sysctl handling not implemented

[egernst]

From @sameo on May 11, 2017 13:57

From @mcastelino on April 12, 2017 0:46

Docker supports setting namespaced kernel parameters at runtime, runc honors this. We do not honor the same and report success

docker run --runtime=cor --sysctl net.ipv4.ip_forward=1 -it alpine sh
/ # sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

docker run --runtime=runc --sysctl net.ipv4.ip_forward=1 -it alpine sh
/ # sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Copied from original issue: intel/cc-oci-runtime#817

Copied from original issue: containers/virtcontainers#246

[egernst]

From @sameo on May 11, 2017 13:57

From @mcastelino on April 12, 2017 1:8

Note that we can actually support the setting of more kernel configuration variables with clear containers as we have an independent instance of the kernel running inside the virtual machine. However we also need to communicate that the sysctl settings for Clear Containers are not propagated from the host.

This non propagation will matter in the case of kubernetes (https://kubernetes.io/docs/concepts/cluster-administration/sysctl-cluster/) where certian unsafe sysctl settings can be safely performed in the case of clear containers.

Also there are some parameters that are not namespaced for example

sysctl -w net.bridge.bridge-nf-call-arptables=0
which is not namespaced today even though they are under net which is namespaced.

[grahamwhaley]

Closing, as duplicate of #185 (information transferred over there....)