Currently, the sysctl init script contains keyword -lxc. However, certain kernel parameters, such as net.ipv4.ip_forward, can be set independently for each lxc container. Therefore, the init script should execute by default in lxc environments. Reproducible: Always
Created attachment 380066 [details, diff] Proposed correction Proposed correction
Since the guest and host share the same kernel, what happens if the guest sysctl tries to change settings it shouldn't? Is the kernel smart enough to block those changes?
The kernel will block the changes if the container's configuration file contains "lxc.cap.drop = sys_admin". In my opinion, it is the responsibility of the distro's lxc template or the system administrator to configure the capabilities correctly or ensure that the container's /etc/sysctl.conf does not define global parameters. Otherwise, there is no easy way to automatically set container-specific parameters.
I agree with Kaarle that sometimes you want to use sysctl in lxc. Well, there are other workarounds like you could use the local service to call sysctl... but why should you workaround if you could use the sysctl service? :) I also agree that's the administrator responsibility to take action against unwanted configuration like a modified host kernel from a lxc. From William's mail: > My understanding is that this is not a good idea since an lxc container > actually changes settings in the host's kernel. Right, but "keyword -lxc" is not a real protection against this problem. You could overwrite the keyword in conf.d/sysctl in the lxc. Currently we only hide a "problem"... but the problem is still there and can only be addressed by the host administrator. So we are only adding burden for those who want to use sysctl in lxc because they need to overwrite the keyword at the moment. => I would enable the sysctl service for lxc environments per default, too.
This was applied in commit 143f1c6 and will be included in OpenRC-0.13.
