Cannot run sysctl command in Dockerfile

Question

I'm trying to make my first dockerfile(I'm new to this), and I need the system to run the command sysctl -w kernel.randomize_va_space=0 (its an lab env.), but I get the error:

sysctl: setting key "kernel.randomize_va_space": Read-only file system

Whenever I try to build the dockerfile, any suggestion how to get this around ?

FROM avatao/lesp:ubuntu-14.04

USER root

COPY ./solvable/ /

RUN sysctl -w kernel.randomize_va_space=0

VOLUME ["/tmp"]

EXPOSE 2222

WORKDIR /home/user/

USER user

CMD ["/usr/sbin/sshd", "-Df", "/etc/ssh/sshd_config_user"]

Answer 1

Since Docker containers share the host system's kernel and its settings, a Docker container usually can't run sysctl at all. (You especially can't disable security-critical settings like this one.) You can set a limited number of sysctls on a container-local basis with docker run --sysctl, but the one you mention isn't one of these.

Furthermore, you also can't force changes like this in a Dockerfile. A Docker image only contains a filesystem and some associated metadata, and not any running processes or host-system settings. Even if this RUN sysctl worked, if you rebooted your system and then launched a container from the image, that setting would be lost.

Given what you've shown in this Dockerfile – customized Linux kernel settings, no specific application running, an open-ended ssh daemon as the container process – you might consider whether a virtual machine fits your needs better. You can use a tool like Packer to reproducibly build a VM image in much the same way a Dockerfile builds a Docker image. Since a VM does have an isolated kernel, you can run that sysctl command there and it will work, maybe via normal full-Linux-installation methods like an /etc/sysctl.conf file.