Thanks for the info. I was mis-remembering and thought we had
changed the procps job to ignore eperm failures, but in fact it
only ignores failures due to unknown keys.
A container is in fact not allowed to change any sysctl values
other than /proc/sys/kernel/shm*.
We could make sysctl ignore the write failures, but that may not
be the safest thing to do long-term.
In the meantime, in your container you should edit /etc/sysctl.conf
and /etc/sysctl.d/* and remove the net.core.somaxconn, fs.suid_dumpable,
kernel.yama.ptrace_scope, kernel.core_uses_pid, kernel.printk, and
kernel.kptr_restrict entries.
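As an added illustration (not part of the original message), a POSIX sh script that comments out exactly the keys the message lists in a sysctl fragment, so procps no longer attempts the EPERM writes inside the container. It assumes the message's "kernel,ptr_restrict" means the real sysctl kernel.kptr_restrict, and the sample file in demo() is constructed here rather than taken from any system.

```shell
#!/bin/sh
# Keys the message says a container is not allowed to set.
# kernel.kptr_restrict is assumed to be the intended spelling.
DENIED_KEYS="net.core.somaxconn fs.suid_dumpable kernel.yama.ptrace_scope kernel.core_uses_pid kernel.printk kernel.kptr_restrict"

# comment_out_keys FILE: rewrite FILE in place, prefixing '#' to every line
# whose key (text before '=', leading whitespace ignored) is in DENIED_KEYS.
# Prints the number of lines that were commented out.
comment_out_keys() {
    file="$1"
    tmp="$file.tmp.$$"
    changed=0
    while IFS= read -r line || [ -n "$line" ]; do
        # "key = value" and "key=value" both reduce to "key"; comment lines keep their '#'
        key=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=.*$//')
        hit=0
        for k in $DENIED_KEYS; do
            if [ "$key" = "$k" ]; then hit=1; break; fi
        done
        if [ "$hit" -eq 1 ]; then
            printf '#%s\n' "$line"
            changed=$((changed + 1))
        else
            printf '%s\n' "$line"
        fi
    done < "$file" > "$tmp"
    mv "$tmp" "$file"
    echo "$changed"
}

# demo: a constructed sysctl.d-style fragment (not a real file from the message)
demo() {
    f=$(mktemp)
    printf '%s\n' 'net.core.somaxconn = 1024' 'vm.swappiness=10' \
        '  kernel.kptr_restrict=1' '# kernel.printk = 4 4 1 7' 'kernel.shmmax = 1' > "$f"
    n=$(comment_out_keys "$f")
    echo "commented out $n line(s):"
    cat "$f"
    rm -f "$f"
}

# With arguments, process the given files (e.g. /etc/sysctl.conf /etc/sysctl.d/*);
# without arguments, run the constructed demo.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do comment_out_keys "$f" >/dev/null; done
else
    demo
fi
```

Lines whose key is already commented out or is permitted (such as kernel.shm*) are left untouched.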