Unable to start a container when using the --sysctl flag

OS Version/Build: Oracle Linux 7.1 With UEK Kernel 4.1.12
Docker version: 1.12.1

Hey folks, I hope this isn’t something obvious I missed, but I’ve been fiddling with trying to get this working for several hours and have hit a wall.

I’m testing using the --sysctl option to set net.core.rmem_max and net.core.wmem_max for the container.

However, I receive the following error when the container tries starting:

Error response from daemon: oci runtime error: open /proc/sys/net/core/rmem_max: permission denied

Any suggestions on where to look to resolve this?

If it’s a kernel setting, just set it on the host. The kernel used by all containers on a given computer is the same.

Containers don’t have access to modify these kinds of settings by default. It’d be too privileged so the default seccomp profile etc. has been tuned to try and optimize the right convenience vs. security sweet spot.

My understanding, which may be wrong, is that the network configuration for the containers is namespaced allowing per-container tuning of network parameters.

Is my understanding correct?

Sort of, but the kernel settings are shared by all containers. Each container is run in a unique network namespace but this is for isolation purposes (e.g., each container can have its own loopback interface / localhost and not interfere with each other), not resource control. sysctl is intended for getting and setting kernel parameters and these are shared by all processes running on the kernel (i.e., all containers since containers on a given box are just processes on the same kernel with some special properties).

I see. Thanks for the clarification!

I have a question regarding this topic.

I am running Docker 1.11.2 on CentOS 7.
I set net.core.somaxconn = 1024 on the host. When I bring up the official CentOS 7 container and run sysctl -a | grep somaxconn from inside the container, it shows that it is set to 128.

Is it using the setting on the host despite it saying something else in the container?
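The following pre-flight script is an added example, not code from the thread or from Docker itself. It covers both questions above (the rmem_max "permission denied" and the somaxconn value that differs from the host): it checks a key against the --sysctl allowlist that Docker documents (the IPC keys kernel.msg*, kernel.sem, kernel.shm*, plus fs.mqueue.* and net.*), and then flags net.* keys that the kernel keeps as host-wide state rather than per network namespace. Being on Docker's allowlist is necessary but not sufficient: inside a container's network namespace the kernel exposes non-namespaced net.core entries such as net.core.rmem_max read-only, so runc's write fails with exactly the error in the first post. net.core.somaxconn, by contrast, is per-namespace, which is why a fresh container shows the kernel default (128) no matter what the host is set to, and why it can be passed with --sysctl. The host-only key list in the script is constructed for this example and is not exhaustive; the `writable_in_proc` check is the empirical test to run from inside a container when in doubt. The `docker run` and `sysctl -w` calls only execute when RUN_DEMO=1 is set.

```shell
#!/bin/sh
# Pre-flight check for `docker run --sysctl key=value` (added example, not from the thread).
# Docker's documented --sysctl allowlist: only IPC- and network-namespaced keys.

docker_sysctl_allowed() {
    case "$1" in
        kernel.msgmax|kernel.msgmnb|kernel.msgmni|kernel.sem|kernel.shmall|\
        kernel.shmmax|kernel.shmmni|kernel.shm_rmid_forced) return 0 ;;
        fs.mqueue.*|net.*) return 0 ;;
        *) return 1 ;;
    esac
}

# net.* keys that the kernel keeps as a single host-wide value (constructed,
# non-exhaustive list for this example). In a container's network namespace
# their /proc/sys entries are read-only, so --sysctl on them fails with
# "permission denied". net.core.somaxconn is NOT in this list: it is per-namespace.
host_only_net_key() {
    case "$1" in
        net.core.rmem_max|net.core.wmem_max|\
        net.core.rmem_default|net.core.wmem_default) return 0 ;;
        *) return 1 ;;
    esac
}

# classify KEY[=VALUE] -> prints one of: rejected-by-docker | host-only | container
#   rejected-by-docker : the daemon refuses the flag (not on its allowlist)
#   host-only          : allowed by Docker, but shared kernel state; set it on the host
#   container          : namespaced, can be set per container with --sysctl
classify_sysctl() {
    key=${1%%=*}
    if ! docker_sysctl_allowed "$key"; then
        echo rejected-by-docker
    elif host_only_net_key "$key"; then
        echo host-only
    else
        echo container
    fi
}

# Empirical check, meant to be run inside a container: a non-namespaced
# net key shows no write bit on its /proc/sys entry.
# Usage: writable_in_proc net.core.somaxconn
writable_in_proc() {
    f="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    [ -w "$f" ]
}

# Demo with the keys from the thread. Only touches the host and Docker when RUN_DEMO=1.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    for k in net.core.rmem_max net.core.somaxconn kernel.shmmax vm.overcommit_memory; do
        printf '%-24s %s\n' "$k" "$(classify_sysctl "$k")"
    done
    # host-only key: set once on the host, every container inherits it
    sudo sysctl -w net.core.rmem_max=26214400
    # namespaced key: set per container; prints 1024 inside, host value is untouched
    docker run --rm --sysctl net.core.somaxconn=1024 centos:7 sysctl net.core.somaxconn
fi
```

Keys that classify as host-only are shared kernel state, so changing them on the host changes them for every container on that box; keep that in mind before raising buffer limits for one workload.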