ocp4: Remove the rule that disables user namespaces #5268
Conversation
As the rule itself says, we should not disable the support for user namespaces on container hosts such as RHCOS.
|
@jhrozek should we actually specify the values that are needed for |
|
On Tue, Mar 10, 2020 at 07:57:11AM -0700, Gabe Alford wrote:
@jhrozek should we actually specify the values that are needed for `sysctl_user_max_user_namespaces`?
Do you mean the value for the actual sysctl parameter? Do you think we
should override the default?
|
@jhrozek was thinking if the RHCOS content should be opinionated in setting the expected |
|
On Tue, Mar 10, 2020 at 01:22:40PM -0700, Gabe Alford wrote:
> On Tue, Mar 10, 2020 at 07:57:11AM -0700, Gabe Alford wrote: @jhrozek should we actually specify the values that are needed for `sysctl_user_max_user_namespaces`?
> Do you mean the value for the actual sysctl parameter? Do you think we should override the default?
@jhrozek was thinking if the RHCOS content should be opinionated in setting the expected `sysctl_user_max_user_namespaces` value for RHCOS rather than disabling it. Like the value should be greater than 0, "1500", or some other value. It may not make sense as `sysctl_user_max_user_namespaces` might need to be dynamic. Just curious if the policy should be opinionated about a value instead of disabling it.
Since I cannot think of any hardening or compliance reason to diverge
from the default, my opinion is that we should just stick with the
default.
|
|
@JAORMX do you have an opinion on this PR? |
|
I think we should stick with the default. User namespaces are crucial for containers and the numbers will increase in the foreseeable future due to the move to rootless containers. So my take is : let's not mess with this so we don't break deployments. |
Description:
Do not disable user namespaces via sysctl for RHCOS.
Rationale:
As the rule itself says, we should not disable the support for user
namespaces on container hosts such as RHCOS.