Comment 5 for bug 1685677

Tom Cameron (drdabbles) wrote :

Ok, after discussing a bit further with Evan C, I am not clearly or accurately describing what's potentially going on. In general, though, certain sysctl items only make sense on the host and not inside containers. The syncookies example stands, because only the kernel runs the TCP stack and any change to that value will impact everything running on the host.

But, the reason some of these values do not appear in the /proc/sys tree is most likely due to the templates used to create these containers. It is possible to hand craft a container that displays the entire contents of the host's /proc/sys structure. However, there may well be code within the kernel components for namespaces and cgroups that prevent a container from writing to specific values still.

So my initial "gut feeling" was right, but for the wrong reason. :)