<div dir="ltr">Serge, I am able to reproduce with stock Ubuntu 14.04 instances in AWS, using the download template (lxc-create -n foo -t download -- -d ubuntu -a amd64 -r trusty). As you have mentioned, /proc is owned by nobody:nogroup; I tried starting the container with an unconfined aa profile without any success.<div>
<br><div>Kernel version: 3.13.0-3</div><div>LXC: 1.0.5</div><div><br><div><br></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 11, 2014 at 8:53 AM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I currently have no problem either on trusty or utopic.<br>
<br>
My kernels are 3.16.0-6-generic and 3.13.0-24-generic. This doesn't<br>
match either of your kernels.<br>
<br>
Please show the container configuration file, as well as the<br>
contents of the apparmor policy the container is using and<br>
/etc/apparmor.d/abstractions/lxc/container-base<br>
<div class="HOEnZb"><div class="h5"><br>
Quoting Tiit Kaeeli (<a href="mailto:kaeeli@quretec.com">kaeeli@quretec.com</a>):<br>
> So something must be wrong in my configuration.<br>
><br>
> I have changed /usr/share/lxc/config/ubuntu.common.conf:<br>
><br>
> # lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0<br>
> lxc.mount.auto = proc:rw<br>
><br>
> And have not found anything else regarding mounting of /proc<br>
> But this does not help.<br>
><br>
> (server is running Ubuntu Trusty)<br>
><br>
><br>
><br>
> On Thu, 31 Jul 2014, Robert Pendell wrote:<br>
><br>
> >I just tested on my vps with Linode and I was still running on 3.14<br>
> >(they have 3.15 now) so I checked then rebooted and checked again.<br>
> >After reboot I was up to 3.15 as provided by the host. In both cases<br>
> >/proc as well as all of the contents was owned by root.<br>
> ><br>
> >shinji@icarus:~$ uname -a<br>
> >Linux <a href="http://icarus.robertpendell.com" target="_blank">icarus.robertpendell.com</a> 3.14.4-x86_64-linode40 #1 SMP Tue May<br>
> >13 12:25:05 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux<br>
> >shinji@icarus:~$ ls -ld /proc<br>
> >dr-xr-xr-x 124 root root 0 May 23 19:26 /proc<br>
> ><br>
> >shinji@icarus:~$ uname -a<br>
> >Linux <a href="http://icarus.robertpendell.com" target="_blank">icarus.robertpendell.com</a> 3.15.4-x86_64-linode45 #1 SMP Mon Jul 7<br>
> >08:42:36 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux<br>
> >shinji@icarus:~$ ls -ld /proc<br>
> >dr-xr-xr-x 98 root root 0 Jul 31 18:09 /proc<br>
> >Robert Pendell<br>
> ><a href="mailto:shinji@elite-systems.org">shinji@elite-systems.org</a><br>
> >A perfect world is one of chaos.<br>
> ><br>
> ><br>
> >On Thu, Jul 31, 2014 at 10:59 AM, Serge Hallyn <<a href="mailto:serge.hallyn@ubuntu.com">serge.hallyn@ubuntu.com</a>> wrote:<br>
> >>Quoting Tiit Kaeeli (<a href="mailto:kaeeli@quretec.com">kaeeli@quretec.com</a>):<br>
> >>>On Mon, 28 Jul 2014, Tiit Kaeeli wrote:<br>
> >>><br>
> >>>>Hi,<br>
> >>>><br>
> >>>>I am having a little issue setting kernel.shmmax in LXC<br>
> >>>>unprivileged container (lxc=1.0.4-0ubuntu0.1)<br>
> >>>><br>
> >>>>In <a href="https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1021411" target="_blank">https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1021411</a><br>
> >>>>it is stated, that it should be possible since lxc 0.7.5-3ubuntu60<br>
> >>>>At least there is no information, that it will only apply to<br>
> >>>>privileged containers.<br>
> >>>><br>
> >>>>I have also tried disabling apparmor and adding<br>
> >>>>lxc.mount.auto = proc:rw sys:rw<br>
> >>>>to container conf.<br>
> >>>><br>
> >>>>But still<br>
> >>>>sysctl: permission denied on key 'kernel.shmmax'<br>
> >>>>At the same time setting for example<br>
> >>>>net.ipv6.conf.all.disable_ipv6 succeeds!<br>
> >>>><br>
> >>>>mount -o remount,rw -t proc /proc /proc<br>
> >>>>mount: permission denied<br>
> >>>><br>
> >>>>/proc/ is owned by nobody.nogroup<br>
> >>>><br>
> >>>>What am I missing?<br>
> >>><br>
> >>><br>
> >>>Any ideas? can this be done at all on unprivileged containers?<br>
> >><br>
> >>Hi,<br>
> >><br>
> >>which kernel are you on?<br>
> >><br>
> >>I've just noticed that on my utopic (3.16 kernel) laptop I have the<br>
> >>same problem. All of /proc is owned by nobody:nogroup. On my 3.13<br>
> >>kernel /proc is owned by root, including /proc/sys/kernel/shmmax.<br>
> >><br>
> >>So this looks like a new kernel bug.<br>
> >><br>
> >>-serge<br>
> >>_______________________________________________<br>
> >>lxc-users mailing list<br>
> >><a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> >><a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
><br>
> --<br>
><br>
> Tiit Kaeeli<br>
> OU Quretec<br>
> <a href="mailto:tiit.kaeeli@quretec.com">tiit.kaeeli@quretec.com</a><br>
> Tel:<a href="tel:%2B372%205%20070%20359" value="+3725070359">+372 5 070 359</a><br>
</div></div></blockquote></div><br></div>
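The symptom described in this thread (/proc showing up as nobody:nogroup inside an unprivileged container, and "permission denied" on kernel.shmmax while a net.ipv6 sysctl still works) can be checked without writing anything to /proc/sys. The script below is an added diagnostic, not code from the thread or from the LXC project. It assumes it is run inside the container on Linux with GNU coreutils `stat`; the key names it probes are the two the thread mentions. The kernel reports ids that are not mapped into the current user namespace as the overflow ids (65534 by default), which `ls` renders as nobody:nogroup, so comparing the owner of /proc against the overflow uid tells you whether the proc instance is reachable from the container's mapping. Writability is probed with the shell's `-w` access check only, so nothing is modified.

```shell
#!/bin/sh
# Added example (not from the thread): run inside the container to see whether
# /proc and a given sysctl key are reachable from this user namespace.
# Assumes Linux with GNU coreutils `stat`.

# Ids not mapped into the current user namespace are shown as the overflow
# ids (65534 by default); ls renders them as nobody:nogroup.
overflow_uid() {
    cat /proc/sys/kernel/overflowuid 2>/dev/null || echo 65534
}

# owner_state UID OVERFLOW_UID -> "unmapped" if the owner is the overflow id,
# otherwise "mapped".
owner_state() {
    if [ "$1" -eq "$2" ]; then
        echo unmapped
    else
        echo mapped
    fi
}

# sysctl_path KEY -> the /proc/sys file behind a dotted sysctl name.
sysctl_path() {
    echo "/proc/sys/$(printf '%s' "$1" | tr . /)"
}

# sysctl_state KEY -> "missing", "writable" or "readonly" for the calling uid.
# Uses the access check (-w) so nothing is actually written to the key.
sysctl_state() {
    p=$(sysctl_path "$1")
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -w "$p" ]; then
        echo writable
    else
        echo readonly
    fi
}

# report: print the uid mapping, the ownership state of /proc, and the
# writability of the two keys discussed in the thread.
report() {
    ovf=$(overflow_uid)
    uid=$(stat -c '%u' /proc 2>/dev/null || echo "$ovf")
    echo "uid_map: $(tr -s ' \n' ' ' < /proc/self/uid_map 2>/dev/null)"
    echo "/proc owner uid $uid: $(owner_state "$uid" "$ovf")"
    for key in kernel.shmmax net.ipv6.conf.all.disable_ipv6; do
        echo "$key: $(sysctl_state "$key")"
    done
}

report
```

When /proc reports "unmapped", the container's uid_map does not cover the owner of the proc mount, and an unprivileged container cannot gain write access to kernel.shmmax by remounting /proc or relaxing the AppArmor profile, which matches what the thread participants observed; a "mapped" result with "readonly" points at ordinary permission bits or a read-only mount instead.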