/proc/sys/fs/ permissions

[jonathanbeber]

hey there,

I'm trying to disable the protected_regular setting in a sysbox container and I get an error (permission denied). This flag is not enabled in the host node but it's enabled in the containers, what I beleive is due to the nature of the /proc partial virtualization. Is there a way to change it?

Thanks in advance!

[ctalledo]

Hi @jonathanbeber, thanks for reporting the issue.

I'm trying to disable the protected_regular setting in a sysbox container and I get an error (permission denied)

Yes, that particular sysctl (/proc/sys/fs/protected_regular) is not namespaced in the Linux kernel, so an unprivileged (aka rootless) container such as those created by Sysbox won't have permission to write to the sysctl, unless Sysbox can virtualize it which it currently does not.

This flag is not enabled in the host node but it's enabled in the containers, what I beleive is due to the nature of the /proc partial virtualization.

That is strange; Sysbox does not touch (set or clear) that sysctl, so not sure why it's different in the container compared to the host. I was not able to reproduce either.

In my Ubuntu Jammy host:

$ cat /proc/sys/fs/protected_regular 
2

From within a Sysbox container:

$ docker run --runtime=sysbox-runc --rm alpine cat /proc/sys/fs/protected_regular
2

If I change it to 0 on the host, the sysbox container also reports 0.

[jonathanbeber]

Thank you very much for your reply, @ctalledo. I was tricked by it because of existing pods. New ones are indeed copying the updated value. I believe the value just can't change after the container is initialized.

[ctalledo]

Ok got it;

I believe the value just can't change after the container is initialized.

That's correct, and that's by design because the changing the value would affect the entire host, not just the container (i.e., it's not namespaced yet).

Sounds like we can close this discussion then?

Thanks!

[jonathanbeber]

That's correct, and that's by design because the changing the value would affect the entire host, not just the container (i.e., it's not namespaced yet).

But I do can change it in the host in a "hot" way, why is the value being copied instead of mounted as readonly?

In any case, for my specific scenario I can change this parameter during the AMI creation, it's more my curiosity right now.

And yes, I beleive we can close it. Thank you very much for your help.

[ctalledo]

But I do can change it in the host in a "hot" way, why is the value being copied instead of mounted as readonly?

The idea is: root on the host has control over the entire host, so it can change anything. But root in the Sysbox container should only be allowed to change settings that affect the container only, not host-wide settings. Since this particular sysctl is host-wide, you can't change it from within the container.

And yes, I beleive we can close it. Thank you very much for your help.

Sure, happy to help, thanks for raising the issue and giving Sysbox a shot.