[lxc-users] 4.0.6 regression: /proc/sys/net/ipv4/ip_forward: Read-only file system


Harald Dunkel

Feb 4, 2021, 9:32:03 AM
to LXC users mailing-list
Hi folks,

Since I moved from lxc 4.0.4 to 4.0.6 I get

# echo 0 >/proc/sys/net/ipv4/ip_forward
bash: /proc/sys/net/ipv4/ip_forward: Read-only file system

in the container. The man page says

lxc.mount.auto
specify which standard kernel file systems should be
automatically mounted. This may dramatically simplify
the configuration. The file systems are:

o proc:mixed (or proc): mount /proc as read-write, but
remount /proc/sys and /proc/sysrq-trigger read-only
for security / container isolation purposes.

o proc:rw: mount /proc as read-write

How come it worked before? Hopefully I am not too blind to see it,
but the git log doesn't show that this has been changed.


Every indication of wisdom and knowledge shown here is highly
appreciated

Harri

Harald Dunkel

Feb 5, 2021, 2:58:57 AM
to LXC users mailing-list
On 2/4/21 3:32 PM, Harald Dunkel wrote:
>
> How come it worked before? Hopefully I am not too blind to see it,
> but the git log doesn't show that this has been changed.
>

PS: I found

af9dd246df7c99740f153682e0eb427f1426693d
unmounted proc/sys/net if dropping CAP_NET_ADMIN

apparently introducing the problem for 4.0.6, and

952ab618268b4af2773ed9d8fade817363c28a5c
conf: fix CAP_NET_ADMIN-based mount handling

563ec46266b8967f0ee60e0032bbe66b3b37207c
conf: fix containers retaining CAP_NET_ADMIN

providing the fix (hopefully). Did I miss other related fixes?

Since breaking /proc is a very serious problem I wonder if it would
be reasonable to do an early release lxc 4.0.7, including these fixes?


Regards
Harri
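As an added diagnostic (not part of the original thread and not LXC project code), the POSIX shell script below checks the two signals the messages above tie together: which mount points under /proc/sys are mounted read-only according to /proc/self/mountinfo, and whether CAP_NET_ADMIN (capability number 12) is still in the effective set reported by the CapEff line of /proc/self/status. The mountinfo lines and the two capability masks embedded in the script are constructed for the example, not captured from a real container; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added diagnostic for the "/proc/sys/net: Read-only file system" symptom.
# Not LXC project code; run it inside the affected container with --live.

# Print every mount point at or below $2 whose mount options include "ro".
# $1 is text in /proc/self/mountinfo format (field 5 = mount point,
# field 6 = per-mount options such as "ro,nosuid,nodev").
ro_mounts_under() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $5 == p || index($5, p "/") == 1 {
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") { print $5; break }
        }'
}

# Return 0 if capability number $2 is set in the hex mask $1
# (the value printed after "CapEff:" in /proc/self/status).
has_cap() {
    mask=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

CAP_NET_ADMIN=12   # capability number from the kernel's capability list

# Constructed sample (not from a real host): /proc is rw, but /proc/sys,
# /proc/sys/net and /proc/sysrq-trigger were remounted read-only.
SAMPLE_MOUNTINFO='30 25 0:23 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
31 30 0:23 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
32 31 0:23 /sys/net /proc/sys/net ro,nosuid,nodev,noexec,relatime - proc proc rw
33 30 0:23 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
34 25 0:24 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw'

# Constructed CapEff masks: the first has bit 12 set, the second has it cleared.
SAMPLE_CAPEFF_WITH_NET_ADMIN=0000003fffffffff
SAMPLE_CAPEFF_WITHOUT_NET_ADMIN=0000003fffffefff

# Report on the live container: read-only mounts under /proc/sys and
# whether CAP_NET_ADMIN is in this process's effective capability set.
report_live() {
    echo "read-only mounts under /proc/sys:"
    ro_mounts_under "$(cat /proc/self/mountinfo)" /proc/sys
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if has_cap "$capeff" "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN: present (CapEff $capeff)"
    else
        echo "CAP_NET_ADMIN: dropped (CapEff $capeff)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

If the script lists /proc/sys/net as read-only while CAP_NET_ADMIN is absent from CapEff, the container is in the state the commit message quoted above describes ("unmounted proc/sys/net if dropping CAP_NET_ADMIN"); if /proc/sys itself is read-only, that matches the proc:mixed behaviour from the man page excerpt in the first message.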
