Increase SOMAXCONN in unprivileged containers?

Well, you found it already; it’s just straight hardcoded in
net/core/net_namespace.c:

```c
/* Called when a new network namespace is created: seeds the per-namespace
 * somaxconn with the compile-time SOMAXCONN constant. */
static int __net_init net_defaults_init_net(struct net *net)
{
        net->core.sysctl_somaxconn = SOMAXCONN;
        return 0;
}
```

That’s the default value that is used, and after that the sysctl comes and changes it, but not for containers, because of this. I tried to remove it, and afterwards the root user of an unprivileged container could change the value for the container (and only the container: the host value is unchanged and other containers are not affected either).
In fact, everything is almost perfect like this; the only part that could be better is an option to leave the ‘file’ /proc/sys/net/core/somaxconn owned by the ‘real’ root so it could be set up by the LXD manager (with the raw.lxc key) and only used by the container software. I tried that and it definitely works.

It seems definitely wrong to hide the key. It should be owned by the global root instead.

As for your problem, my guess is that if you need a way, you can always compile your own kernel and set the default value of SOMAXCONN higher. It will not really hurt standard software, just eat resources as the default queues may be larger (if the application software doesn’t set the value itself to a saner value). Maintenance headache, yes, but it beats a non-working system.