From: Sergey Popov
Date: Fri, 04 Jul 2014 00:12:53 +0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] should /etc/init.d/sysctl be run in lxc guests?
Message-ID: <53B5B945.4060000@gentoo.org>
In-Reply-To: <20140703160229.GA4189@linux1>

On 03.07.2014 20:02, William Hubbs wrote:
> This is a question to lxc users, since I don't run it.
>
> I have a bug against OpenRC in which the user is saying that I should
> allow /etc/init.d/sysctl to run inside an lxc container [1].
>
> My understanding is that this is not a good idea since an lxc container
> actually changes settings in the host's kernel.
>
> The user's position seems to be that it should be up to the lxc
> template or the sys admin to make sure they configure things correctly.
>
> Does anyone have any thoughts? Is this something I should allow people
> to shoot themselves in the foot with if they do something wrong?
>
> Thanks,
>
> William
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=516050
>

Comment #3 in the bug is mostly right. By dropping CAP_SYS_ADMIN you can prevent changing most of the global sysctl settings. Other settings can still be changed by root inside the container, but these settings are separate and unique to each container (like ip_forward and all the network stuff that sits in the network namespace).
--
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop-effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead
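As an added illustration of the point Sergey makes (this is not OpenRC's sysctl script and not code from anyone in the thread), a POSIX sh filter that, given sysctl.conf-style input, keeps only keys under net.* and reports every other key as host-global, noting when the process still holds CAP_SYS_ADMIN and the write would therefore have reached the host kernel. The net.* classification, the CapEff parsing from /proc/self/status and the sample configuration are my own assumptions and constructions.

```shell
# Added example, not OpenRC's sysctl script and not code from the thread.
# Assumption: keys under net.* live in the container's own network
# namespace; every other key is a host-global kernel setting.

# Constructed sample in /etc/sysctl.conf syntax (dotted and slash forms).
SAMPLE_CONF='# constructed sample
net.ipv4.ip_forward = 1
kernel.sysrq = 0
net/ipv6/conf/all/forwarding = 0
vm.swappiness = 10
fs.file-max = 100000'

# 0 if the key sits in the network-namespace subtree, 1 if it is global.
# "net/ipv4/ip_forward" is normalised to "net.ipv4.ip_forward" first.
key_is_namespaced() {
    case "$(printf '%s\n' "$1" | tr '/' '.')" in
        net.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# 0 if CAP_SYS_ADMIN (capability bit 21) is set in a CapEff hex mask.
has_cap_sys_admin() { [ $(( (0x$1 >> 21) & 1 )) -eq 1 ]; }

# Effective capability mask of this process ("0" if /proc is unavailable).
current_capeff() {
    cap=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status 2>/dev/null)
    printf '%s\n' "${cap:-0}"
}

# Read "key = value" lines on stdin; print only those a guest may apply.
# Global keys are reported on stderr, flagged when the process still holds
# CAP_SYS_ADMIN (then the write would have reached the host kernel).
# $1 optionally overrides the CapEff mask so the function is testable.
filter_for_guest() {
    cap=${1:-$(current_capeff)}
    while IFS= read -r line; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        if key_is_namespaced "$key"; then
            printf '%s\n' "$line"
        else
            note=""
            has_cap_sys_admin "$cap" && note=" (CAP_SYS_ADMIN held: would hit the host)"
            echo "skip $key: host-global$note" >&2
        fi
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | filter_for_guest
```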