Is there a way to increase net.core.somaxconn in unprivileged containers?
Based on my short research, this key was “namespaced” a very long time ago. So it should be available for tuning, and it can easily be confirmed with “ip netns …” (change somaxconn, create a new ns and change the value in it as you want).
But when you’re using an unprivileged container you also have a separate user namespace. Using userns breaks it for LXD-managed containers and even for Docker (with userns enabled). And things get even worse when you read “man listen”:
If the backlog argument is greater than the value in /proc/sys/net/core/somaxconn, then it is silently truncated to that value; the default value in this file is 128. In kernels before 2.4.25, this limit was a hard coded value, SOMAXCONN, with the value 128.
So you end up with a socket and 128 as the default value for the socket backlog. People using Kubernetes found a workaround with privileged init containers, for example this article: http://bogdan-albei.blogspot.com/2017/09/kernel-tuning-in-kubernetes.html. It looks like a huge headache, but it fixes the problem.
Not sure that I was digging in the right direction, but I ended up with these:
It looks like it was “broken” a very long time ago and, based on the commit’s commentary, it was made intentionally (i.e. it’s not a bug). So the question still remains: is there a way to achieve security and performance? I.e. tune somaxconn without creating a privileged container?