lxc.sysctl in unprivileged containers

geppi

Active Member
Nov 27, 2018
I'm a little confused regarding what's possible with an unprivileged container when it comes to setting values in /proc/sys.
I'm in particular interested in everything below /proc/sys/net.

I have an unprivileged container in which everything below /proc/sys/net is owned and writable by root.
In the container I can modify e.g. the parameter "net.ipv4.conf.all.accept_redirects" with:
sysctl -w net.ipv4.conf.all.accept_redirects=0

However, I cannot use lxc.sysctl.net.ipv4.conf.all.accept_redirects=0 in the container configuration file:
unable to parse config: lxc.sysctl.net.ipv4.conf.all.accept_redirects=0

Why does setting the parameter via sysctl in the above case work and what's the problem with the lxc.sysctl config parameter?
 
hi,

However, I cannot use lxc.sysctl.net.ipv4.conf.all.accept_redirects=0 in the container configuration file:
there are two configuration files for a container:
* /etc/pve/lxc/CTID.conf, this is the config used by the PVE stack, used to partially generate the next config:
* /var/lib/lxc/CTID/config is the config used by LXC (don't write directly here, because it will be ignored and regenerated)

some raw lxc keys are allowed in the PVE LXC config [0], but lxc.sysctl.net.ipv4.conf.all.accept_redirects=0 is not one of them :)
though you can write a script inside the container that runs sysctl -w net.ipv4.conf.all.accept_redirects=0 at boot time ;)

hope this helps!

[0]: https://git.proxmox.com/?p=pve-cont...6826e5ae4a42d01f4597aacb38ed7dc8;hb=HEAD#l592
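One way to do the boot-time script the reply suggests, as an added example that is neither from this thread nor from Proxmox: a POSIX sh script that applies a sysctl.conf-style file to /proc/sys directly and reports every key the container cannot write, so a hardening setting that silently did not apply is noticed. The file name hardening.conf and the PROC_SYS override (used to exercise the logic on a scratch directory) are my assumptions.

```shell
#!/bin/sh
# Apply network sysctls from a sysctl.conf-style file inside a container and
# verify each one by reading it back. Keys that are missing or not writable
# from this container are reported instead of aborting the whole run.
PROC_SYS="${PROC_SYS:-/proc/sys}"   # assumed override; defaults to the real tree

# Map "net.ipv4.conf.all.accept_redirects" to "$PROC_SYS/net/ipv4/conf/all/accept_redirects".
key_to_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# apply_sysctl_file FILE: read "key = value" lines (comments and blanks ignored),
# write each value and read it back. Prints one status line per key:
#   ok <key> <value> | readonly <key> | missing <key> | mismatch <key> <value read back>
# Returns 0 if every key applied, 1 otherwise.
apply_sysctl_file() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t')
        [ -n "$key" ] || continue
        path=$(key_to_path "$key")
        if [ ! -e "$path" ]; then
            echo "missing $key"; rc=1; continue
        fi
        # In an unprivileged container some /proc/sys nodes are read-only; detect that here.
        if ! printf '%s\n' "$val" > "$path" 2>/dev/null; then
            echo "readonly $key"; rc=1; continue
        fi
        got=$(cat "$path")
        if [ "$got" = "$val" ]; then
            echo "ok $key $val"
        else
            echo "mismatch $key $got"; rc=1
        fi
    done < "$1"
    return $rc
}

# Boot-time usage (e.g. from a unit or rc script): apply_sysctl.sh /etc/sysctl.d/hardening.conf
if [ $# -gt 0 ]; then apply_sysctl_file "$1"; fi
```

A non-zero exit status from the boot script is the signal to check the container's logs rather than assume the setting took effect.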
 
Thank you for the link with the allowed keys.

Would it be possible to elaborate a little on why the lxc.sysctl.net.* keys are not allowed although the kernel parameters can be configured from inside even an unprivileged container? Obviously they're namespaced, right?

Is my understanding correct that entering net.ipv4.conf.all.accept_redirects = 0 into /etc/sysctl.conf is doing the job as well?
 
Would it be possible to elaborate a little on why the lxc.sysctl.net.* keys are not allowed although the kernel parameters can be configured from inside even an unprivileged container? Obviously they're namespaced, right?
right, they're namespaced with CLONE_NEWNET and since the sysctl inside the container works it might make sense to allow these keys as well. could you make a feature request on our bugtracker [0]?

[0]: https://bugzilla.proxmox.com