
Network sysctl config not getting applied in container

Open vernhart opened this issue 1 year ago • 2 comments

Required information

  • Distribution: Ubuntu
  • Distribution version: 22.04.04
  • Kernel version: 5.15.0-101-generic
  • LXC version: 5.0.3
  • LXD version: 5.0.3-ffb17cf

Issue description

Some sysctl network parameters are not getting set despite what is set in /etc/sysctl.conf. On both the host and container I have:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

I have rebooted the host and later I rebooted the container. The results are always the same. On the host:

$ grep . /proc/sys/net/*/conf/{all,default}/accept_redirects
/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv6/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/default/accept_redirects:0
/proc/sys/net/ipv6/conf/default/accept_redirects:0

And in the container:

$ grep . /proc/sys/net/*/conf/{all,default}/accept_redirects
/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv6/conf/all/accept_redirects:1
/proc/sys/net/ipv4/conf/default/accept_redirects:0
/proc/sys/net/ipv6/conf/default/accept_redirects:1

After some testing, I was able to get the desired result (all zeros) by setting net.core.devconf_inherit_init_net = 1 in the host OS and rebooting the container.

vernhart, Apr 25 '24 11:04

One workaround to this (instead of using net.core.devconf_inherit_init_net = 1 on the host) is to use these instance (or profile) settings:

lxc config set c1 \
    linux.sysctl.net.ipv6.conf.all.accept_redirects=0 \
    linux.sysctl.net.ipv6.conf.default.accept_redirects=0

lxc restart c1

lxc exec c1 -- sysctl -a | grep accept_redirect | grep all
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

lxc exec c1 -- sysctl -a | grep accept_redirect | grep default
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

tomponline, Apr 29 '24 08:04
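As an added example (not code from the issue or from the LXD project), the following POSIX shell script turns the manual checks above into a repeatable audit: it reads a sysctl.conf-style file, compares each key against the matching file under a /proc/sys tree, lists every mismatch, and emits the `linux.sysctl.*` key/value pairs that would pin those mismatches with `lxc config set`. The `ROOT` argument is an assumption of this script (it stands in for `/proc/sys`, so the audit can be run against a constructed tree offline); `make_demo_tree` builds such a tree mirroring the ipv4=0 / ipv6=1 result reported in the issue, and all of its values are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the LXD issue or project.
# Audits whether sysctl values from a conf file took effect under a /proc/sys
# tree, and prints the linux.sysctl.* settings that would pin any mismatches.

# audit_sysctl CONF ROOT
#   CONF: file with lines like "net.ipv6.conf.all.accept_redirects=0"
#   ROOT: directory standing in for /proc/sys (use /proc/sys inside the
#         container, e.g. via `lxc exec c1 -- sh -c '...'`; assumption of this
#         script, not an LXD interface).
# Prints one line per mismatch: "<key> expected=<v> actual=<a|MISSING>".
# Prints nothing when every key matches.
audit_sysctl() {
    conf=$1; root=$2
    # drop comments and blank lines; tolerate "key = value" spacing
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | tr -d '[:space:]')
        # net.ipv6.conf.all.accept_redirects -> ROOT/net/ipv6/conf/all/accept_redirects
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf '%s expected=%s actual=MISSING\n' "$key" "$val"
            continue
        fi
        actual=$(cat "$path")
        [ "$actual" = "$val" ] || printf '%s expected=%s actual=%s\n' "$key" "$val" "$actual"
    done
}

# lxc_sysctl_args CONF ROOT
# Converts the mismatches into "linux.sysctl.<key>=<expected>" lines, one per
# key that exists but holds the wrong value (missing keys cannot be pinned).
# Usage on a real container (illustrative):
#   lxc config set c1 $(lxc_sysctl_args /etc/sysctl.conf /proc/sys)
lxc_sysctl_args() {
    audit_sysctl "$1" "$2" | awk '$3 != "actual=MISSING" {
        split($2, e, "=")
        printf "linux.sysctl.%s=%s\n", $1, e[2]
    }'
}

# make_demo_tree ROOT
# Builds a constructed /proc/sys lookalike that reproduces the container
# result from the issue (ipv4 accept_redirects=0, ipv6 accept_redirects=1)
# plus a sysctl.conf asking for all four to be 0. Sample data only.
make_demo_tree() {
    root=$1
    for fam in ipv4 ipv6; do
        for scope in all default; do
            mkdir -p "$root/net/$fam/conf/$scope"
            if [ "$fam" = ipv4 ]; then v=0; else v=1; fi
            printf '%s\n' "$v" > "$root/net/$fam/conf/$scope/accept_redirects"
        done
    done
    cat > "$root/sysctl.conf" <<'EOF'
# constructed sample, mirrors the four lines from the issue
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
EOF
}

demo() {
    root=$(mktemp -d)
    make_demo_tree "$root"
    echo "mismatches:"
    audit_sysctl "$root/sysctl.conf" "$root"
    echo "suggested instance config:"
    lxc_sysctl_args "$root/sysctl.conf" "$root"
    rm -rf "$root"
}

if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

Run with `DEMO=1 sh audit.sh` to see the two ipv6 mismatches and the two `linux.sysctl.*` pairs; against a live container, pass `/proc/sys` as `ROOT` from inside `lxc exec`. Only keys that exist but hold the wrong value are turned into `linux.sysctl.*` settings, since a key that is absent from the container's `/proc/sys` (network namespace not exposing it) cannot be fixed by pinning.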

Based on https://discourse.ubuntu.com/t/cannot-turn-off-net-ipv4-conf-rp-filter-no-matter-whats-in-etc-sysctl-conf/43611/10?u=tomp we should also confirm this isn't specific to systemd based instance OSes.

tomponline, May 23 '24 10:05