<span style>I can confirm that using (1) and (2) together solves the problem. Many thanks again for your help!</span><br><br><div class="gmail_quote">On Sat, Jun 9, 2012 at 6:56 PM, Stéphane Graber <span dir="ltr"><<a href="mailto:stgraber@ubuntu.com" target="_blank">stgraber@ubuntu.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 06/09/2012 06:38 AM, Fajar A. Nugraha wrote:<br>
> On Fri, Jun 8, 2012 at 8:47 PM, Stéphane Graber <<a href="mailto:stgraber@ubuntu.com">stgraber@ubuntu.com</a>> wrote:<br>
>> On 06/08/2012 04:27 AM, Fajar A. Nugraha wrote:<br>
>>> On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr">daniel.lezcano@free.fr</a>> wrote:<br>
>>>> On 06/07/2012 12:45 PM, Jan Den Ouden wrote:<br>
>>>>> Hi,<br>
>>>>><br>
>>>>> About a week ago I posted exactly the same question on this list, but I<br>
>>>>> didn't get any responses. I have googled high and low for the answer to<br>
>>>>> this, but no result. It's not related to capabilities, because you can only<br>
>>>>> drop capabilities, not add them. It's not related to the cgroup memory<br>
>>>>> controller, because that seems to deal with total memory, not shared<br>
>>>>> memory. Therefore, I think it's a bug.<br>
>>>><br>
>>>> I tried on a 3.0.0 kernel version and that works. Isn't possible this is<br>
>>>> related to app armor ?<br>
>>><br>
>>> Yep, that should be it, as testing with apparmor disabled the<br>
>>> following works on guest container in my test system<br>
>>><br>
>>> # cat /proc/sys/kernel/shmmax<br>
>>> 33554432<br>
>>> # echo 335544320 > /proc/sys/kernel/shmmax<br>
>>> # cat /proc/sys/kernel/shmmax<br>
>>> 335544320<br>
>>><br>
>>> However the apparmor problem might not seem obvious because there's no<br>
>>> apparmor warning on syslog when you try to set shmmax with apparmor<br>
>>> enabled. Also:<br>
>>> (1) If you ONLY uncomment "lxc.aa_profile=unconfined" (with apparmor<br>
>>> still enabled), lxc-start failed with<br>
>>> lxc-start: No such file or directory - failed to change apparmor<br>
>>> profile to unconfined<br>
>>> (2) If you ONLY add /etc/apparmor.d/usr.bin.lxc-start symlink to<br>
>>> /etc/apparmor.d/disable, you'd still get permission denied error<br>
>>> (3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor<br>
>>> teardown), lxc-start failed with<br>
>>> lxc-start: No such file or directory - failed to change apparmor<br>
>>> profile to lxc-container-default<br>
>>> (4) Combining (1) and (2), or (1) and (3), you can set shmmax from<br>
>>> inside the guest container<br>
>>><br>
>>> so there's probably still a bug (or more) in ubuntu's apparmor-lxc combo.<br>
>><br>
>> Please reboot your machine ;) the unconfined profile problem (giving you<br>
>> the No such file or directory) was a kernel bug and was fixed a couple<br>
>> of weeks ago, letting me think you're running an out of date kernel.<br>
><br>
> Probably. Although there's no "please restart to complete update"<br>
> warning on my desktop. It's not really urgent for me though, so I'll<br>
> just reboot later when possible.<br>
><br>
> Thanks for letting me know that this is a fixed issue.<br>
<br>
</div></div>Actually I was wrong, the fixed kernel hasn't been pushed to -updates<br>
yet, it's still in -proposed. So unconfined will be working whenever you<br>
get the next kernel update (should be released in a few days.)<br>
<div class="im HOEnZb"><br>
>><br>
>> As for shmmax, it's simply not whitelisted at the moment as it wasn't in<br>
>> the list of known-safe container aware proc entries, we probably should<br>
>> whitelist it (after doing some extra checking).<br>
><br>
> BTW, I thought that all blockings done by selinux would show up on<br>
> syslog? Am I looking at the wrong place?<br>
><br>
> If there were a warning on syslog, the OP would've probably been able<br>
> to solve their problem by themselves earlier.<br>
><br>
<br>
<br>
--<br>
</div><div class="HOEnZb"><div class="h5">Stéphane Graber<br>
Ubuntu developer<br>
<a href="http://www.ubuntu.com" target="_blank">http://www.ubuntu.com</a><br>
<br>
</div></div><br>------------------------------------------------------------------------------<br>
Live Security Virtual Conference<br>
Exclusive live event will cover all the ways today's security and<br>
threat landscape has changed and how IT managers can respond. Discussions<br>
will include endpoint security, mobile security and the latest in malware<br>
threats. <a href="http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/" target="_blank">http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/</a><br>_______________________________________________<br>
Lxc-users mailing list<br>
<a href="mailto:Lxc-users@lists.sourceforge.net">Lxc-users@lists.sourceforge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/lxc-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/lxc-users</a><br>
<br></blockquote></div><br>