sysctl options declared in config.json not applied to container

[cweld510]

Description

It seems that, when starting a container via runsc run from an OCI specification file, sysctl options in the specification file won't take effect inside the container.

Steps to reproduce

Make a rootfs directory and unpack a debian-slim image into it: mkdir bundle && cd bundle && mkdir --mode=0755 rootfs docker export $(docker create debian:bullseye-slim) | sudo tar -xf - -C rootfs --same-owner --same-permissions

Create a simple script in rootfs to dump a sysctl setting:

$ cat rootfs/test_script 
#!/bin/bash

cat /proc/sys/net/ipv4/tcp_keepalive_time

Generate a config.json: runsc spec -- /test_script

Add the following to the "linux" block of the config:

    "sysctl":{
        "net.ipv4.tcp_keep_alive_time": "1000"
    }

Then sudo runsc run test_script will show a value of 7200, not 1000.

runsc version

runsc version 40a09da5a1ab
spec: 1.1.0-rc.1

docker version (if using docker)

No response

uname

Linux 5.15.0-101.103.2.1.el9uek.x86_64 #2 SMP Tue May 2 01:10:45 PDT 2023 x86_64 x86_64 x86_64 GNU/Linux

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

[ayushr2]

The following should be the right place to add support https://github.com/google/gvisor/blob/834bef5996794a44f1c95358bc533f54db080497/runsc/boot/loader.go#L550-L561

[ayushr2]

We seem to be always printing 7200 from /proc/sys/net/ipv4/tcp_keepalive_time: https://github.com/google/gvisor/blob/834bef5996794a44f1c95358bc533f54db080497/pkg/sentry/fsimpl/proc/tasks_sys.go#L124

Irrespective of what TCP endpoints use (which happens to be a constant for 7200 seconds): https://github.com/google/gvisor/blob/834bef5996794a44f1c95358bc533f54db080497/pkg/tcpip/transport/tcp/protocol.go#L71-L73

[ayushr2]

cc @kevinGC