
Bug 481264

Summary: sys-apps/openrc: remove lxc keyword from sysctl
Product: Gentoo Linux
Reporter: Alexander Vershilov (RETIRED) <qnikst>
Component: [OLD] Core system
Assignee: OpenRC Team <openrc>
Status: RESOLVED WORKSFORME
Severity: normal
CC: zunkree
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Runtime testing required: ---

Description Alexander Vershilov (RETIRED) gentoo-dev 2013-08-16 07:49:40 UTC
Currently most sysctl options work container-wide, so it's almost safe to run the sysctl service inside a container.

If there are some options that a container may set system-wide, then we need to work around that somehow.

Some relevant discussion on LWN [http://lwn.net/Articles/260688/]
Comment 1 Piotr Karbowski (RETIRED) gentoo-dev 2013-08-16 12:04:08 UTC
I don't see a sysctl namespace anywhere; also, in my opinion most of the sysctls are system-wide. Like core_pattern, which alone allows you to escape from an lxc container to the host; vm.swappiness, vm.dirty_bytes etc. are also system-wide.

IMO it shouldn't be executed in an lxc container, as it does affect the kernel's settings.
Comment 2 Alexander Vershilov (RETIRED) gentoo-dev 2013-08-16 12:18:59 UTC
(In reply to Piotr Karbowski from comment #1)
> I don't see sysctl namespace anywhere, also in my opinion most of the
> sysctls are system-wide. Like core_pattern which alone allows you to escape
> from lxc container to host, vm.swappiness, vm.dirty_bytes etc also are
> system wide.
> 
> imo it shoudn't be executed in lxc container as it does affect kernel's
> settings.

OK, it seems so. I've used another set of options that are container-wide, like
net.ipv4.ip_forward

So it's an interesting situation: a user can't use the allowed options automatically with openrc, but he can use sysctl manually if he has root, even with system-wide options.
Comment 3 zunkree 2013-08-16 13:50:14 UTC
(In reply to Piotr Karbowski from comment #1)
> I don't see sysctl namespace anywhere, also in my opinion most of the
> sysctls are system-wide. Like core_pattern which alone allows you to escape
> from lxc container to host, vm.swappiness, vm.dirty_bytes etc also are
> system wide.
> 
> imo it shoudn't be executed in lxc container as it does affect kernel's
> settings.

I use sysctl in containers to set shared memory parameters for postgresql. Those parameters changed only in one container and made no changes in the host or in other containers.
Comment 4 William Hubbs gentoo-dev 2013-08-17 21:12:02 UTC
Since it is possible to mess with host settings inside an LXC
guest, I think it is best globally to err on the side of caution.
I am open to changing this if there is a good reason to do so however.

If you want to run sysctl in an lxc guest, I suggest creating, inside
the guest, /etc/conf.d/sysctl with this line as the only contents:

rc_keyword="!-lxc"

That would allow it to run, but keep in mind that it is possible to mess
with settings here that would affect both the guest and host. In other
words, you are on your own. :-)

Let me know if that works for you.

William
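The thread turns on the split between sysctls the kernel keeps per namespace (Comment 2's net.ipv4.ip_forward, Comment 3's PostgreSQL shared-memory limits) and sysctls that are global to the kernel and therefore reach the host (Comment 1's kernel.core_pattern, vm.*). The script below is an added example, not part of this bug or of OpenRC's sysctl service: it classifies keys from a sysctl.conf-style file and drops the global ones before a guest applies the rest. The set of namespaced subtrees (net.* for the network namespace, the SysV IPC limits and fs.mqueue.* for the IPC namespace, kernel.hostname/kernel.domainname for the UTS namespace) is this example's own assumption about kernel behaviour, and the sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the bug thread or from OpenRC).
# Assumption: the subtrees below are the ones Linux keeps per namespace;
# any key outside them is treated as global, i.e. shared with the host.

# Print "namespaced" or "global" for one sysctl key.  Both spellings
# sysctl(8) accepts are handled: net.ipv4.ip_forward and net/ipv4/ip_forward.
classify_sysctl() {
    key=$(printf '%s' "$1" | tr '/' '.')
    case "$key" in
        net.*)                                                       echo namespaced ;;
        kernel.shmmax|kernel.shmall|kernel.shmmni|kernel.shm_rmid_forced) echo namespaced ;;
        kernel.msgmax|kernel.msgmnb|kernel.msgmni|kernel.sem)        echo namespaced ;;
        fs.mqueue.*)                                                 echo namespaced ;;
        kernel.hostname|kernel.domainname)                           echo namespaced ;;
        *)                                                           echo global ;;
    esac
}

# Read sysctl.conf-style lines on stdin; echo the namespaced settings to
# stdout (ready for `sysctl -p -`), report global keys on stderr and drop
# them.  Returns 1 if anything was dropped, 0 otherwise.
filter_sysctl_conf() {
    dropped=0
    while IFS= read -r line; do
        # Comments start with '#' or ';' in sysctl.conf; skip those and blanks.
        entry=${line%%#*}
        entry=${entry%%;*}
        if [ -z "$(printf '%s' "$entry" | tr -d ' \t')" ]; then
            continue
        fi
        key=$(printf '%s' "$entry" | cut -d= -f1 | tr -d ' \t')
        if [ "$(classify_sysctl "$key")" = namespaced ]; then
            printf '%s\n' "$line"
        else
            printf 'dropped global sysctl (would reach the host): %s\n' "$key" >&2
            dropped=1
        fi
    done
    return $dropped
}

# Constructed sample guest configuration: two settings that only touch the
# guest's own namespaces and two that would change the host kernel.
SAMPLE_CONF='# constructed sample sysctl.conf for an LXC guest
net.ipv4.ip_forward = 1
kernel.shmmax = 17179869184
kernel.core_pattern = core
vm.swappiness = 10'

# Stand-alone run: emit the safe subset, note on stderr if anything was cut.
printf '%s\n' "$SAMPLE_CONF" | filter_sysctl_conf \
    || echo 'some settings were dropped; apply them on the host instead' >&2
```

Inside the guest this pairs naturally with the rc_keyword="!-lxc" override above: the service is allowed to run, and the filter keeps it from touching anything global. procps-ng's sysctl accepts `-` as the file name for `-p`, so the filtered output can be piped straight into `sysctl -p -`.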
Comment 5 Alexander Vershilov (RETIRED) gentoo-dev 2013-08-19 04:51:35 UTC
I like the solution with rc_keyword="!-lxc", as it is

1) documented in man 8 runscript,
2) does not prevent moving a system from a container to a host without many config rewrites,

and because there is no safe solution, I think that this bug can be closed.
I'd like to hear if this solution works for zunkree (as an original requestor) before closing this bug.
Comment 6 William Hubbs gentoo-dev 2013-08-20 05:51:36 UTC
The reporter is fine with using the keyword solution, so we can close
this.