Comment 6 for bug 1685677

Logan V (loganv) wrote:

Yep, there are a lot of host-specific sysctls that cannot be set within the container, and will error out as shown above if they affect the host, not only the container.

There are also sysctls that can be validly set within the container, such as net.ipv4.ip_nonlocal_bind. nonlocal_bind affects only the container it is set in, does not throw an error, and works exactly as intended.

It is understandable that systemd and/or the container template is cautious about applying sysctls in a container, but completely opting out of any sysctl application, even when valid sysctls are set using standard sysctl persistence methods, seems like a valid bug to me.

The problem isn't that I can't set the nonlocal_bind setting via sysctl. My problem is that the OS does not allow me to do so using normal sysctl persistence methods.
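An added example, not part of the bug thread and not systemd's or the container template's code: a POSIX sh applier that treats each key in a sysctl.conf-style file independently, so a key the container is not allowed to change (a host-owned one) is reported and skipped while a container-local key such as net.ipv4.ip_nonlocal_bind is still applied and verified by read-back. The SYSCTL_ROOT override (defaulting to /proc/sys) and the apply_one/apply_file function names are assumptions made so the script can be exercised against a scratch directory; the sysctl.conf sample in the usage note is constructed.

```shell
#!/bin/sh
# Per-key sysctl applier for containers (added example, not from the bug report).
# Each key is written on its own, so one host-owned key that the kernel rejects
# does not cause every other entry in the file to be abandoned.
# SYSCTL_ROOT defaults to /proc/sys; point it at a scratch tree to test offline.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# sysctl_path KEY: map a dotted sysctl name to its file under $SYSCTL_ROOT,
# e.g. net.ipv4.ip_nonlocal_bind -> $SYSCTL_ROOT/net/ipv4/ip_nonlocal_bind
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# apply_one KEY VALUE: write VALUE and read it back.
# Returns 0 on success, 1 if the key is absent or not writable from here,
# 2 if the write was accepted but the kernel reports a different value.
apply_one() {
    key=$1
    value=$2
    path=$(sysctl_path "$key")
    if [ ! -e "$path" ]; then
        echo "skip $key: no such key" >&2
        return 1
    fi
    if ! printf '%s\n' "$value" > "$path" 2>/dev/null; then
        echo "skip $key: not settable here (host-owned or read-only)" >&2
        return 1
    fi
    actual=$(cat "$path")
    if [ "$actual" != "$value" ]; then
        echo "warn $key: wrote $value, kernel reports $actual" >&2
        return 2
    fi
    echo "ok   $key = $value"
    return 0
}

# apply_file FILE: parse "key = value" lines ('#' and ';' start comments),
# apply every entry independently, and return the count of entries that
# could not be applied (0 means the whole file took effect).
apply_file() {
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=${line%%;*}
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$key" ] || continue
        apply_one "$key" "$value" || failed=$((failed + 1))
    done < "$1"
    return "$failed"
}

# Stand-alone use: apply_sysctl.sh /etc/sysctl.d/90-container.conf
if [ $# -gt 0 ]; then
    apply_file "$1"
fi
```

Run it as root inside the container against the same file that systemd-sysctl would read; the exit status is the number of entries that were skipped, so a nonzero status with `ok net.ipv4.ip_nonlocal_bind = 1` on stdout shows exactly the situation described in this thread: the container-local key is valid and takes effect, only the host-owned ones are refused.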