Networking: Clear Containers allows over-ride of network parameters

[jcvenegas]

From @mcastelino on April 7, 2017 21:44

In the case of clear container we allow the over-ride of networking parameters. example echo "33000 60999" > /proc/sys/net/ipv4/ip_local_port_range

Doing this is not allowed in the case of runc containers

Docker does support tweaking via the systctl setup for namespaced properties. https://docs.docker.com/engine/reference/commandline/run/#options

docker run --sysctl net.ipv4.ip_forward=1 someimage We need to evaluate if we want to provide identical behavior or allow this implicit re-configuration by the work load itself.

Copied from original issue: 01org/cc-oci-runtime#803

[amshinde]

Docker sets certain paths in the container as readonly passed in the config.json: "readonlyPaths": [ "/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ],

Reference: https://github.com/opencontainers/runtime-spec/blob/c83b8c80fd87c6e3c5ffaa01c262e680dc809880/specs-go/config.go#L171

We need to set read these paths and set them as read-only.