Merge pull request #5703 from openshift-cherrypick-robot/cherry-pick-…

…5686-to-release-1.19 [release-1.19] server: filter sysctls passed through CRI if host namespace
cri-o · Mar 4, 2022 · 2034546 · 2034546
2 parents 8d03c40 + c462bd6
commit 2034546
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 1 deletion.
diff --git a/pkg/config/sysctl.go b/pkg/config/sysctl.go
@@ -6,6 +6,10 @@ import (
 	"github.com/pkg/errors"
 )
 
+func NewSysctl(key, value string) *Sysctl {
+	return &Sysctl{key, value}
+}
+
 // Sysctl is a generic abstraction over key value based sysctls
 type Sysctl struct {
 	key, value string

diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go
@@ -729,7 +729,7 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g generate.Ge
 
 	for _, sysctl := range defaultSysctls {
 		if err := sysctl.Validate(hostNetwork, hostIPC); err != nil {
-			log.Warnf(ctx, "skipping invalid sysctl %s: %v", sysctl, err)
+			log.Warnf(ctx, "Skipping invalid sysctl specified by config %s: %v", sysctl, err)
 			continue
 		}
 		g.AddLinuxSysctl(sysctl.Key(), sysctl.Value())
@@ -739,6 +739,11 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g generate.Ge
 	// extract linux sysctls from annotations and pass down to oci runtime
 	// Will override any duplicate default systcl from crio.conf
 	for key, value := range sysctls {
+		sysctl := libconfig.NewSysctl(key, value)
+		if err := sysctl.Validate(hostNetwork, hostIPC); err != nil {
+			log.Warnf(ctx, "Skipping invalid sysctl specified over CRI %s: %v", sysctl, err)
+			continue
+		}
 		g.AddLinuxSysctl(key, value)
 		sysctlsToReturn[key] = value
 	}

diff --git a/test/pod.bats b/test/pod.bats
@@ -231,6 +231,39 @@ function teardown() {
 	[[ "$output" == *"net.ipv4.ip_forward = 1"* ]]
 }
 
+@test "skip pod sysctls to runtime if host" {
+	if test -n "$CONTAINER_UID_MAPPINGS"; then
+		skip "userNS enabled"
+	fi
+	CONTAINER_DEFAULT_SYSCTLS="net.ipv4.ip_forward=0" start_crio
+
+	jq '  .linux.security_context.namespace_options = {
+			network: 2,
+			ipc: 2
+		} |
+		  .linux.sysctls = {
+			"kernel.shm_rmid_forced": "1",
+			"net.ipv4.ip_local_port_range": "2048 65000",
+			"kernel.msgmax": "16384"
+		}' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json
+
+	pod_id=$(crictl runp "$TESTDIR"/sandbox.json)
+	ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox.json)
+	crictl start "$ctr_id"
+
+	output=$(crictl exec --sync "$ctr_id" sysctl kernel.shm_rmid_forced)
+	[[ "$output" != *"kernel.shm_rmid_forced = 1"* ]]
+
+	output=$(crictl exec --sync "$ctr_id" sysctl kernel.msgmax)
+	[[ "$output" != *"kernel.msgmax = 16384"* ]]
+
+	output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_local_port_range)
+	[[ "$output" != *"net.ipv4.ip_local_port_range = 2048	65000"* ]]
+
+	output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_forward)
+	[[ "$output" != *"net.ipv4.ip_forward = 0"* ]]
+}
+
 @test "pod stop idempotent" {
 	start_crio
 	run crictl runp "$TESTDATA"/sandbox_config.json