lxc.sysctl in unprivileged containers

G

geppi

Active Member
Proxmox Subscriber
Nov 27, 2018
15
5
43
60
Germany
I'm a little confused reagarding what's possible with an unprivileged container when it comes to setting values in /proc/sys.
I'm in partucular interested in everything below /proc/sys/net.

I have an unprivileged container in which everything below /proc/sys/net is owned and writable by root.
In the container I can modify e.g. the parameter "net.ipv4.conf.all.accept_redirects" with:
sysctl -w net.ipv4.conf.all.accept_redirects=0

However, I cannot use lxc.sysctl.net.ipv4.conf.all.accept_redirects=0 in the container configuration file:
unable to parse config: lxc.sysctl.net.ipv4.conf.all.accept_redirects=0

Why does setting the parameter via sysctl in the above case work and what's the problem with the lxc.sysctl config parameter ?
 
hi,

geppi said:
However, I cannot use lxc.sysctl.net.ipv4.conf.all.accept_redirects=0 in the container configuration file:
Click to expand...
there are two configuration files for a container:
* /etc/pve/lxc/CTID.conf, this is the config used by the PVE stack, used to partially generate the next config:
* /var/lib/lxc/CTID/config is the config used by LXC (don't write directly here, because it will be ignored and regenerated)

in the PVE LXC config are some raw lxc keys allowed [0], but lxc.sysctl.net.ipv4.conf.all.accept_redirects=0 is not one of them :)
though you can write a script inside the container that runs sysctl -w net.ipv4.conf.all.accept_redirects=0 at boot time ;)

hope this helps!

[0]: https://git.proxmox.com/?p=pve-cont...6826e5ae4a42d01f4597aacb38ed7dc8;hb=HEAD#l592
 
Thank you for the link with the allowed keys.

Would it be possible to elaborate a little on why the lxc.sysctl.net.* keys are not allowed although the kernel parameters can be configured from inside even an unprivileged container ? Obviously they're namespaced, right ?

Is my understanding correct that entering net.ipv4.conf.all.accept_redirects = 0 into /etc/sysctl.conf is doing the job as well ?
 
geppi said:
Would it be possible to elaborate a little on why the lxc.sysctl.net.* keys are not allowed although the kernel parameters can be configured from inside even an unprivileged container ? Obviously they're namespaced, right ?
Click to expand...
right, they're namespaced with CLONE_NEWNET and since the sysctl inside the container works it might make sense to allow these keys as well. could you make a feature request on our bugtracker [0] ?

[0]: https://bugzilla.proxmox.com
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom