Currently most sysctl options work container-wide, so it's almost safe to run the sysctl service inside a container. If we have some options that a container may set system-wide, then we need to work around it somehow. Some relevant discussion on LWN: http://lwn.net/Articles/260688/
I don't see a sysctl namespace anywhere; also, in my opinion, most of the sysctls are system-wide. Like core_pattern, which alone allows you to escape from an LXC container to the host; vm.swappiness, vm.dirty_bytes etc. are also system-wide. IMO it shouldn't be executed in an LXC container as it does affect the kernel's settings.
(In reply to Piotr Karbowski from comment #1)
> I don't see a sysctl namespace anywhere; also, in my opinion, most of the
> sysctls are system-wide. Like core_pattern, which alone allows you to escape
> from an LXC container to the host; vm.swappiness, vm.dirty_bytes etc. are also
> system-wide.
>
> IMO it shouldn't be executed in an LXC container as it does affect the kernel's
> settings.

OK, it seems so. I've used another set of options that are container-wide, like net.ipv4.ip_forward, so it's an interesting situation: a user can't use the allowed options automatically with OpenRC, but he can use sysctl manually if he has root, even with system-wide options.
(In reply to Piotr Karbowski from comment #1)
> I don't see a sysctl namespace anywhere; also, in my opinion, most of the
> sysctls are system-wide. Like core_pattern, which alone allows you to escape
> from an LXC container to the host; vm.swappiness, vm.dirty_bytes etc. are also
> system-wide.
>
> IMO it shouldn't be executed in an LXC container as it does affect the kernel's
> settings.

I use sysctl in containers to set shared memory parameters for PostgreSQL. Those parameters changed only in one container and did not change anything on the host or in other containers.
Since it is possible to mess with host settings inside an LXC guest, I think it is best globally to err on the side of caution. I am open to changing this if there is a good reason to do so, however.

If you want to run sysctl in an LXC guest, I suggest creating, inside the guest, /etc/conf.d/sysctl with this line as the only contents:

    rc_keyword="!-lxc"

That would allow it to run, but keep in mind that it is possible to mess with settings here that would affect both the guest and host. In other words, you are on your own. :-)

Let me know if that works for you.

William
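An added example, not part of this bug thread and not OpenRC code: a POSIX sh audit that classifies the keys in a sysctl.conf-style file as container-scoped or host-global, so a guest's sysctl file can be reviewed before the rc_keyword override above lets the service run. It assumes that every key under the net. tree (the thread's net.ipv4.ip_forward case) is namespaced and that everything else (kernel.core_pattern, vm.swappiness, vm.dirty_bytes as named above) is shared with the host; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread, not OpenRC's own code).
# Assumption: keys under "net." are network-namespaced and therefore
# container-scoped; every other tree (kernel.*, vm.*, fs.*, ...) is
# treated as host-global. An exact-key allowlist would be stricter.

# Print one "SAFE key" or "GLOBAL key" line per setting in the file $1.
classify_sysctl_conf() {
    # Strip comments and blank lines, accept "key = value" and "key=value",
    # and normalise the sysctl.conf "/" separator to "." for the prefix test.
    sed -e 's/[#;].*$//' "$1" | awk -F'=' '
        NF >= 2 {
            key = $1
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == "") next
            gsub("/", ".", key)
            if (key ~ /^net\./) print "SAFE " key
            else                print "GLOBAL " key
        }'
}

# Return 0 if the file contains only container-scoped keys, 1 otherwise.
sysctl_conf_is_container_safe() {
    ! classify_sysctl_conf "$1" | grep -q '^GLOBAL '
}

# Constructed sample input mixing both kinds of setting.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sysctl.conf for a guest
net.ipv4.ip_forward = 1
net/ipv4/tcp_syncookies = 1
kernel.core_pattern = core   ; host-global: shared with the host kernel
vm.swappiness=10
EOF

if sysctl_conf_is_container_safe "$SAMPLE_CONF"; then
    echo "all keys are container-scoped; safe to enable the sysctl service"
else
    echo "refusing: host-global keys present in $SAMPLE_CONF:"
    classify_sysctl_conf "$SAMPLE_CONF" | grep '^GLOBAL '
fi
```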
I like the solution with rc_keyword="!-lxc", as it is 1) documented in man 8 runscript, 2) does not prevent moving a system from a container to a host without many config rewrites, and because there is no safe solution. I think that this bug can be closed. I'd like to hear whether this solution works for zunkree (as the original requester) before closing this bug.
The reporter is fine with using the keyword solution, so we can close this.