diff --git a/docs/resources/service.md b/docs/resources/service.md
index 15712fc6..fa4fd308 100644
--- a/docs/resources/service.md
+++ b/docs/resources/service.md
@@ -378,6 +378,7 @@ Optional:
 - `secrets` (Block Set) References to zero or more secrets that will be exposed to the service (see [below for nested schema](#nestedblock--task_spec--container_spec--secrets))
 - `stop_grace_period` (String) Amount of time to wait for the container to terminate before forcefully removing it (ms|s|m|h). If not specified or '0s' the destroy will not check if all tasks/containers of the service terminate.
 - `stop_signal` (String) Signal to stop the container
+- `sysctl` (Map of String) Sysctls config (Linux only)
 - `user` (String) The user inside the container
diff --git a/internal/provider/resource_docker_service.go b/internal/provider/resource_docker_service.go
index afe26ac6..d9bdb783 100644
--- a/internal/provider/resource_docker_service.go
+++ b/internal/provider/resource_docker_service.go
@@ -499,6 +499,12 @@ func resourceDockerService() *schema.Resource {
 Optional: true,
 ValidateDiagFunc: validateStringMatchesPattern(`^(default|process|hyperv)$`),
 },
+ "sysctl": {
+ Type: schema.TypeMap,
+ Description: "Sysctls config (Linux only)",
+ Optional: true,
+ ForceNew: true,
+ },
 },
 },
 },
diff --git a/internal/provider/resource_docker_service_structures.go b/internal/provider/resource_docker_service_structures.go
index 7f0718e3..348d1a7d 100644
--- a/internal/provider/resource_docker_service_structures.go
+++ b/internal/provider/resource_docker_service_structures.go
@@ -174,6 +174,9 @@ func flattenContainerSpec(in *swarm.ContainerSpec) []interface{} {
 if len(in.Isolation) > 0 {
 m["isolation"] = string(in.Isolation)
 }
+ if len(in.Sysctls) > 0 {
+ m["sysctl"] = in.Sysctls
+ }
 out = append(out, m)
 return out
 }
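Review bot: The `sysctl` entry added to the container-spec schema in resource_docker_service.go declares `Type: schema.TypeMap` with no `Elem` and no validation, so keys and values are accepted as-is at plan time and anything the daemon refuses only surfaces as an API error at apply. Spelling out the element type, `Elem: &schema.Schema{Type: schema.TypeString},`, makes the string-only contract explicit for the `mapTypeMapValsToString` conversion in createContainerSpec, which presumably asserts each value to a string. The description is also thin for a setting that changes kernel parameters for the task's containers; something like `Description: "Kernel parameters (sysctls) to set in the container, keyed by sysctl name (Linux only). Changing this forces a new resource.",` would say what the map holds and that `ForceNew` applies. The enclosing schema map starts and ends outside the hunk.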
@@ -925,6 +928,9 @@ func createContainerSpec(v interface{}) (*swarm.ContainerSpec, error) {
 if value, ok := rawContainerSpec["isolation"]; ok {
 containerSpec.Isolation = container.Isolation(value.(string))
 }
+ if value, ok := rawContainerSpec["sysctl"]; ok {
+ containerSpec.Sysctls = mapTypeMapValsToString(value.(map[string]interface{}))
+ }
 }
 }
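Review bot: The new `sysctl` branch in createContainerSpec assigns whenever the key is present, while flattenContainerSpec only writes the attribute when `len(in.Sysctls) > 0`. If the SDK supplies an empty map for an unset attribute (not visible here), the create and read paths disagree on empty versus absent. Guarding on length keeps the two sides symmetric: `if value, ok := rawContainerSpec["sysctl"].(map[string]interface{}); ok && len(value) > 0 {` followed by `containerSpec.Sysctls = mapTypeMapValsToString(value)`, which also replaces the unchecked type assertion with a comma-ok one. A one-line comment that the keys and values are forwarded to the daemon without local validation would help the next reader. createContainerSpec's body starts and ends outside the hunk.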