Skip to content

Add support for sysctl adjustment #248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
samuelkarp merged 3 commits into from
Dec 2, 2025
Merged

Add support for sysctl adjustment #248

samuelkarp merged 3 commits into from
Dec 2, 2025

Conversation

@samuelkarp
Copy link
Member

@samuelkarp samuelkarp commented Dec 1, 2025

Testing: unit tests including in the default validator. I have not yet built a new containerd binary with these changes and built a plugin to set sysctls. Let me know if you want to see that before merging.

Another note: right now the default validator configuration is RejectSysctlAdjustment and off by default, so either we can change that to a positive "AllowSysctlAdjustment" or we can turn it on by default in containerd when we integrate this change.

@samuelkarp
api: add sysctl container adjustment
8705f9b 
Signed-off-by: Samuel Karp <samuelkarp@google.com>
@samuelkarp
api: apply sysctl adjustments
a418956 
Signed-off-by: Samuel Karp <samuelkarp@google.com>
@samuelkarp
default-validator: restrict sysctl adjustment
914fbf3 
Signed-off-by: Samuel Karp <samuelkarp@google.com>
@klihub
Copy link
Member

klihub commented Dec 2, 2025

Testing: unit tests including in the default validator. I have not yet built a new containerd binary with these changes and built a plugin to set sysctls. Let me know if you want to see that before merging.

This looks straightforward enough to not warrant insisting on that. Then again, before a new NRI version gets eventually tagged with this included, we need to test this with the runtimes and make sure it works.

Another note: right now the default validator configuration is RejectSysctlAdjustment and off by default, so either we can change that to a positive "AllowSysctlAdjustment" or we can turn it on by default in containerd when we integrate this change.

I think the current naming and semantics ('enabled by default via a reject-setting defaulting to false') is in line with how the other similar validator settings are configured. So unless there is some other reason for it, I don't think it'd need to be flipped the other way around.

klihub
klihub approved these changes Dec 2, 2025
View reviewed changes
Copy link
Member

@klihub klihub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@samuelkarp samuelkarp merged commit 96f0f20 into containerd:main Dec 2, 2025
16 checks passed
@y-ykcir y-ykcir mentioned this pull request Dec 18, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@klihub klihub klihub approved these changes

@chrishenzie chrishenzie chrishenzie approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@samuelkarp @klihub @chrishenzie