Privileged mode
The SR-SIM
should be run in privileged mode as shown in the examples in this
document as it requires specific permissions from the host machine.
If needed, the SR-SIM may be run in non-privileged mode. However, the following operational capabilities must be provided specifically for the containers:
- CHOWN: to ensure the contents of cfX: are owned by the user “sros”
- SYS_CHROOT: to ensure the contents of cfX: are owned by the user “sros”
- IPC_LOCK: to facilitate memory management (mmap)
- NET_ADMIN: to allow for network interface control
- NET_BIND_SERVICES: to enable the ability to open ports < 1024
- NET_RAW: to allow for network socket control
- SYS_RESOURCE: to ensure access to message queues and file descriptors
- SYS_TIME: to manage clock and timing functions
Additionally, the following SYSCTL settings should be provided:
- net.ipv4.conf.all.rp_filter: Set to
0to disable reverse-path filtering - net.ipv4.conf.default.rp_filter: Set to
0to disable reverse-path filtering - net.ipv6.conf.all.accept_ra: Set to
0to prevent sending router advertisement solicitations - net.ipv6.conf.default.accept_ra: Set to
0to prevent sending router advertisement solicitations