      Writable Namespace Kernel Parameters

      Function Description

      Services running in containers, such as databases, big data workloads, and common applications, often need kernel parameters set and adjusted to obtain optimal performance and reliability. In a conventional container, write access to kernel parameters is all-or-nothing: it is either disabled for every parameter, or enabled for every parameter by running a privileged container.

      When write access is disabled, the only external interface is --sysctl, which sets parameter values when the container is created; the parameters cannot be changed flexibly from inside the running container.

      When write access is enabled, the kernel parameters that are not namespaced remain global to the kernel. If such a parameter is modified in the container, every program on the host is affected, harming security.

        

      System containers provide the --ns-change-opt parameter, which dynamically makes namespace kernel parameters writable in a container while the rest of /proc/sys stays read-only. The parameter value can be net or ipc.

      Parameter Description

      Command: isula create/run

      Parameter: --ns-change-opt

      Value Description:

      • Variable of the string type.
      • The parameter value can be net or ipc.

        net: All namespace parameters in the /proc/sys/net directory are supported.

        ipc: The following namespace parameters are supported:

        /proc/sys/kernel/msgmax
        /proc/sys/kernel/msgmnb
        /proc/sys/kernel/msgmni
        /proc/sys/kernel/sem
        /proc/sys/kernel/shmall
        /proc/sys/kernel/shmmax
        /proc/sys/kernel/shmmni
        /proc/sys/kernel/shm_rmid_forced
        /proc/sys/fs/mqueue/msg_default
        /proc/sys/fs/mqueue/msg_max
        /proc/sys/fs/mqueue/msgsize_default
        /proc/sys/fs/mqueue/msgsize_max
        /proc/sys/fs/mqueue/queues_max

      • You can specify multiple namespace configurations, separated by commas (,). For example: --ns-change-opt=net,ipc.

      Constraints

      • If both --privileged (privileged container) and --ns-change-opt are specified when the container is started, --ns-change-opt does not take effect. A privileged container already has write access to all kernel parameters, so the selective namespace mounts are not applied.

      Example

      Start a container and set --ns-change-opt to net.

      [root@localhost ~]# isula run -tid --ns-change-opt net --system-container --external-rootfs /root/myrootfs none init
      4bf44a42b4a14fdaf127616c90defa64b4b532b18efd15b62a71cbf99ebc12d2
      [root@localhost ~]# isula exec -it 4b mount | grep /proc/sys
      proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
      proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime)
      

      The mount point /proc/sys/net in the container carries the rw option, indicating that the net namespace kernel parameters under /proc/sys/net can be read and written from inside the container, while /proc/sys itself remains read-only (ro).

      Start another container and set --ns-change-opt to ipc.

      [root@localhost ~]# isula run -tid --ns-change-opt ipc --system-container --external-rootfs /root/myrootfs none init
      c62e5e5686d390500dab2fa76b6c44f5f8da383a4cbbeac12cfada1b07d6c47f
      [root@localhost ~]# isula exec -it c6 mount | grep /proc/sys
      proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
      proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/shmmax type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/shmmni type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/shmall type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/shm_rmid_forced type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/msgmax type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/msgmni type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/msgmnb type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/kernel/sem type proc (rw,nosuid,nodev,noexec,relatime)
      proc on /proc/sys/fs/mqueue type proc (rw,nosuid,nodev,noexec,relatime)
      

      Each ipc-related kernel parameter is mounted separately in the container with the rw option (the /proc/sys/fs/mqueue directory is mounted as a whole), indicating that the ipc namespace kernel parameters can be read and written from inside the container, while /proc/sys itself remains read-only (ro).
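      The two mount listings above are the check worth automating: confirm that /proc/sys itself stays ro, and that the only rw mount points are the ones --ns-change-opt is documented to expose for the requested namespaces. The POSIX shell script below is an added example and is not part of iSula or the openEuler documentation. It parses `mount` output in the format shown above, fails when the /proc/sys root is writable (the privileged-container case, where host-global sysctls become writable), and reports any rw mount point outside the documented set for a given --ns-change-opt value. The function names, the check_container wrapper, and the treatment of /proc/sys/fs/mqueue as a single mount point (as in the ipc listing above) are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page (not iSula project code): audit which /proc/sys
# paths are writable inside a container, from the container's own `mount` output.
# Assumes only the `isula exec <id> mount` output format shown on this page;
# all function and variable names are the example's own.

# audit_sysctl_mounts: read `mount` output on stdin and print "rw <path>" or
# "ro <path>" for every proc mount at or below /proc/sys. Returns 1 when the
# /proc/sys root itself is rw, because then every sysctl, including the
# non-namespaced ones that are global to the host kernel, is writable.
audit_sysctl_mounts() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "proc on /proc/sys type "*|"proc on /proc/sys/"*) ;;
            *) continue ;;          # skips e.g. /proc/sysrq-trigger and non-proc mounts
        esac
        rest=${line#proc on }
        mp=${rest%% *}              # mount point
        opts=${line#*\(}
        opts=${opts%\)}             # text inside the parentheses, e.g. ro,nosuid,...
        case ",$opts," in
            *,rw,*) mode=rw ;;
            *)      mode=ro ;;
        esac
        printf '%s %s\n' "$mode" "$mp"
        if [ "$mp" = /proc/sys ] && [ "$mode" = rw ]; then status=1; fi
    done
    return $status
}

# documented_rw_paths: print the mount points that --ns-change-opt is documented
# to expose writable for the given value (net, ipc, or net,ipc). The ipc list
# follows the example output on this page, where /proc/sys/fs/mqueue is mounted
# as a directory rather than file by file.
documented_rw_paths() {
    for ns in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$ns" in
            net) echo /proc/sys/net ;;
            ipc) for p in msgmax msgmnb msgmni sem shmall shmmax shmmni shm_rmid_forced; do
                     echo "/proc/sys/kernel/$p"
                 done
                 echo /proc/sys/fs/mqueue ;;
            *)   echo "unknown namespace '$ns' (expected net or ipc)" >&2; return 2 ;;
        esac
    done
}

# unexpected_rw_paths: read audit_sysctl_mounts output on stdin and print every
# rw mount point that is not in the documented set for $1. Returns 1 if any.
unexpected_rw_paths() {
    expected=$(documented_rw_paths "$1") || return 2
    found=0
    while read -r mode mp; do
        [ "$mode" = rw ] || continue
        if printf '%s\n' "$expected" | grep -qxF -- "$mp"; then
            :                       # documented, nothing to report
        else
            printf '%s\n' "$mp"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# check_container: run the audit against a live container.
#   check_container <container-id> <net|ipc|net,ipc>
# Prints the mount audit; unexpected rw mounts go to stderr with exit status 1.
check_container() {
    audit=$(isula exec "$1" mount | audit_sysctl_mounts) ||
        echo "WARNING: /proc/sys root is rw; host-global sysctls are writable" >&2
    printf '%s\n' "$audit"
    unexpected=$(printf '%s\n' "$audit" | unexpected_rw_paths "$2") && return 0
    for p in $unexpected; do echo "unexpected rw mount: $p" >&2; done
    return 1
}

if [ $# -ge 2 ]; then
    check_container "$1" "$2"
fi
```

      Run it as `sh audit.sh <container-id> net` (or `ipc`, or `net,ipc`) on the host. A non-zero exit means either the /proc/sys root is writable, which is what happens when --privileged wins over --ns-change-opt, or a writable mount point exists that the table above does not list for the requested namespaces.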
