-rw-r--r--interface-definitions/container.xml.in31
-rw-r--r--smoketest/config-tests/container-simple2
-rw-r--r--smoketest/configs/container-simple6
-rwxr-xr-xsmoketest/scripts/cli/test_container.py5
-rwxr-xr-xsrc/completion/list_container_sysctl_parameters.sh20
-rwxr-xr-xsrc/conf_mode/container.py14
6 files changed, 58 insertions, 20 deletions
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index cd970591b..6ea44a6d4 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -71,26 +71,35 @@
<multi/>
</properties>
</leafNode>
- <tagNode name="kernel-parameter">
+ <node name="sysctl">
<properties>
- <help>Add custom kernel parameters (sysctl)</help>
- <constraint>
- <regex>[._a-z*]+</regex>
- </constraint>
- <constraintErrorMessage>Kernel parameter name must be alphanumeric and can contain periods, asterisks and underscores</constraintErrorMessage>
+ <help>Configure namespaced kernel parameters of the container</help>
</properties>
<children>
- <leafNode name="value">
+ <tagNode name="parameter">
<properties>
- <help>Set kernel parameter option value</help>
+ <help>Sysctl key name</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_container_sysctl_parameters.sh</script>
+ </completionHelp>
<valueHelp>
<format>txt</format>
- <description>Set kernel parameter option value</description>
+ <description>Sysctl key name</description>
</valueHelp>
+ <constraint>
+ <validator name="sysctl"/>
+ </constraint>
</properties>
- </leafNode>
+ <children>
+ <leafNode name="value">
+ <properties>
+ <help>Sysctl configuration value</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
</children>
- </tagNode>
+ </node>
#include <include/generic-description.xml.i>
<tagNode name="device">
<properties>
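Review bot: The new `value` leafNode under `sysctl parameter` (the `<leafNode name="value">` block in this hunk) carries only a `<help>` element, whereas the `value` leafNode it replaces had a `<valueHelp>` with `<format>txt</format>` and a description; that per-value help now only exists on the `parameter` tagNode, so `set ... value ?` no longer documents what is accepted. Adding a `<valueHelp>` block with `<format>txt</format>` and a description such as "Sysctl configuration value" to the new leafNode would restore parity with the rest of this definition. It is also worth noting in that description that no constraint is applied to the value, since the parameter name is validated with `<validator name="sysctl"/>` but the value is not.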
diff --git a/smoketest/config-tests/container-simple b/smoketest/config-tests/container-simple
index ced770421..5af365cf9 100644
--- a/smoketest/config-tests/container-simple
+++ b/smoketest/config-tests/container-simple
@@ -11,4 +11,4 @@ set container name c02 allow-host-networks
set container name c02 allow-host-pid
set container name c02 capability 'sys-time'
set container name c02 image 'busybox:stable'
-set container name c02 kernel-parameter 'net.ipv4.conf.all.forwarding' value '1' \ No newline at end of file
+set container name c02 sysctl parameter kernel.msgmax value '8192' \ No newline at end of file
diff --git a/smoketest/configs/container-simple b/smoketest/configs/container-simple
index 0585fed29..b98a440b5 100644
--- a/smoketest/configs/container-simple
+++ b/smoketest/configs/container-simple
@@ -10,8 +10,10 @@ container {
allow-host-pid
cap-add sys-time
image busybox:stable
- kernel-parameter "net.ipv4.ip_forward" {
- value "1"
+ sysctl {
+ parameter kernel.msgmax {
+ value "8192"
+ }
}
}
}
diff --git a/smoketest/scripts/cli/test_container.py b/smoketest/scripts/cli/test_container.py
index 90f821c60..3dd97a175 100755
--- a/smoketest/scripts/cli/test_container.py
+++ b/smoketest/scripts/cli/test_container.py
@@ -80,6 +80,7 @@ class TestContainer(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
+ self.cli_set(base_path + ['name', cont_name, 'sysctl', 'parameter', 'kernel.msgmax', 'value', '4096'])
# commit changes
self.cli_commit()
@@ -91,6 +92,10 @@ class TestContainer(VyOSUnitTestSHIM.TestCase):
# Check for running process
self.assertEqual(process_named_running(PROCESS_NAME), pid)
+ # verify
+ tmp = cmd(f'sudo podman exec -it {cont_name} sysctl kernel.msgmax')
+ self.assertEqual(tmp, 'kernel.msgmax = 4096')
+
def test_cpu_limit(self):
cont_name = 'c2'
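Review bot: The verification added at `tmp = cmd(f'sudo podman exec -it {cont_name} sysctl kernel.msgmax')` requests an interactive pseudo-TTY for a one-shot, non-interactive command; when the test runner itself has no controlling TTY this may fail or alter the captured output, and the assertion then also depends on sysctl's exact `key = value` formatting. A less brittle check would be `tmp = cmd(f'sudo podman exec {cont_name} sysctl -n kernel.msgmax')` followed by `self.assertEqual(tmp, '4096')`. The test method these lines belong to starts outside the hunk.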
diff --git a/src/completion/list_container_sysctl_parameters.sh b/src/completion/list_container_sysctl_parameters.sh
new file mode 100755
index 000000000..cf8d006e5
--- /dev/null
+++ b/src/completion/list_container_sysctl_parameters.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+declare -a vals
+eval "vals=($(/sbin/sysctl -N -a|grep -E '^(fs.mqueue|net)\.|^(kernel.msgmax|kernel.msgmnb|kernel.msgmni|kernel.sem|kernel.shmall|kernel.shmmax|kernel.shmmni|kernel.shm_rmid_forced)$'))"
+echo ${vals[@]}
+exit 0
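Review bot: The script declares `#!/bin/sh` but uses `declare -a vals` and `${vals[@]}`, which are bash array features; on systems where /bin/sh is dash, `declare` is not found and completion silently yields nothing. Either the shebang should become `#!/bin/bash`, or the array should be dropped and the filtered sysctl list printed directly. The `eval "vals=($(...))"` is also unnecessary: a plain `vals=($(/sbin/sysctl -N -a | grep -E '<existing pattern>'))` populates the array without evaluating command output as shell code, which removes one avenue for unexpected expansion if the filter is ever loosened.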
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 8757c5eab..a969626a9 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -191,10 +191,12 @@ def verify(container):
if not os.path.exists(source):
raise ConfigError(f'Device "{dev}" source path "{source}" does not exist!')
- if 'kernel-parameter' in container_config:
- for var, cfg in container_config['kernel-parameter'].items():
+ if 'sysctl' in container_config and 'parameter' in container_config['sysctl']:
+ for var, cfg in container_config['sysctl']['parameter'].items():
if 'value' not in cfg:
- raise ConfigError(f'Kernel parameter {var} has no value assigned!')
+ raise ConfigError(f'sysctl parameter {var} has no value assigned!')
+ if var.startswith('net.') and 'allow_host_networks' in container_config:
+ raise ConfigError(f'sysctl parameter {var} cannot be set when using host networking!')
if 'environment' in container_config:
for var, cfg in container_config['environment'].items():
@@ -285,9 +287,9 @@ def generate_run_arguments(name, container_config):
# Add sysctl options
sysctl_opt = ''
- if 'kernel-parameter' in container_config:
- for k, v in container_config['kernel-parameter'].items():
- sysctl_opt += f" --sysctl={k}={v['value']}"
+ if 'sysctl' in container_config and 'parameter' in container_config['sysctl']:
+ for k, v in container_config['sysctl']['parameter'].items():
+ sysctl_opt += f" --sysctl {k}={v['value']}"
# Add capability options. Should be in uppercase
capabilities = ''
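Review bot: In `generate_run_arguments`, `sysctl_opt += f" --sysctl {k}={v['value']}"` interpolates the configured value into the argument string unquoted, and the `value` leafNode introduced by this commit has no `<constraint>`, while only the key `k` is checked by the `sysctl` validator; if `sysctl_opt` is later tokenised by a shell or split on whitespace (not visible here), a value containing spaces or metacharacters would be mis-parsed or could alter the command. Quoting the value, e.g. `from shlex import quote` and `sysctl_opt += f" --sysctl {k}={quote(v['value'])}"`, or constraining the value in `verify()` (the hunk above only checks that a value is present), would close this. The enclosing function starts outside the hunk.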