* [gentoo-dev] should /etc/init.d/sysctl be run in lxc guests?
From: William Hubbs
Date: 2014-07-03 16:02 UTC
To: gentoo development

This is a question to lxc users, since I don't run it.

I have a bug against OpenRC in which the user is saying that I should
allow /etc/init.d/sysctl to run inside an lxc container [1].

My understanding is that this is not a good idea since an lxc container
actually changes settings in the host's kernel.

The user's position seems to be that it should be up to the lxc
template or the sys admin to make sure they configure things correctly.

Does anyone have any thoughts? Is this something I should allow people
to shoot themselves in the foot with if they do something wrong?

Thanks,

William

[1] https://bugs.gentoo.org/show_bug.cgi?id=516050
* Re: [gentoo-dev] should /etc/init.d/sysctl be run in lxc guests?
From: Sergey Popov
Date: 2014-07-03 20:12 UTC
To: gentoo-dev

03.07.2014 20:02, William Hubbs writes:
> This is a question to lxc users, since I don't run it.
>
> I have a bug against OpenRC in which the user is saying that I should
> allow /etc/init.d/sysctl to run inside an lxc container [1].
>
> My understanding is that this is not a good idea since an lxc container
> actually changes settings in the host's kernel.
>
> The user's position seems to be that it should be up to the lxc
> template or the sys admin to make sure they configure things correctly.
>
> Does anyone have any thoughts? Is this something I should allow people
> to shoot themselves in the foot with if they do something wrong?
>
> Thanks,
>
> William
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=516050

Comment #3 in the bug is mostly right. By dropping CAP_SYS_ADMIN you can
prevent changing most of the global sysctl settings. Other settings can
still be changed by root inside the container, but these settings are
separate and unique to each container (like ip_forward and all the
network stuff that sits in the network namespace).

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop-effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead
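An added example, not code from OpenRC, LXC or anyone in this thread, that makes the distinction in the reply above concrete: it sorts the entries of a sysctl.conf into keys the kernel keeps per-namespace (so root inside the container only changes the container) and keys that are global (so writing them from inside the container reconfigures the host kernel), and it checks from the CapEff mask in /proc/self/status whether CAP_SYS_ADMIN has actually been dropped. The list of namespace-scoped keys is an assumption, kept short on purpose so that anything unknown is treated as global; the function names and the sample sysctl.conf are constructed for the example. CAP_SYS_ADMIN being capability number 21 is from the kernel's uapi capability header.

```shell
#!/bin/sh
# Added example (not OpenRC or LXC code): decide which sysctl.conf entries an
# init script may safely apply inside a container, and whether CAP_SYS_ADMIN
# is still held by the current process.

# Keys scoped to a namespace the container owns. This list is an assumption
# and deliberately short: an unmatched key is treated as global, the safe
# default. Verify a key for your own kernel with
#   unshare -n sh -c 'sysctl -w KEY=VAL'
# and then read KEY back from the parent namespace.
sysctl_is_ns_scoped() {
    case "$1" in
        net.ipv4.ip_forward|net.ipv4.conf.*|net.ipv6.conf.*)
            return 0 ;;   # network namespace
        kernel.hostname|kernel.domainname)
            return 0 ;;   # UTS namespace
        kernel.shmmax|kernel.shmall|kernel.shmmni|kernel.msgmax|kernel.msgmnb|kernel.msgmni|kernel.sem)
            return 0 ;;   # IPC namespace
        *)
            return 1 ;;
    esac
}

# Read sysctl.conf-style text on stdin; print one "ns KEY" or "global KEY"
# line per setting. Accepts "a.b.c" and "a/b/c" key spellings like sysctl(8).
classify_sysctl_conf() {
    while IFS= read -r conf_line; do
        case "$conf_line" in ''|'#'*|';'*) continue ;; esac
        conf_key=$(printf '%s' "${conf_line%%=*}" | tr -d ' \t' | tr / .)
        if sysctl_is_ns_scoped "$conf_key"; then
            printf 'ns %s\n' "$conf_key"
        else
            printf 'global %s\n' "$conf_key"
        fi
    done
}

# Print only the keys that would reach the host kernel if applied inside
# a container that still holds CAP_SYS_ADMIN.
escaping_keys() {
    classify_sysctl_conf | awk '$1 == "global" { print $2 }'
}

# CAP_SYS_ADMIN is capability number 21 (include/uapi/linux/capability.h).
CAP_SYS_ADMIN=21

# Succeed if the hex capability mask in $2 (the CapEff: value from
# /proc/PID/status) has capability number $1 set.
cap_mask_has() {
    [ $(( (0x$2 >> $1) & 1 )) -eq 1 ]
}

# Does the current process still hold CAP_SYS_ADMIN?
has_cap_sys_admin() {
    cap_mask_has "$CAP_SYS_ADMIN" "$(awk '/^CapEff:/ { print $2 }' /proc/self/status)"
}

# Constructed sample sysctl.conf for the example, not taken from a real system.
SAMPLE_CONF='# constructed sample
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
kernel.hostname = guest1
kernel.panic = 10
vm.swappiness = 10
fs.file-max = 100000'

# With CAP_SYS_ADMIN present the global keys would silently reconfigure the
# host; with it dropped the same writes simply fail inside the container.
main() {
    if has_cap_sys_admin; then
        echo "CAP_SYS_ADMIN present: these keys would change the host kernel:"
        printf '%s\n' "$SAMPLE_CONF" | escaping_keys
    else
        echo "CAP_SYS_ADMIN dropped: global keys are not writable from here"
    fi
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh sysctl_scope.sh --run` inside and outside a container to see the difference. The host-side counterpart of the check is the LXC config line `lxc.cap.drop = sys_admin`; with that in place the "global" keys above fail with EPERM inside the guest, while `net.ipv4.ip_forward` and the other namespace-scoped keys keep working and only affect that container's network namespace.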