Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Network sysctl config not getting applied in container #13386

Open
vernhart opened this issue Apr 25, 2024 · 2 comments
Open

Network sysctl config not getting applied in container #13386

vernhart opened this issue Apr 25, 2024 · 2 comments
Assignees
@mihalicyn
Labels
Bug Confirmed to be a bug
Milestone
lxd-6.1

Comments

@vernhart
Copy link

vernhart commented Apr 25, 2024
edited

Required information

  • Distribution: Ubuntu
  • Distribution version: 22.04.04
  • Kernel version: 5.15.0-101-generic
  • LXC version: 5.0.3
  • LXD version: 5.0.3-ffb17cf

Issue description

Some sysctl network parameters are not getting set despite what is set in /etc/sysctl.conf.
On both the host and container I have:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

I have rebooted the host and later I rebooted the container. The results are always the same. On the host:

$ grep . /proc/sys/net/*/conf/{all,default}/accept_redirects
/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv6/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/default/accept_redirects:0
/proc/sys/net/ipv6/conf/default/accept_redirects:0

And in the container:

$ grep . /proc/sys/net/*/conf/{all,default}/accept_redirects
/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv6/conf/all/accept_redirects:1
/proc/sys/net/ipv4/conf/default/accept_redirects:0
/proc/sys/net/ipv6/conf/default/accept_redirects:1

After some testing, I was able to get the desired result (all zeros) by setting net.core.devconf_inherit_init_net = 1 in the host OS and rebooting the container.
@mihalicyn mihalicyn self-assigned this Apr 25, 2024
@tomponline tomponline added the Bug Confirmed to be a bug label Apr 25, 2024
@tomponline tomponline added this to the lxd-6.1 milestone Apr 25, 2024
@tomponline
Copy link
Member

tomponline commented Apr 29, 2024
edited

One workaround to this (instead of using net.core.devconf_inherit_init_net = 1 on the host) is to use these instance (or profile) settings:

lxc config set c1 \
    linux.sysctl.net.ipv6.conf.all.accept_redirects=0 \
    linux.sysctl.net.ipv6.conf.default.accept_redirects=0

lxc restart c1

lxc exec c1 -- sysctl -a | grep accept_redirect | grep all
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

lxc exec c1 -- sysctl -a | grep accept_redirect | grep default
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

@tomponline
Copy link
Member

Based on https://discourse.ubuntu.com/t/cannot-turn-off-net-ipv4-conf-rp-filter-no-matter-whats-in-etc-sysctl-conf/43611/10?u=tomp we should also confirm this isn't specific to systemd based instance OSes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mihalicyn mihalicyn

Labels
Bug Confirmed to be a bug
Projects
None yet
Milestone
lxd-6.1
Development

No branches or pull requests
3 participants
@mihalicyn @tomponline @vernhart