public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] should /etc/init.d/sysctl be run in lxc guests?
@ 2014-07-03 16:02 William Hubbs
  2014-07-03 20:12 ` Sergey Popov
  0 siblings, 1 reply; 2+ messages in thread
From: William Hubbs @ 2014-07-03 16:02 UTC
  To: gentoo development


This is a question to lxc users, since I don't run it.

I have a bug against OpenRC in which the user is saying that I should
allow /etc/init.d/sysctl to run inside an lxc container [1].

My understanding is that this is not a good idea since an lxc container
actually changes settings in the host's kernel.

The user's position seems to be that it should be up to the lxc
template or the sys admin to make sure they configure things correctly.

Does anyone have any thoughts? Is this something I should allow people
to shoot themselves in the foot with if they do something wrong?

Thanks,

William

[1] https://bugs.gentoo.org/show_bug.cgi?id=516050



* Re: [gentoo-dev] should /etc/init.d/sysctl be run in lxc guests?
  2014-07-03 16:02 [gentoo-dev] should /etc/init.d/sysctl be run in lxc guests? William Hubbs
@ 2014-07-03 20:12 ` Sergey Popov
  0 siblings, 0 replies; 2+ messages in thread
From: Sergey Popov @ 2014-07-03 20:12 UTC
  To: gentoo-dev


03.07.2014 20:02, William Hubbs wrote:
> This is a question to lxc users, since I don't run it.
> 
> I have a bug against OpenRC in which the user is saying that I should
> allow /etc/init.d/sysctl to run inside an lxc container [1].
> 
> My understanding is that this is not a good idea since an lxc container
> actually changes settings in the host's kernel.
> 
> The user's position seems to be that it should be up to the lxc
> template or the sys admin to make sure they configure things correctly.
> 
> Does anyone have any thoughts? Is this something I should allow people
> to shoot themselves in the foot with if they do something wrong?
> 
> Thanks,
> 
> William
> 
> [1] https://bugs.gentoo.org/show_bug.cgi?id=516050
> 

Comment #3 in the bug is mostly right. By dropping CAP_SYS_ADMIN you can
prevent changing most of the global sysctl settings. Other settings
can still be changed by root inside the container, but these settings
are separate and unique to each container (like ip_forward and all the
network stuff that sits in the network namespace).

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop-effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead



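The distinction Sergey draws above, between sysctls that live in the
container's network namespace and sysctls that reach host-global kernel
state, is easy to turn into a guard for the guest. The script below is an
added example written for this archive page; it is not part of OpenRC, LXC
or the bug discussion. It splits a sysctl.conf into the keys a guest may
apply and the keys it should refuse, and prints the LXC config line that
drops CAP_SYS_ADMIN. SAFE_KEYS, the sample config and the function names
are assumptions made here: which keys are per-network-namespace depends on
the kernel version, so the allowlist is deliberately explicit rather than a
blanket "net.*" rule, and you should extend it for your own kernel.

```shell
#!/bin/sh
# Added example (not OpenRC or LXC code): decide which sysctl.conf entries
# are safe to apply from inside an LXC guest.
#
# Assumption: every key in SAFE_KEYS lives in the network namespace and is
# therefore private to the container. Extend this list for your kernel;
# do not assume every net.* key is namespaced.
SAFE_KEYS="net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.ip_local_port_range net.ipv6.conf.all.forwarding"

# Constructed sample of a Gentoo guest's /etc/sysctl.conf (both "." and "/"
# key separators, comments and blank lines, as sysctl(8) accepts them).
SAMPLE_CONF='# sample, constructed for this example
net.ipv4.ip_forward = 1
kernel.sysrq = 0
vm.swappiness = 10
net.ipv4.conf.all.rp_filter = 1
fs.file-max = 100000
net/ipv4/ip_local_port_range = 10000 65000
'

# normalize_conf CONF: drop comments and blank lines, canonicalize "/" to "."
# in the key, and emit one "key value" line per setting.
normalize_conf() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ /' \
        | awk '{ gsub("/", ".", $1); print }'
}

# is_container_local KEY: succeed only for keys on the allowlist.
is_container_local() {
    for k in $SAFE_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# container_safe_keys CONF: the "key value" lines a guest may apply.
container_safe_keys() {
    normalize_conf "$1" | while read -r key rest; do
        if is_container_local "$key"; then printf '%s %s\n' "$key" "$rest"; fi
    done
    return 0
}

# host_global_keys CONF: the lines that would change host-global kernel
# state; a guest should refuse these instead of trying sysctl -w.
host_global_keys() {
    normalize_conf "$1" | while read -r key rest; do
        if ! is_container_local "$key"; then printf '%s %s\n' "$key" "$rest"; fi
    done
    return 0
}

# lxc_config_snippet: the container config line that drops CAP_SYS_ADMIN.
lxc_config_snippet() {
    printf 'lxc.cap.drop = sys_admin\n'
}

# probe_writable KEY: succeed if this process could write the key's
# /proc/sys file. Only meaningful as root inside the guest; harmless elsewhere.
probe_writable() {
    p="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -w "$p" ]
}

main() {
    echo "## keys OK to apply inside the guest"
    container_safe_keys "$SAMPLE_CONF"
    echo "## keys that would change host-global state (refuse in a guest)"
    host_global_keys "$SAMPLE_CONF"
    echo "## add to the container config"
    lxc_config_snippet
}

main
```

The filter does not depend on capabilities at all, so it still protects the
host in a privileged container where root can write /proc/sys regardless
of CAP_SYS_ADMIN. As an extra layer, LXC's `lxc.mount.auto = proc:mixed`
mounts /proc/sys read-only in the guest, which turns any remaining attempt
to write a host-global key into a plain EROFS failure rather than a silent
change to the host kernel.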
