Change Kernel Command-line for Docker on OSX

The kernel command-line for Docker uses vsyscall=emulate. I’d like to instead specify vsyscall=native.

How can I do this?

$ ps aux | grep -i docker | grep vsys
riggle           18413   0.7 20.2  7006584 3394704   ??  S    Sun03PM  50:39.14 /Applications/Docker.app/Contents/MacOS/com.docker.hyperkit -A -m 4096M -c 4 -u -s 0:0,hostbridge -s 31,lpc -s 2:0,virtio-vpnkit,uuid=dd100a8a-88db-4020-baf1-6766c062429d,path=/Users/riggle/Library/Containers/com.docker.docker/Data/s50,macfile=/Users/riggle/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/mac.0 -s 3,ahci-hd,file:///Users/riggle/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/Docker.qcow2?sync=1&buffered=1,format=qcow,qcow-config=discard=true;compact_after_unmaps=0 -s 4,virtio-9p,path=/Users/riggle/Library/Containers/com.docker.docker/Data/s40,tag=db -s 5,virtio-rnd -s 6,virtio-9p,path=/Users/riggle/Library/Containers/com.docker.docker/Data/s51,tag=port -s 7,virtio-sock,guest_cid=3,path=/Users/riggle/Library/Containers/com.docker.docker/Data,guest_forwards=2376;1525 -l com1,autopty=/Users/riggle/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty,log=/Users/riggle/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/console-ring -f kexec,/Applications/Docker.app/Contents/Resources/moby/vmlinuz64,/Applications/Docker.app/Contents/Resources/moby/initrd.img,earlyprintk=serial console=ttyS0 com.docker.driver="com.docker.driver.amd64-linux", com.docker.database="com.docker.driver.amd64-linux" ntp=gateway mobyplatform=mac **vsyscall=emulate** -F /Users/riggle/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/hypervisor.pid

There is no way to do this currently. I am interested: what is your use case? We generally avoid exposing complexity to the user but if it is necessary for some reason, we’d love to help you. You may also be interested in https://github.com/docker/docker/issues/28705 which indicates that changing the vsyscall handling may have a security impact due to fixed addressing.

The reason for changing the setting is exactly related to that.

Real machines may have vsyscall=native enabled. In order to use Docker to run penetration testing tools (specifically Metasploit and Pwntools) which target this behavior in their integration tests, the setting needs to be mutable.
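To make the "fixed addressing" point concrete, here is an added example (my own code, not from this thread and not part of Docker): a small Linux/x86-64 probe that reports the vsyscall= setting from /proc/cmdline, the permissions of the [vsyscall] mapping in /proc/self/maps, and then tries to use the classic fixed-address gadget. The legacy vsyscall page always lives at 0xffffffffff600000 regardless of ASLR; under vsyscall=native it contains real executable "mov $nr,%rax; syscall; ret" stubs, so "syscall; ret" at base+7 is a ROP gadget at a known address, which is what Metasploit and Pwntools tests rely on. Under vsyscall=emulate the page is not executable and the kernel only emulates calls that land exactly on a stub entry, so jumping into the middle of a stub faults. The parsing helpers are pure functions; the gadget call is guarded by a SIGSEGV handler so the probe survives emulate, xonly and none.

```c
/* Added example (not from the thread, not Docker's code): probe how the running
 * Linux x86-64 kernel treats the legacy vsyscall page at the fixed, ASLR-exempt
 * address 0xffffffffff600000. With vsyscall=native the page holds executable
 * "mov $nr,%rax; syscall; ret" stubs, so "syscall; ret" at base+7 is a ROP gadget
 * at a known address; with vsyscall=emulate that mid-stub jump raises SIGSEGV. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define VSYSCALL_BASE 0xffffffffff600000UL

enum vsyscall_mode { VS_UNSET = 0, VS_NATIVE, VS_EMULATE, VS_XONLY, VS_NONE, VS_BAD };

/* vsyscall= token on a kernel command line; VS_UNSET = not given (kernel default). */
enum vsyscall_mode parse_vsyscall_mode(const char *cmdline)
{
    static const struct { const char *name; enum vsyscall_mode mode; } tbl[] = {
        { "native", VS_NATIVE }, { "emulate", VS_EMULATE },
        { "xonly", VS_XONLY },   { "none", VS_NONE } };
    for (const char *p = cmdline; (p = strstr(p, "vsyscall=")) != NULL; p += 9) {
        if (p != cmdline && p[-1] != ' ' && p[-1] != '\t')
            continue;                        /* "foo_vsyscall=" is another option */
        const char *val = p + 9;
        for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
            size_t n = strlen(tbl[i].name);  /* value must end at NUL, blank or newline */
            if (!strncmp(val, tbl[i].name, n) && strchr(" \t\n", val[n]))
                return tbl[i].mode;
        }
        return VS_BAD;                       /* token present but unrecognised */
    }
    return VS_UNSET;
}

/* Permission field of the [vsyscall] line in /proc/<pid>/maps text ("r-xp" under
 * native and emulate, "--xp" under xonly). Returns 0 if absent (vsyscall=none). */
int find_vsyscall_perms(const char *maps, char perms[5])
{
    const char *hit = strstr(maps, "[vsyscall]");
    if (!hit) return 0;
    const char *line = hit;
    while (line > maps && line[-1] != '\n')
        line--;                              /* back up to "start-end perms ..." */
    const char *sp = strchr(line, ' ');
    if (!sp || sp > hit) return 0;
    memcpy(perms, sp + 1, 4); perms[4] = '\0';
    return 1;
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Run fn with SIGSEGV caught; returns fn's value, or -1 if it faulted. */
static long guarded(long (*fn)(void))
{
    struct sigaction sa = { .sa_handler = on_fault }, old;
    volatile long r = -1;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        r = fn();
    sigaction(SIGSEGV, &old, NULL);
    return r;
}

/* Call "syscall; ret" at base+7 (just past the 7-byte "mov $nr,%rax") with rax =
 * __NR_getpid. Only vsyscall=native runs it; emulate/xonly/none raise SIGSEGV. */
static long call_gadget(void)
{
    long ret = 39;                           /* __NR_getpid on x86-64 */
#if defined(__x86_64__) && defined(__linux__)
    void *gadget = (void *)(uintptr_t)(VSYSCALL_BASE + 7);
    __asm__ volatile ("sub $128, %%rsp\n\t"  /* keep the red zone intact */
                      "call *%[g]\n\t"
                      "add $128, %%rsp\n\t"
                      : "+a"(ret) : [g] "d"(gadget) : "rcx", "r11", "memory", "cc");
#else
    ret = -1;                                /* no vsyscall page on this target */
#endif
    return ret;
}

int main(void)
{
    static char cmdline[4096], maps[1 << 16], perms[5];
    static const char *names[] = { "unset", "native", "emulate", "xonly", "none", "bad" };
    FILE *f = fopen("/proc/cmdline", "r");
    if (f) { if (!fgets(cmdline, sizeof cmdline, f)) cmdline[0] = '\0'; fclose(f); }
    if ((f = fopen("/proc/self/maps", "r"))) { maps[fread(maps, 1, sizeof maps - 1, f)] = '\0'; fclose(f); }
    printf("cmdline vsyscall=  : %s\n", names[parse_vsyscall_mode(cmdline)]);
    printf("[vsyscall] mapping : %s\n", find_vsyscall_perms(maps, perms) ? perms : "absent");
    printf("syscall;ret gadget : %s\n", guarded(call_gadget) == getpid()
           ? "EXECUTED (vsyscall=native: fixed-address gadget usable)" : "blocked (faulted)");
    return 0;
}
```

macOS itself has no vsyscall page, so compile and run this inside a container on the Docker for Mac VM (for instance with the public gcc image, `gcc -O2 -o vsyscall_probe vsyscall_probe.c && ./vsyscall_probe`); the container shares the guest kernel, so it reports the VM's setting. With the vsyscall=emulate shown in the ps output above the last line should read "blocked", and on a Linux host booted with vsyscall=native it reads "EXECUTED", which is exactly the behaviour the Metasploit and Pwntools tests exercise. The inline assembly is x86-64 only; on any other target the gadget probe simply reports -1.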

I need to change the kernel parameter options as well. My use case is to change the max_loop option so I will get the needed number of loopback devices auto-generated and available to Docker containers. This is required by our Docker development staging environment, which uses many loopback devices for various reasons. This staging environment would be awesome for some of our support engineers, but they do not have access to Linux machines on which we can configure this correctly.

I didn’t see an issue on GitHub for this request yet, so if you add one, I wouldn’t mind if the configuration was hidden deeply in the git configuration database… as long as it is documented somewhere.