Comment # 3 on bug 1233410 from Aleksa Sarai
Yeah those are good points.

The main reason for including these in the LXD and Incus packaging is to ensure
that some of the values are large enough to be able to run several thousand
system containers on one system (IIRC some of the default system limits on
openSUSE lead to a few hundred containers maximum). Maybe it would make more
sense to move things into an lxc-sysctl-common package that both LXD and Incus
depend on to avoid duplication?

We could definitely do it in a systemd unit instead, but is that okay from the
security team's perspective? We would probably store the sysctl config in a
different directory so there will no longer be an rpmlint blocking us from
updating it without an audit... (Obviously admin programs can modify sysctls
arbitrarily, so even with an rpmlint you can't be sure that programs aren't
doing dumb things, but I guess I'm not entirely sure what the intended scope of
sysctl audits is. Is it only for catching stuff that gets applied on-boot
automatically if you install a package?)
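Whichever directory ends up holding the sysctl config, the question an auditor actually cares about is whether the packaged values are the ones in effect on the running host. As an added example (not from this bug thread, and not the LXD/Incus packaging), here is a POSIX shell check that reads a sysctl.d-style drop-in and compares each key against the matching file under /proc/sys, reporting keys that are missing or whose live value is below the configured one. The sysctl names and numbers in the sample drop-in are constructed for the demo, and the fake /proc/sys tree is built under a temporary directory so the script runs offline; point `sysctl_check` at the real `/proc/sys` (its default) to check a live host.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the LXD/Incus packages:
# verify that the values in a sysctl.d-style drop-in are actually in effect by
# reading the matching files under /proc/sys. The sysctl names and numbers used
# in the sample drop-in are illustrative only, not the packages' real settings.

# Write a constructed sample drop-in to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample: minimums a container host might want (values illustrative)
fs.inotify.max_user_instances = 1024
kernel.keys.maxkeys = 2000
kernel.keys.maxbytes = 2000000
EOF
}

# Build a fake /proc/sys tree under $1 so the check can run offline:
# one value too low, one matching, and one key absent altogether.
make_fake_procsys() {
    mkdir -p "$1/fs/inotify" "$1/kernel/keys"
    echo 128  > "$1/fs/inotify/max_user_instances"
    echo 2000 > "$1/kernel/keys/maxkeys"
}

# sysctl_check CONF [PROCSYS]
# For each "key = value" line in CONF, read the live value from PROCSYS
# (default /proc/sys). Prints one line per key that is missing or whose live
# numeric value is below the configured one; returns that count (0 = no drift).
sysctl_check() {
    conf=$1
    procsys=${2:-/proc/sys}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac   # skip blanks and comments
        key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        path=$procsys/$(printf '%s' "$key" | tr . /)   # a.b.c -> a/b/c
        if [ ! -r "$path" ]; then
            echo "MISSING $key"
            bad=$((bad + 1))
            continue
        fi
        live=$(cat "$path")
        case "$live$val" in
            *[!0-9]*)   # non-numeric value: only an exact match counts as applied
                [ "$live" = "$val" ] || { echo "DIFF $key: live='$live' configured='$val'"; bad=$((bad + 1)); } ;;
            *)
                [ "$live" -ge "$val" ] || { echo "LOW $key: live=$live configured=$val"; bad=$((bad + 1)); } ;;
        esac
    done < "$conf"
    return "$bad"
}

# Demo run against the constructed drop-in and fake /proc/sys tree.
tmp=$(mktemp -d)
make_sample_conf "$tmp/90-containers.conf"
make_fake_procsys "$tmp/proc-sys"
sysctl_check "$tmp/90-containers.conf" "$tmp/proc-sys" || echo "$? setting(s) not in effect"
rm -rf "$tmp"
```

Run on a real host, a non-zero exit tells you that something (a later drop-in, a unit, or a program poking /proc/sys directly) has left the packaged value out of effect, which is the kind of drift an rpmlint check on the file alone cannot see.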
