replaces, or removes the sysctl settings in the OCI Spec.
+func (g *Generator) AdjustSysctl(sysctl map[string]string) error {
+	var err error
+
+	if sysctl, err = g.filterSysctl(sysctl); err != nil {
+		return err
+	}
+	for k, v := range sysctl {
+		if key, marked := nri.IsMarkedForRemoval(k); marked {
+			g.RemoveLinuxSysctl(key)
+		} else {
+			g.AddLinuxSysctl(k, v)
+		}
+	}
+
+	return nil
+}
+
 // AdjustDevices adjusts the (Linux) devices in the OCI Spec.
 func (g *Generator) AdjustDevices(devices []*nri.LinuxDevice) {
 	for _, d := range devices {
diff --git a/pkg/runtime-tools/generate/generate_suite_test.go b/pkg/runtime-tools/generate/generate_suite_test.go
@@ -429,6 +429,34 @@ var _ = Describe("Adjustment", func() {
 		})
 	})
 
+	When("has a sysctl adjustment", func() {
+		It("adjusts Spec correctly", func() {
+			var (
+				spec   = makeSpec()
+				adjust = &api.ContainerAdjustment{
+					Linux: &api.LinuxContainerAdjustment{
+						Sysctl: map[string]string{
+							"net.ipv4.ip_forward":           "1",
+							api.MarkForRemoval("delete.me"): "",
+						},
+					},
+				}
+			)
+			spec.Linux.Sysctl = map[string]string{
+				"delete.me": "foobar",
+			}
+			rg := &rgen.Generator{Config: spec}
+			xg := xgen.SpecGenerator(rg)
+
+			Expect(xg).ToNot(BeNil())
+			Expect(xg.Adjust(adjust)).To(Succeed())
+			Expect(spec.Linux.Sysctl).To(Equal(map[string]string{
+				"net.ipv4.ip_forward": "1",
+			}))
+
+		})
+	})
+
 })
 
 type specOption func(*rspec.Spec)
