Comment 3 for bug 1300927

Serge Hallyn (serge-hallyn) wrote :

Thanks for the info. I was mis-remembering and thought we had
changed the procps job to ignore eperm failures, but in fact it
only ignores failures due to unknown keys.

A container is in fact not allowed to change any sysctl values
other than /proc/sys/kernel/shm*.

We could make sysctl ignore the write failures, but that may not
be the safest thing to do long-term.

In the meantime, in your container you should edit /etc/sysctl.conf
and /etc/sysctl.d/* and remove the net.core.somaxconn, fs.suid_dumpable,
kernel.yama.ptrace_scope, kernel.core_uses_pid, kernel.printk, and
kernel.kptr_restrict entries.
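An added example, not code from the bug report or from procps: a POSIX shell helper that lists the keys in a sysctl-style file that fall outside the kernel.shm* set a container may write, and comments them out so the procps job no longer hits EPERM on them (the sample file contents are constructed).

```shell
#!/bin/sh
# Added example (not from the bug report): find sysctl entries that an
# unprivileged container cannot apply and comment them out in place.
# Per the comment above, only /proc/sys/kernel/shm* (kernel.shm*) is
# writable from inside the container; anything else fails with EPERM.

# Print the keys in a sysctl-style file that the container may not set.
# Handles '#' and ';' comments, blank lines, and "key = value" spacing.
list_blocked_keys() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1" \
    | awk -F= '{ gsub(/^[ \t]+|[ \t]+$/, "", $1); print $1 }' \
    | grep -v '^kernel\.shm'
}

# Comment out every blocked key in the given file (edits it in place).
comment_out_blocked() {
    f="$1"
    keys=$(list_blocked_keys "$f")
    printf '%s\n' "$keys" | while read -r key; do
        [ -n "$key" ] || continue
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for sed
        sed -i -e "s/^[[:space:]]*\(${esc}[[:space:]]*=\)/# blocked in container: \1/" "$f"
    done
}

# Constructed sample file mirroring the entries named in the comment;
# prints the path of the file it created.
demo_setup() {
    dir=$(mktemp -d)
    cat > "$dir/sysctl.conf" <<'EOF'
# sample sysctl.conf (constructed for this example)
net.core.somaxconn = 1024
fs.suid_dumpable=0
kernel.yama.ptrace_scope = 1
kernel.shmmax = 268435456
kernel.kptr_restrict = 1
EOF
    printf '%s\n' "$dir/sysctl.conf"
}
```

Run `comment_out_blocked /etc/sysctl.conf` and the same for each file under /etc/sysctl.d/ inside the container; the kernel.shm* lines are left untouched.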