feat(container): add sysctls setting in the container view (#4910)

* feat(container): add sysctls in the container view (#2756) * feat(container): add setting to restrict sysctl access * feat(endpoint): move sysctl disable setting to security settings * feat(container): add sysctls to container edit view * fix(container) remove unnecessary migration setting Co-authored-by: Owen Kirby <oskirby@gmail.com>
2025-07-23 07:19:41 +02:00 · 2021-04-12 09:40:45 +02:00 · 2021-04-12 09:40:45 +02:00 · d09ae22ba8
commit d09ae22ba8
parent ac7d819620
14 changed files with 125 additions and 9 deletions
--- a/app/docker/views/containers/create/createContainerController.js
+++ b/app/docker/views/containers/create/createContainerController.js
@ -80,6 +80,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      EntrypointMode: 'default',
      NodeName: null,
      capabilities: [],
+      Sysctls: [],
      LogDriverName: '',
      LogDriverOpts: [],
      RegistryModel: new PorImageRegistryModel(),
@ -136,6 +137,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
        Devices: [],
        CapAdd: [],
        CapDrop: [],
+        Sysctls: {},
      },
      NetworkingConfig: {
        EndpointsConfig: {},
@ -191,6 +193,14 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      $scope.config.HostConfig.Devices.splice(index, 1);
    };

+    $scope.addSysctl = function () {
+      $scope.formValues.Sysctls.push({ name: '', value: '' });
+    };
+
+    $scope.removeSysctl = function (index) {
+      $scope.formValues.Sysctls.splice(index, 1);
+    };
+
    $scope.addLogDriverOpt = function () {
      $scope.formValues.LogDriverOpts.push({ name: '', value: '' });
    };
@ -344,6 +354,16 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      config.HostConfig.Devices = path;
    }

+    function prepareSysctls(config) {
+      var sysctls = {};
+      $scope.formValues.Sysctls.forEach(function (sysctl) {
+        if (sysctl.name && sysctl.value) {
+          sysctls[sysctl.name] = sysctl.value;
+        }
+      });
+      config.HostConfig.Sysctls = sysctls;
+    }
+
    function prepareResources(config) {
      // Memory Limit - Round to 0.125
      if ($scope.formValues.MemoryLimit >= 0) {
@ -412,6 +432,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      prepareResources(config);
      prepareLogDriver(config);
      prepareCapabilities(config);
+      prepareSysctls(config);
      return config;
    }

@ -557,6 +578,14 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      $scope.config.HostConfig.Devices = path;
    }

+    function loadFromContainerSysctls() {
+      for (var s in $scope.config.HostConfig.Sysctls) {
+        if ({}.hasOwnProperty.call($scope.config.HostConfig.Sysctls, s)) {
+          $scope.formValues.Sysctls.push({ name: s, value: $scope.config.HostConfig.Sysctls[s] });
+        }
+      }
+    }
+
    function loadFromContainerImageConfig() {
      RegistryService.retrievePorRegistryModelFromRepository($scope.config.Image)
        .then((model) => {
@ -632,6 +661,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
          loadFromContainerImageConfig(d);
          loadFromContainerResources(d);
          loadFromContainerCapabilities(d);
+          loadFromContainerSysctls(d);
        })
        .catch(function error(err) {
          Notifications.error('Failure', err, 'Unable to retrieve container');
@ -656,6 +686,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [

      $scope.isAdmin = Authentication.isAdmin();
      $scope.showDeviceMapping = await shouldShowDevices();
+      $scope.showSysctls = await shouldShowSysctls();
      $scope.areContainerCapabilitiesEnabled = await checkIfContainerCapabilitiesEnabled();
      $scope.isAdminOrEndpointAdmin = Authentication.isAdmin();

@ -940,6 +971,12 @@ angular.module('portainer.docker').controller('CreateContainerController', [
      return endpoint.SecuritySettings.allowDeviceMappingForRegularUsers || Authentication.isAdmin();
    }

+    async function shouldShowSysctls() {
+      const { allowSysctlSettingForRegularUsers } = $scope.applicationState.application;
+
+      return allowSysctlSettingForRegularUsers || Authentication.isAdmin();
+    }
+
    async function checkIfContainerCapabilitiesEnabled() {
      return endpoint.SecuritySettings.allowContainerCapabilitiesForRegularUsers || Authentication.isAdmin();
    }