| 1 |
03.07.2014 20:02, William Hubbs пишет: |
| 2 |
> This is a question to lxc users, since I don't run it. |
| 3 |
> |
| 4 |
> I have a bug against OpenRC in which the user is saying that I should |
| 5 |
> allow /etc/init.d/sysctl to run inside an lxc container [1]. |
| 6 |
> |
| 7 |
> My understanding is that this is not a good idea since an lxc container |
| 8 |
> actually changes settings in the host's kernel. |
| 9 |
> |
| 10 |
> The user's position seems to be that it should be up to the lxc |
| 11 |
> template or the sys admin to make sure they configure things correctly. |
| 12 |
> |
| 13 |
> Does anyone have any thoughts? Is this something I should allow people |
| 14 |
> to shoot themselves in the foot with if they do something wrong? |
| 15 |
> |
| 16 |
> Thanks, |
| 17 |
> |
| 18 |
> William |
| 19 |
> |
| 20 |
> [1] https://bugs.gentoo.org/show_bug.cgi?id=516050 |
| 21 |
> |
| 22 |
|
| 23 |
Comment #3 in bug mostly right. By dropping CAP_SYS_ADMIN you can |
| 24 |
prevent of changing most of the global sysctl settings. Other settings |
| 25 |
still can be changed by root inside the container, but these settings |
| 26 |
are separate and unique to each container(like ip_forward and all the |
| 27 |
network stuff that sits in network namespace). |
| 28 |
|
| 29 |
-- |
| 30 |
Best regards, Sergey Popov |
| 31 |
Gentoo developer |
| 32 |
Gentoo Desktop-effects project lead |
| 33 |
Gentoo Qt project lead |
| 34 |
Gentoo Proxy maintainers project lead |
Archives