Sysctl

A tiny utility for setting privileged sysctls from a container.

Usage

sysctl accepts an arbitrary number of arguments, each in the form: [pattern]=[value], where [pattern] can either be an absolute sysctl name, or a glob-like pattern to match multiple sysctls, and [value] is an acceptable value to set the sysctl to.

Examples

Explicitly set IPv4 and IPv6 forwarding to be on:

> sysctl net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
Set net.ipv4.conf.all.forwarding to "1"
Set net.ipv6.conf.all.forwarding to "1"

Set forwarding on IPv4 and IPv6 via a glob pattern (this is the same as the example above):

> sysctl net.*.conf.all.forwarding=1
Set net.ipv4.conf.all.forwarding to "1"
Set net.ipv6.conf.all.forwarding to "1"

Set optimistic_dad only on interfaces whose name starts with "eth":

> sysctl net.ipv6.conf.eth*.optimistic_dad=1
Set net.ipv6.conf.eth0.optimistic_dad to "1"
Set net.ipv6.conf.eth1.optimistic_dad to "1"

Mix and match between patterns and globs:

> sysctl net.ipv6.conf.all.forwarding=1 net.ipv6.conf.eth*.optimistic_dad=1
Set net.ipv6.conf.all.forwarding to "1"
Set net.ipv6.conf.eth0.optimistic_dad to "1"
Set net.ipv6.conf.eth1.optimistic_dad to "1"
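The argument handling described above, reproduced as an added example that is not the project's own code: each argument is split at the first "=", the pattern is expanded against the set of known sysctl names with a minimal "*"-only glob matcher, and a pattern that matches nothing is rejected rather than silently ignored. The list of sysctl names is constructed inline to stand in for a walk of /proc/sys.

```rust
// Constructed sample of sysctl names standing in for a walk of /proc/sys.
const SAMPLE_SYSCTLS: &[&str] = &[
    "net.ipv4.conf.all.forwarding",
    "net.ipv6.conf.all.forwarding",
    "net.ipv6.conf.eth0.optimistic_dad",
    "net.ipv6.conf.eth1.optimistic_dad",
    "net.ipv6.conf.lo.optimistic_dad",
];

/// Split `pattern=value` at the first '=' so values containing '=' survive intact.
fn parse_arg(arg: &str) -> Option<(&str, &str)> {
    let (pattern, value) = arg.split_once('=')?;
    (!pattern.is_empty() && !value.is_empty()).then_some((pattern, value))
}

/// Minimal glob: '*' matches any run of characters (possibly empty); all else is literal.
fn glob_match(pattern: &str, name: &str) -> bool {
    let Some((prefix, rest)) = pattern.split_once('*') else { return pattern == name };
    let Some(tail) = name.strip_prefix(prefix) else { return false };
    // Let the wildcard consume every possible prefix of the remaining name.
    tail.char_indices().map(|(i, _)| i).chain(std::iter::once(tail.len()))
        .any(|i| glob_match(rest, &tail[i..]))
}

/// Expand arguments into concrete (name, value) pairs. A pattern matching nothing
/// is an error, so a typo cannot leave a required sysctl unset without notice.
fn expand(args: &[&str], known: &[&str]) -> Result<Vec<(String, String)>, String> {
    let mut out = Vec::new();
    for arg in args {
        let (pattern, value) = parse_arg(arg).ok_or(format!("bad argument: {arg}"))?;
        let matched: Vec<&str> = known.iter().copied().filter(|n| glob_match(pattern, n)).collect();
        if matched.is_empty() {
            return Err(format!("no sysctl matches {pattern}"));
        }
        out.extend(matched.into_iter().map(|n| (n.to_string(), value.to_string())));
    }
    Ok(out)
}

/// A sysctl name maps onto /proc/sys by turning dots into path separators
/// (interface names that themselves contain '.' need the '/' form; not handled here).
fn proc_path(name: &str) -> String {
    format!("/proc/sys/{}", name.replace('.', "/"))
}

fn main() {
    let args = ["net.ipv6.conf.all.forwarding=1", "net.ipv6.conf.eth*.optimistic_dad=1"];
    match expand(&args, SAMPLE_SYSCTLS) {
        // The real tool would write `value` into the file at `proc_path(&name)` here.
        Ok(pairs) => pairs.iter().for_each(|(n, v)| println!("Set {n} to \"{v}\" ({})", proc_path(n))),
        Err(e) => eprintln!("error: {e}"),
    }
}
```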

Container Usage

This container is designed to be used as an init container alongside other containers in a Kubernetes Pod. It is used when a pod requires certain kernel sysctls to be set.

Kubernetes prevents containers from setting sysctls unless they run as privileged. Granting this to the application containers themselves represents an enormous and unnecessary privilege escalation for the entirety of their runtime. Moving the job of setting sysctls to this tiny container reduces the scope of code that needs to be privileged.

Add this Container Spec to your Pod's initContainers section:

- name: configure-sysctl
  image: docker.io/emilyls/sysctl:v0.2.0
  args:
  # Example sysctl
  - my.cool.sysctl=value

  # Globs are also supported. This will set the dad_transmits sysctl for all
  # interfaces starting with "eth".
  - net.ipv6.conf.eth*.dad_transmits=5

  securityContext:
    readOnlyRootFilesystem: true

    # Required for configuring sysctls
    privileged: true

License

This repository is licensed under the Apache License 2.0.