The ip_vs kernel module's sysctls do not exist in an unprivileged container's /proc

On the host, “ip_vs” is loaded and “/proc/sys/net/ipv4/vs/*” exists.
In the container, “/proc/sys/net/ipv4/vs” exists, but “/proc/sys/net/ipv4/vs/*” does not (the directory is empty).
How can I make it work in an unprivileged container?
Thank you very much for your help.

user@host:~$ lsmod | grep ip_vs
ip_vs                 155648  1 xt_ipvs
nf_conntrack          139264  10 xt_conntrack,nf_nat,xt_state,xt_nat,openvswitch,nf_conntrack_netlink,nf_conncount,xt_MASQUERADE,ip_vs,xt_REDIRECT
nf_defrag_ipv6         24576  3 nf_conntrack,openvswitch,ip_vs
libcrc32c              16384  7 nf_conntrack,nf_nat,openvswitch,btrfs,xfs,raid456,ip_vs

user@host:~$ ls -l /proc/sys/net/ipv4/vs/
total 0
-rw-r--r-- 1 root root 0 Jan 28 06:24 am_droprate
-rw-r--r-- 1 root root 0 Jan 28 06:24 amemthresh
-rw-r--r-- 1 root root 0 Jan 28 06:24 backup_only
-rw-r--r-- 1 root root 0 Jan 28 06:24 cache_bypass
-rw-r--r-- 1 root root 0 Jan 28 06:24 conn_reuse_mode
-rw-r--r-- 1 root root 0 Jan 28 06:24 conntrack
-rw-r--r-- 1 root root 0 Jan 28 06:24 drop_entry
-rw-r--r-- 1 root root 0 Jan 28 06:24 drop_packet
-rw-r--r-- 1 root root 0 Jan 28 06:24 expire_nodest_conn
-rw-r--r-- 1 root root 0 Jan 28 06:24 expire_quiescent_template
-rw-r--r-- 1 root root 0 Jan 28 06:24 ignore_tunneled
-rw-r--r-- 1 root root 0 Jan 28 06:24 nat_icmp_send
-rw-r--r-- 1 root root 0 Jan 28 06:24 pmtu_disc
-rw-r--r-- 1 root root 0 Jan 28 06:24 schedule_icmp
-rw-r--r-- 1 root root 0 Jan 28 06:24 secure_tcp
-rw-r--r-- 1 root root 0 Jan 28 06:24 sloppy_sctp
-rw-r--r-- 1 root root 0 Jan 28 06:24 sloppy_tcp
-rw-r--r-- 1 root root 0 Jan 28 06:24 snat_reroute
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_persist_mode
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_ports
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_qlen_max
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_refresh_period
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_retries
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_sock_size
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_threshold
-rw-r--r-- 1 root root 0 Jan 28 06:24 sync_version

root@container:~# lsmod | grep ip_vs
ip_vs                 155648  1 xt_ipvs
nf_conntrack          139264  10 xt_conntrack,nf_nat,xt_state,xt_nat,openvswitch,nf_conntrack_netlink,nf_conncount,xt_MASQUERADE,ip_vs,xt_REDIRECT
nf_defrag_ipv6         24576  3 nf_conntrack,openvswitch,ip_vs
libcrc32c              16384  7 nf_conntrack,nf_nat,openvswitch,btrfs,xfs,raid456,ip_vs

root@container:~# ls -l /proc/sys/net/ipv4/vs/
total 0

user@host:~$ lxc config set container security.privileged 1
user@host:~$ lxc restart container

root@container:~# ls -l /proc/sys/net/ipv4/vs/
total 0
-rw-r--r-- 1 root root 0 Jan 28 06:26 am_droprate
-rw-r--r-- 1 root root 0 Jan 28 06:26 amemthresh
-rw-r--r-- 1 root root 0 Jan 28 06:26 backup_only
-rw-r--r-- 1 root root 0 Jan 28 06:26 cache_bypass
-rw-r--r-- 1 root root 0 Jan 28 06:26 conn_reuse_mode
-rw-r--r-- 1 root root 0 Jan 28 06:26 conntrack
-rw-r--r-- 1 root root 0 Jan 28 06:26 drop_entry
-rw-r--r-- 1 root root 0 Jan 28 06:26 drop_packet
-rw-r--r-- 1 root root 0 Jan 28 06:26 expire_nodest_conn
-rw-r--r-- 1 root root 0 Jan 28 06:26 expire_quiescent_template
-rw-r--r-- 1 root root 0 Jan 28 06:26 ignore_tunneled
-rw-r--r-- 1 root root 0 Jan 28 06:26 nat_icmp_send
-rw-r--r-- 1 root root 0 Jan 28 06:26 pmtu_disc
-rw-r--r-- 1 root root 0 Jan 28 06:26 schedule_icmp
-rw-r--r-- 1 root root 0 Jan 28 06:26 secure_tcp
-rw-r--r-- 1 root root 0 Jan 28 06:26 sloppy_sctp
-rw-r--r-- 1 root root 0 Jan 28 06:26 sloppy_tcp
-rw-r--r-- 1 root root 0 Jan 28 06:26 snat_reroute
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_persist_mode
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_ports
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_qlen_max
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_refresh_period
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_retries
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_sock_size
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_threshold
-rw-r--r-- 1 root root 0 Jan 28 06:26 sync_version
general info
user@host:~# uname -a
Linux host 5.4.0-58-generic #64-Ubuntu SMP Wed Dec 9 08:16:25 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

user@host:~# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
lxd version
user@host:~# snap list 
Name    Version   Rev    Tracking       Publisher   Notes
core18  20201210  1944   latest/stable  canonical✓  base
lxd     4.10      19009  latest/stable  canonical✓  -
snapd   2.48.2    10707  latest/stable  canonical✓  snapd

@brauner any ideas, is this possible?

It’s currently not namespaced: the ip_vs sysctl table is deliberately hidden from network namespaces that are owned by a non-initial user namespace, which is exactly the unprivileged-container case:

if (!net_eq(net, &init_net)) {
	tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
	if (tbl == NULL)
		return -ENOMEM;

	/* Don't export sysctls to unprivileged users */
	if (net->user_ns != &init_user_ns)
		tbl[0].procname = NULL;
} else
	tbl = vs_vars;

I currently have no idea whether it is safe to expose these sysctls to unprivileged containers (the kernel comment above hides them from non-initial user namespaces on purpose). We could put it as
“to investigate” on the next roadmap.


Thank you for investigating the cause.
I discovered this issue when I ran Docker Swarm inside a container.
It was beyond what I could work out on my own, so I am very grateful for this help!
