I'm building a container to tune kernel settings for a load balancer. I'd prefer to deploy those changes to the host in an image using a single privileged container. For example:
docker run --rm --privileged ubuntu:latest sysctl -w net.core.somaxconn=65535
In testing the changes take effect but only for that container. I was under the impression that with a fully privileged container changes to /proc would actually change the underlying OS.
$docker run --rm --privileged ubuntu:latest \
sysctl -w net.core.somaxconn=65535
net.core.somaxconn = 65535
$ docker run --rm --privileged ubuntu:latest \
/bin/bash -c "sysctl -a | grep somaxconn"
net.core.somaxconn = 128
Is this how privileged containers are supposed to work?
Am I just doing something silly?
What is the best way to make lasting changes?
Version Info:
Client version: 1.4.1
Client API version: 1.16
Go version (client): go1.3.3
Git commit (client): 5bc2ff8
OS/Arch (client): linux/amd64
Server version: 1.4.1
Server API version: 1.16
Go version (server): go1.3.3
Git commit (server): 5bc2ff8
Example command with mounted /proc:
$ docker run -v /proc:/proc ubuntu:latest \
/bin/bash -c "sysctl -a | grep local_port"
net.ipv4.ip_local_port_range = 32768 61000
$ docker run -v /proc:/proc --privileged ubuntu:latest \
/bin/bash -c "sysctl -p /updates/sysctl.conf"
net.ipv4.ip_local_port_range = 2000 65000
$ docker run -v /proc:/proc ubuntu:latest \
/bin/bash -c "sysctl -a | grep local_port"
net.ipv4.ip_local_port_range = 32768 61000
$ docker run -v /proc:/proc --privileged ubuntu:latest \
/bin/bash -c "sysctl -a | grep local_port"
net.ipv4.ip_local_port_range = 32768 61000