https://github.com/docker/docker/pull/16632

I added this patch because I remember seeing bugzillas and issues requesting this feature. Docker felt that it was too dangerous to allow users to shoot themselves in the foot with it. Basically the patch would allow a user to specify specific sysctls to set within a container, before the container got set up. The problem is the kernel does do a good job of identifying whether the sysctl is namespaced, or changing the sysctl will affect the entire system.

The problem with closing it is that we continue to have no way of ever setting a container sysctl before pid 1 gets started in the container. Docker did suggest that they now support docker exec --privileged to exec a shell into a container which could set the sysctl, but of course this would only be possible after the container was started.

If you know of use cases that this was a show stopper for, we need to know what they are.

Dan
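The core risk Dan describes is that a sysctl requested for a container may be host-global rather than per-namespace, and the kernel interface gives userspace no direct way to tell the two apart. A runtime that wants to honour container sysctl requests safely therefore has to carry its own allow-list of families it knows are applied per network, IPC or POSIX mqueue namespace. The following is an added example, not code from the pull request or from Docker itself; the allow-list is an assumption modelled on the namespaced families (net.*, fs.mqueue.*, and the SysV IPC kernel.* keys) that a container runtime can reasonably treat as container-scoped, and the function and variable names are invented for illustration.

```python
"""Added example: allow-list check for sysctls requested for a container.

The kernel does not tell userspace whether a given sysctl is namespaced, so a
runtime must decide up front which keys it is willing to set inside a
container. Anything outside the allow-list is treated as host-global and
rejected before pid 1 starts.
"""
from __future__ import annotations

# Assumed policy (constructed for this example): families applied per
# network, POSIX mqueue and SysV IPC namespace.
NAMESPACED_PREFIXES = ("net.", "fs.mqueue.")
NAMESPACED_EXACT = frozenset({
    "kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
    "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced",
})


def normalize_key(key: str) -> str:
    """Accept 'net.ipv4.ip_forward', 'net/ipv4/ip_forward' or a /proc/sys path
    and return the dotted form; reject malformed keys."""
    key = key.strip()
    if key.startswith("/proc/sys/"):
        key = key[len("/proc/sys/"):]
    key = key.replace("/", ".")
    if not key or key.startswith(".") or key.endswith(".") or ".." in key:
        raise ValueError(f"malformed sysctl key: {key!r}")
    return key


def is_namespaced(key: str) -> bool:
    """True only if the key falls inside the assumed per-namespace families."""
    k = normalize_key(key)
    return k in NAMESPACED_EXACT or k.startswith(NAMESPACED_PREFIXES)


def validate_sysctls(requested: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Split a requested key->value map into (accepted, rejected).

    Accepted keys are returned in dotted form so the caller can write them to
    /proc/sys inside the container's namespaces before exec'ing pid 1.
    Values containing a newline are rejected so a single write cannot smuggle
    in a second line.
    """
    accepted: dict[str, str] = {}
    rejected: list[str] = []
    for key, value in requested.items():
        try:
            k = normalize_key(key)
        except ValueError:
            rejected.append(key)
            continue
        if is_namespaced(k) and "\n" not in value:
            accepted[k] = value
        else:
            rejected.append(key)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request mixing container-scoped and host-global keys.
    request = {
        "net.ipv4.ip_forward": "1",
        "kernel.sem": "250 32000 32 128",
        "kernel.panic": "0",            # host-global: must not be set from a container
        "vm.overcommit_memory": "1",    # host-global
        "/proc/sys/kernel/shmmax": "68719476736",
    }
    ok, bad = validate_sysctls(request)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately conservative: a key that is not positively known to be namespaced is refused, which is the safe default when the kernel itself offers no way to ask.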