canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

Network sysctl config not getting applied in container #13386

Open vernhart opened 4 months ago

vernhart commented 4 months ago

Required information

Issue description

Some sysctl network parameters are not getting set despite what is set in /etc/sysctl.conf. On both the host and container I have:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

I have rebooted the host and later I rebooted the container. The results are always the same. On the host:

$ grep . /proc/sys/net/*/conf/{all,default}/accept_redirects
/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv6/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/default/accept_redirects:0
/proc/sys/net/ipv6/conf/default/accept_redirects:0

And in the container:

$ grep . /proc/sys/net/*/conf/{all,default}/accept_redirects
/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv6/conf/all/accept_redirects:1
/proc/sys/net/ipv4/conf/default/accept_redirects:0
/proc/sys/net/ipv6/conf/default/accept_redirects:1

After some testing, I was able to get the desired result (all zeros) by setting net.core.devconf_inherit_init_net = 1 in the host OS and rebooting the container.

tomponline commented 4 months ago

One workaround to this (instead of using net.core.devconf_inherit_init_net = 1 on the host) is to use these instance (or profile) settings:

lxc config set c1 \
    linux.sysctl.net.ipv6.conf.all.accept_redirects=0 \
    linux.sysctl.net.ipv6.conf.default.accept_redirects=0

lxc restart c1

lxc exec c1 -- sysctl -a | grep accept_redirect | grep all
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

lxc exec c1 -- sysctl -a | grep accept_redirect | grep default
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
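
A drift check for the workaround above, as an added example that is not part of the issue thread or of LXD itself: it compares a `sysctl -a` style dump against the expected hardening values and reports the keys that deviate, which catches the IPv6 entries silently staying at 1 as shown in the container output above. The dump here is a constructed sample reproducing that output; `sysctl_drift`, `EXPECTED` and `SAMPLE_DUMP` are hypothetical names.

```shell
#!/bin/sh
# Added audit helper (not LXD code): report sysctl keys whose live value
# differs from the value expected by the container's /etc/sysctl.conf.

# Expected values from the issue, one key=value per line.
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0'

# Constructed sample of "sysctl -a" output from the affected container:
# the IPv6 entries are still 1 despite sysctl.conf, plus an unrelated key.
SAMPLE_DUMP='net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 1
net.ipv4.ip_forward = 1'

# sysctl_drift DUMP
#   Prints "key expected=X actual=Y" for every expected key whose value in
#   DUMP differs (actual=missing when the key is absent) and returns the
#   number of drifted keys, so 0 means the dump matches the expectations.
sysctl_drift() {
    dump=$1
    drift=0
    for entry in $EXPECTED; do            # keys contain no whitespace
        key=${entry%%=*}
        want=${entry#*=}
        # "sysctl -a" prints "key = value"; match the key by exact string
        # equality rather than as a regex, since the dots would be wildcards.
        actual=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $3; exit }')
        [ -n "$actual" ] || actual=missing
        if [ "$actual" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$actual"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# Usage on the constructed sample; in practice pass "$(lxc exec c1 -- sysctl -a)".
sysctl_drift "$SAMPLE_DUMP" || echo "drifted keys: $?"
```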

tomponline commented 3 months ago

Based on https://discourse.ubuntu.com/t/cannot-turn-off-net-ipv4-conf-rp-filter-no-matter-whats-in-etc-sysctl-conf/43611/10?u=tomp we should also confirm this isn't specific to systemd based instance OSes.