03.07.2014 20:02, William Hubbs wrote:
> This is a question to lxc users, since I don't run it.
>
> I have a bug against OpenRC in which the user is saying that I should
> allow /etc/init.d/sysctl to run inside an lxc container [1].
>
> My understanding is that this is not a good idea since an lxc container
> actually changes settings in the host's kernel.
>
> The user's position seems to be that it should be up to the lxc
> template or the sys admin to make sure they configure things correctly.
>
> Does anyone have any thoughts? Is this something I should allow people
> to shoot themselves in the foot with if they do something wrong?
>
> Thanks,
>
> William
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=516050
>

Comment #3 in the bug is mostly right. By dropping CAP_SYS_ADMIN you can prevent changing most of the global sysctl settings. Other settings can still be changed by root inside the container, but these settings are separate and unique to each container (like ip_forward and all the network stuff that sits in the network namespace).

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop-effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead
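Two checks that follow from the reply above, written as an added example for this thread (not code from OpenRC, LXC, or either poster): first, whether the current process still holds CAP_SYS_ADMIN, read from the CapEff bitmap in /proc/self/status (CAP_SYS_ADMIN is capability number 21); second, a small sysctl.conf reader that separates net.* keys, which the reply says live in the container's own network namespace, from everything else, which this example conservatively treats as host-global. The function names and the "net.* is namespaced, everything else is global" classification rule are this example's own assumptions; the sample sysctl.conf lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of the original thread).

# has_cap_sys_admin MASK
#   MASK is a CapEff value as printed in /proc/self/status (64-bit hex bitmap).
#   Prints "yes" if CAP_SYS_ADMIN (capability 21) is set, otherwise "no".
has_cap_sys_admin() {
    mask=$1
    if [ $(( (0x$mask >> 21) & 1 )) -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# current_has_cap_sys_admin
#   Reads the running process's CapEff field and classifies it. Inside a
#   container started with sys_admin dropped this should print "no".
current_has_cap_sys_admin() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    has_cap_sys_admin "$mask"
}

# split_sysctl_conf < sysctl.conf
#   Reads sysctl.conf syntax on stdin (comments start with # or ;, a leading
#   '-' means "ignore errors", '/' may be used instead of '.') and prints one
#   line per setting: "namespaced KEY" for net.* keys, "global KEY" otherwise.
#   Assumption of this example: only net.* is treated as per-container.
split_sysctl_conf() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' |
    while IFS='=' read -r key _; do
        key=$(printf '%s' "$key" |
              sed -e 's/^[[:space:]]*-\{0,1\}//' -e 's/[[:space:]]*$//' |
              tr / .)
        case $key in
            net.*) echo "namespaced $key" ;;
            *)     echo "global $key" ;;
        esac
    done
}

# Usage when run directly with a file argument:  sh this.sh /etc/sysctl.conf
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    split_sysctl_conf < "$1"
fi
```

With constructed input such as `net.ipv4.ip_forward = 1`, `kernel.sysrq = 0` and `-fs.file-max=65536`, `split_sysctl_conf` reports the first as namespaced and the other two as global; an init script could apply only the namespaced group when `current_has_cap_sys_admin` prints "no". Dropping the capability at the LXC level is done with the `lxc.cap.drop = sys_admin` setting in the container's config, which is what the reply above relies on.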