On 03.07.2014 20:02, William Hubbs wrote:
> This is a question to lxc users, since I don't run it.
> 
> I have a bug against OpenRC in which the user is saying that I should
> allow /etc/init.d/sysctl to run inside an lxc container [1].
> 
> My understanding is that this is not a good idea since an lxc container
> actually changes settings in the host's kernel.
> 
> The user's position seems to be that it should be up to the lxc
> template or the sys admin to make sure they configure things correctly.
> 
> Does anyone have any thoughts? Is this something I should allow people
> to shoot themselves in the foot with if they do something wrong?
> 
> Thanks,
> 
> William
> 
> [1] https://bugs.gentoo.org/show_bug.cgi?id=516050
> 

Comment #3 in the bug is mostly right. By dropping CAP_SYS_ADMIN you can
prevent changing most of the global sysctl settings. Other settings
can still be changed by root inside the container, but these settings
are separate and unique to each container (like ip_forward and all the
network stuff that sits in the network namespace).

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop-effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead
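As an added illustration of the split Sergey describes (not code from the thread, OpenRC or lxc), the script below sketches how a sysctl init step could decide what to apply inside a container: it reads the CapEff mask in the format /proc/<pid>/status reports, treats CAP_SYS_ADMIN (capability 21) as the gate for host-wide keys, and treats net.* keys as per-network-namespace. The sysctl.conf fragment and the two capability masks are constructed sample input, and classifying every net.* key as namespaced is a simplification (a few net.core keys remain global).

```shell
#!/bin/sh
# Added example: guard a sysctl step inside a container.
# Assumed inputs: a CapEff hex mask as printed in /proc/<pid>/status and a
# sysctl.conf-style list of keys. All sample data below is constructed.

# Constructed sysctl.conf fragment (not from the thread).
SAMPLE_CONF='net.ipv4.ip_forward = 1
kernel.sysrq = 0
# a comment line
vm.swappiness = 10
net.ipv6.conf.all.disable_ipv6 = 1'

# CAP_SYS_ADMIN is capability number 21, i.e. bit 21 of the CapEff mask.
CAP_SYS_ADMIN_BIT=21

# Return 0 when CAP_SYS_ADMIN is present in the given hex mask
# (e.g. 0000003fffffffff as shown by "grep CapEff /proc/self/status").
has_cap_sys_admin() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Classify a key: net.* keys are resolved in the caller's network namespace,
# so each container gets its own copy (simplification: some net.core keys
# are still global). Everything else is a host-wide kernel setting.
classify_key() {
    case "$1" in
        net.*) echo namespaced ;;
        *)     echo global ;;
    esac
}

# For every key in SAMPLE_CONF decide whether to apply or skip it given the
# CapEff mask in $1. Prints one "apply KEY" or "skip KEY" line per key:
# with CAP_SYS_ADMIN everything is applied, without it only namespaced keys.
plan_sysctl() {
    if has_cap_sys_admin "$1"; then privileged=1; else privileged=0; fi
    printf '%s\n' "$SAMPLE_CONF" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blank and comment lines
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        if [ "$privileged" -eq 1 ] || [ "$(classify_key "$key")" = namespaced ]; then
            echo "apply $key"
        else
            echo "skip $key"
        fi
    done
}

# Stand-alone demo: full capability set vs. the same set with bit 21 cleared.
demo() {
    echo "== with CAP_SYS_ADMIN ==";    plan_sysctl 0000003fffffffff
    echo "== without CAP_SYS_ADMIN =="; plan_sysctl 0000003fffdfffff
}
demo
```

Run it as `sh guard.sh`; in a real init script the mask would come from `/proc/self/status` rather than a constant, and the skipped keys are exactly the ones that would otherwise be attempted against the host kernel.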
