[Bug 1233410] New: AUDIT-0: incus: new package with sysctl.d drop-in
https://bugzilla.suse.com/show_bug.cgi?id=1233410

            Bug ID: 1233410
           Summary: AUDIT-0: incus: new package with sysctl.d drop-in
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: asarai@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

This sysctl drop-in is based on the already-approved 60-lxd.sysctl for the lxd package, but with a few extra options.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233410#c1

--- Comment #1 from Aleksa Sarai <asarai@suse.com> ---
https://build.opensuse.org/package/show/Virtualization:containers/incus is the devel project for the package.
https://bugzilla.suse.com/show_bug.cgi?id=1233410#c2

Matthias Gerstner <matthias.gerstner@suse.com> changed:
  CC: added matthias.gerstner@suse.com, security-team@suse.de

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Thanks for creating the AUDIT bug.

Back when I looked into the lxc sysctl file I already wondered whether there wouldn't be a better way to do this. As it is, as soon as incus is installed, major system settings are altered permanently. I would find it better to perform these settings only when the containers are actually used, e.g. via a systemd unit or something. Just a thought.

What happens when incus and lxc are installed in parallel now? Then there will be conflicting settings. We'll have "60-lxd.conf" and "60-incus.conf", so LXD will probably win, appearing later in the alphabet. But some settings on top of the LXD settings done by the incus file will remain.

Security wise I guess the file is okay, though.
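The ordering conflict described in comment #2 (two packages each shipping a 60-*.conf drop-in) can be reproduced without installing either package. The script below is an added example and is not part of this bug thread or of the lxd or incus packages: it reimplements the merge rule from sysctl.d(5) in POSIX sh and runs it over two constructed drop-ins whose keys and values are illustrative only (the real files' contents are not reproduced here). The helper names make_sample_dropins, effective_sysctl and effective_value are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread or the lxd/incus packages):
# reimplement the merge rule of sysctl.d(5) so the combined effect of two
# same-priority drop-ins can be inspected offline.
#
# Rules modelled:
#   1. Files are applied in C-locale lexicographic order of their basename,
#      so 60-incus.conf is applied before 60-lxd.conf.
#   2. For a key set in several files, the last applied value wins.
#   3. A file in a higher-priority directory (e.g. /etc/sysctl.d) shadows a
#      file with the same basename in a lower one (e.g. /usr/lib/sysctl.d).
#   4. A leading "-" on a key only suppresses errors; it does not change
#      the merge.
# The drop-in contents below are constructed for illustration only.

LC_ALL=C
export LC_ALL

make_sample_dropins() {
    # $1 = directory to populate with two constructed same-priority drop-ins
    mkdir -p "$1"
    cat > "$1/60-incus.conf" <<'EOF'
# constructed sample standing in for the incus drop-in
kernel.keys.maxkeys = 2000
kernel.keys.maxbytes = 2000000
fs.inotify.max_user_instances = 1048576
EOF
    cat > "$1/60-lxd.conf" <<'EOF'
# constructed sample standing in for the lxd drop-in
kernel.keys.maxkeys = 1000
kernel.keys.maxbytes = 1000000
EOF
}

effective_sysctl() {
    # Arguments: sysctl.d directories in precedence order, highest first
    # (e.g. /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d).
    # Output: one "key<TAB>value<TAB>source-file" line per effective key.
    seen=" "
    files=""
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            base=${f##*/}
            case "$seen" in *" $base "*) continue ;; esac   # shadowed (rule 3)
            seen="$seen$base "
            files="$files$base $f
"
        done
    done
    # rule 1: order by basename; rule 2: awk keeps the last assignment per key
    ordered=$(printf '%s' "$files" | sort -k1,1 | cut -d' ' -f2-)
    [ -n "$ordered" ] || return 0
    # shellcheck disable=SC2086  # paths from mktemp/packaging contain no spaces
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comment or blank line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/^-/, "", key)                            # rule 4
            value[key] = val; source[key] = FILENAME
        }
        END { for (k in value) printf "%s\t%s\t%s\n", k, value[k], source[k] }
    ' $ordered | sort
}

effective_value() {
    # $1 = sysctl key, remaining arguments = directories as for effective_sysctl
    key=$1; shift
    effective_sysctl "$@" | awk -F'\t' -v k="$key" '$1 == k { print $2; exit }'
}

# stand-alone demonstration: both constructed drop-ins in one directory
demo=$(mktemp -d)
make_sample_dropins "$demo"
echo "effective settings with both drop-ins installed:"
effective_sysctl "$demo"
rm -rf "$demo"
```

Running it shows the two shared keys taking the 60-lxd.conf values while the extra key from 60-incus.conf survives, which is exactly the partial override described above. On a real host the same function can be pointed at /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d, and `systemd-sysctl --cat-config` prints the merged drop-ins in the order systemd actually applies them.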
https://bugzilla.suse.com/show_bug.cgi?id=1233410

Aleksa Sarai <asarai@suse.com> changed:
  CC: added asarai@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1233410#c3

--- Comment #3 from Aleksa Sarai <asarai@suse.com> ---
Yeah, those are good points. The main reason for including these in the LXD and Incus packaging is to ensure that some of the values are large enough to be able to run several thousand system containers on one system (IIRC some of the default system limits on openSUSE lead to a few hundred containers maximum).

Maybe it would make more sense to move things into an lxc-sysctl-common package that both LXD and Incus depend on to avoid duplication?

We could definitely do it in a systemd unit instead, but is that okay from the security team's perspective? We would probably store the sysctl config in a different directory so there will no longer be an rpmlint blocking us from updating it without an audit... (Obviously admin programs can modify sysctls arbitrarily, so even with an rpmlint you can't be sure that programs aren't doing dumb things, but I guess I'm not entirely sure what the intended scope of sysctl audits is. Is it only for catching stuff that gets applied on boot automatically if you install a package?)
https://bugzilla.suse.com/show_bug.cgi?id=1233410#c4

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---
I suggest you do it in whatever way is best for you and the outcome of the packaging. Doing it in a shared sysctl-common package also sounds good.

Are such high container loads common use cases? Maybe activating these settings should be left to the users that actually need them?

You are right, when the settings are moved out of the sysctl.d directories, then they won't pop up in rpmlint anymore. But we do have some monitoring, e.g. of newly introduced systemd services and changes to them. It's a best-effort approach.
https://bugzilla.suse.com/show_bug.cgi?id=1233410#c5

Aleksa Sarai <asarai@suse.com> changed:
  Status: NEW -> RESOLVED
  Resolution: --- -> UPSTREAM

--- Comment #5 from Aleksa Sarai <asarai@suse.com> ---
After talking to the upstream maintainers, they agree that dropping the sysctl file is probably the best course of action[1]. They expect that you would start hitting issues at around 100 concurrent containers (due to the very low keyring limits set by default), but at that point you would expect users to read the documentation and see what settings they need to apply.

[1]: https://discuss.linuxcontainers.org/t/incus-on-opensuse-tumbleweed-microos/1...
https://bugzilla.suse.com/show_bug.cgi?id=1233410#c7

--- Comment #7 from Marcus Meissner <meissner@suse.com> ---
openSUSE-RU-2024:0388-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1233410
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP6 (src): incus-6.7-bp156.2.1