Merge pull request #248 from samuelkarp/sysctl

Add support for sysctl adjustment

Author: samuelkarp

pkg/adaptation/result.go

@@ -235,6 +235,9 @@ func (r *result) adjust(rpl *ContainerAdjustment, plugin string) error {
 		if err := r.adjustNamespaces(rpl.Linux.Namespaces, plugin); err != nil {
 			return err
 		}
+		if err := r.adjustSysctl(rpl.Linux.Sysctl, plugin); err != nil {
+			return err
+		}
 	}
 	if err := r.adjustRlimits(rpl.Rlimits, plugin); err != nil {
 		return err
@@ -451,6 +454,41 @@ func (r *result) adjustNamespaces(namespaces []*LinuxNamespace, plugin string) e
 	return nil
 }
 
+func (r *result) adjustSysctl(sysctl map[string]string, plugin string) error {
+	if len(sysctl) == 0 {
+		return nil
+	}
+
+	create, id := r.request.create, r.request.create.Container.Id
+	del := map[string]struct{}{}
+	for k := range sysctl {
+		if key, marked := IsMarkedForRemoval(k); marked {
+			del[key] = struct{}{}
+			delete(sysctl, k)
+		}
+	}
+
+	for k, v := range sysctl {
+		if _, ok := del[k]; ok {
+			r.owners.ClearSysctl(id, k, plugin)
+			delete(create.Container.Linux.Sysctl, k)
+			r.reply.adjust.Linux.Sysctl[MarkForRemoval(k)] = ""
+		}
+		if err := r.owners.ClaimSysctl(id, k, plugin); err != nil {
+			return err
+		}
+		create.Container.Linux.Sysctl[k] = v
+		r.reply.adjust.Linux.Sysctl[k] = v
+		delete(del, k)
+	}
+
+	for k := range del {
+		r.reply.adjust.Annotations[MarkForRemoval(k)] = ""
+	}
+
+	return nil
+}
+
 func (r *result) adjustCDIDevices(devices []*CDIDevice, plugin string) error {
 	if len(devices) == 0 {
 		return nil

pkg/api/adjustment.go

@@ -310,6 +310,15 @@ func (a *ContainerAdjustment) SetLinuxSeccompPolicy(seccomp *LinuxSeccomp) {
 	a.Linux.SeccompPolicy = seccomp
 }
 
+// SetLinuxSysctl records setting a sysctl for a container.
+func (a *ContainerAdjustment) SetLinuxSysctl(key, value string) {
+	a.initLinux()
+	if a.Linux.Sysctl == nil {
+		a.Linux.Sysctl = make(map[string]string)
+	}
+	a.Linux.Sysctl[key] = value
+}
+
 //
 // Initializing a container adjustment and container update.
 //

pkg/api/api.pb.go

@@ -377,6 +377,7 @@ message LinuxContainer {
   LinuxIOPriority io_priority = 6;
   SecurityProfile seccomp_profile = 7;
   LinuxSeccomp seccomp_policy = 8;
+  map<string, string> sysctl = 9;
 }
 
 // A linux namespace.
@@ -516,6 +517,7 @@ message LinuxContainerAdjustment {
   LinuxIOPriority io_priority = 5;
   LinuxSeccomp seccomp_policy = 6;
   repeated LinuxNamespace namespaces = 7;
+  map<string, string> sysctl = 8;
 }
 
 message LinuxSeccomp {
@@ -673,4 +675,5 @@ enum Field {
     IoPriority = 31;
     SeccompPolicy = 32;
     Namespace = 33;
+    Sysctl = 34;
 }