Stop using DefaultNetworkSysctl and use containers.conf only

Also mark uses of DefaultCapabilities as Deprecated. Fixes: containers#5155 Signed-off-by: Daniel J Walsh <[email protected]>
TomSweeneyRedHat · Nov 13, 2023 · 8df9b76 · 8df9b76
1 parent 7a06e68
commit 8df9b76
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 25 deletions.
diff --git a/define/types.go b/define/types.go
@@ -58,8 +58,8 @@ const (
 type TeeType string
 
 var (
-	// DefaultCapabilities is the list of capabilities which we grant by
-	// default to containers which are running under UID 0.
+	// Deprecated: DefaultCapabilities values should be retrieved from
+	// github.com/containers/common/pkg/config
 	DefaultCapabilities = []string{
 		"CAP_AUDIT_WRITE",
 		"CAP_CHOWN",
@@ -75,8 +75,8 @@ var (
 		"CAP_SETUID",
 		"CAP_SYS_CHROOT",
 	}
-	// DefaultNetworkSysctl is the list of Kernel parameters which we
-	// grant by default to containers which are running under UID 0.
+	// Deprecated: DefaultNetworkSysctl values should be retrieved from
+	// github.com/containers/common/pkg/config
 	DefaultNetworkSysctl = map[string]string{
 		"net.ipv4.ping_group_range": "0 0",
 	}

diff --git a/run_linux.go b/run_linux.go
@@ -773,20 +773,6 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
 		if err := addSysctl([]string{"net"}); err != nil {
 			return false, "", false, err
 		}
-		for name, val := range define.DefaultNetworkSysctl {
-			// Check that the sysctl we are adding is actually supported
-			// by the kernel
-			p := filepath.Join("/proc/sys", strings.Replace(name, ".", "/", -1))
-			_, err := os.Stat(p)
-			if err != nil && !errors.Is(err, os.ErrNotExist) {
-				return false, "", false, err
-			}
-			if err == nil {
-				g.AddLinuxSysctl(name, val)
-			} else {
-				logger.Warnf("ignoring sysctl %s since %s doesn't exist", name, p)
-			}
-		}
 	}
 	return configureNetwork, networkString, configureUTS, nil
 }

diff --git a/tests/containers_conf.bats b/tests/containers_conf.bats
@@ -115,15 +115,26 @@ EOF
     cat >${TEST_SCRATCH_DIR}/containers.conf << EOF
 [containers]
 default_sysctls = [
-  "net.ipv4.ping_group_range=0 0",
   "net.ipv4.tcp_timestamps=123"
 ]
 EOF
     _prefetch alpine
     cat >${TEST_SCRATCH_DIR}/Containerfile << _EOF
 FROM alpine
 RUN echo -n "timestamp="; cat /proc/sys/net/ipv4/tcp_timestamps
+RUN echo -n "ping_group_range="; cat /proc/sys/net/ipv4/ping_group_range
 _EOF
+
+    run_buildah build ${TEST_SCRATCH_DIR}
+    expect_output --substring "timestamp=1"
+    expect_output --substring "ping_group_range=0.*0"
+
     CONTAINERS_CONF=${TEST_SCRATCH_DIR}/containers.conf run_buildah build ${TEST_SCRATCH_DIR}
     expect_output --substring "timestamp=123"
+    if is_rootless ; then
+       expect_output --substring "ping_group_range=65534.*65534"
+    else
+       expect_output --substring "ping_group_range=1.*0"
+    fi
+
 }
diff --git a/util/types.go b/util/types.go
@@ -10,11 +10,11 @@ const (
 )
 
 var (
-	// DefaultCapabilities is the list of capabilities which we grant by
-	// default to containers which are running under UID 0.
-	DefaultCapabilities = define.DefaultCapabilities
+	// Deprecated: DefaultCapabilities values should be retrieved from
+	// github.com/containers/common/pkg/config
+	DefaultCapabilities = define.DefaultCapabilities //nolint
 
-	// DefaultNetworkSysctl is the list of Kernel parameters which we
-	// grant by default to containers which are running under UID 0.
-	DefaultNetworkSysctl = define.DefaultNetworkSysctl
+	// Deprecated: DefaultNetworkSysctl values should be retrieved from
+	// github.com/containers/common/pkg/config
+	DefaultNetworkSysctl = define.DefaultNetworkSysctl //nolint
 )