03.07.2014 20:02, William Hubbs writes:
> This is a question to lxc users, since I don't run it.
>
> I have a bug against OpenRC in which the user is saying that I should
> allow /etc/init.d/sysctl to run inside an lxc container [1].
>
> My understanding is that this is not a good idea since an lxc container
> actually changes settings in the host's kernel.
>
> The user's position seems to be that it should be up to the lxc
> template or the sys admin to make sure they configure things correctly.
>
> Does anyone have any thoughts? Is this something I should allow people
> to shoot themselves in the foot with if they do something wrong?
>
> Thanks,
>
> William
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=516050
>

Comment #3 in the bug is mostly right. By dropping CAP_SYS_ADMIN you can
prevent changing most of the global sysctl settings. Other settings
can still be changed by root inside the container, but these settings
are separate and unique to each container (like ip_forward and all the
network stuff that sits in the network namespace).

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop-effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead
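An added example, not code from this thread, OpenRC or lxc, of the two checks an admin could run against a container template before letting /etc/init.d/sysctl run inside it: whether the shell still holds CAP_SYS_ADMIN, and which keys in a sysctl.conf live in the per-container network namespace (net.*) versus global kernel state. It assumes the usual "key = value" sysctl.conf syntax and that CAP_SYS_ADMIN is capability bit 21 in the CapEff mask of /proc/<pid>/status; the sample sysctl.conf is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenRC or lxc. Assumes "key = value"
# sysctl.conf syntax and CAP_SYS_ADMIN = capability bit 21 in the CapEff mask of /proc/<pid>/status.

# has_cap_sys_admin HEXMASK: succeed if bit 21 (CAP_SYS_ADMIN) is set in HEXMASK.
has_cap_sys_admin() {
    [ $(( 0x$1 >> 21 & 1 )) -eq 1 ]
}

# current_capeff: print this shell's effective capability mask (Linux only).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# classify_sysctl_key KEY: "namespaced" for net.* keys (network namespace, private
# to the container), "global" for everything else (shared with the host kernel).
classify_sysctl_key() {
    case $1 in
        net.*) echo namespaced ;;
        *)     echo global ;;
    esac
}

# audit_sysctl_conf FILE: print "<class> <key>" per setting; return 1 if any key
# would touch global (host) state.
audit_sysctl_conf() {
    rc=0
    while IFS= read -r line; do
        key=$(printf '%s\n' "$line" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=.*//')
        [ -n "$key" ] || continue
        key=$(printf '%s\n' "$key" | tr / .)   # accept net/ipv4/ip_forward spelling too
        class=$(classify_sysctl_key "$key")
        echo "$class $key"
        if [ "$class" = global ]; then rc=1; fi
    done < "$1"
    return $rc
}

# Constructed sample of a container template's sysctl.conf.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
net.ipv4.ip_forward = 1        # constructed sample, not a real template
net.ipv6.conf.all.forwarding = 0
kernel.sysrq = 0               # shared with the host kernel
EOF

if [ -r /proc/self/status ] && has_cap_sys_admin "$(current_capeff)"; then echo "shell still holds CAP_SYS_ADMIN"; fi
audit_sysctl_conf "$SAMPLE_CONF" || echo "template touches global sysctl keys"
```

Run it inside the container (or point audit_sysctl_conf at the template's sysctl.conf on the host) to see which settings are safe to apply there and which would reach the host kernel.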