Isn't pulling current settings from init_net an isolation violation if init_net isn't the namespace you are in at the time you are creating the new namespace? The way I see it there are 2 possibilities: (a) you use some kernel (probably compile time) defaults (ie. what init_net gets when you boot machine) (b) you inherit from current namespace I'm not sure what the right choice is. For something like 'iptables configuration' it seems (a) is correct (come up with no firewall). For something like 'tcp socket memory limits' or 'bindv6only' or 'v6.default_use_tempaddr) it does seem like (b) is possibly more appropriate. That said I think there are cases where (a) is clearly correct and (b) is clearly not desirable (iptables conf being a prime example). After all a new namespace doesn't inherit interfaces from the namespace we're in when we create it. I can't think of any cases where (b) is clearly correct and (a) is clearly not desirable. [I guess this is less than clear for settings which auto scale at boot with available ram and/or number of cpus in the machine] Based on that doing (a) for everything may be the right choice (consistency trump...). This would imply network namespace you are in should have no effect on the new network namespace you are creating. OTOH, if I want to change some tcp mem tuning sysctl (or something like net.ipv6.conf.default.use_tempaddr = 2) it would be annoying if /etc/sysctl.conf didn't apply to non-init namespace. But perhaps this is better solved in userspace by loading some /etc/sysctls-for-new-network-namespaces.conf settings in some network namespace creating libraries. - Maciej _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers