<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Sep 13, 2016 at 3:38 AM, Gregory Lutostanski <span dir="ltr"><<a href="mailto:gregory.lutostanski@canonical.com" target="_blank">gregory.lutostanski@canonical.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div>Hey all.<br><br></div>Curious if anyone has experience with getting capabilities working in unprivileged containers. In particular I am trying to get mlock working...<br><br></div></div></div></div></div></div></div></blockquote><div><br></div><div><br></div><div>It should work. With a catch.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div></div>Everything works as expected running in an unprivileged container. For the lxc.cap.drop is the default (<span><span></span>mac_admin mac_override sys_time sys_module sys_rawio) I believe. So I would think that it would work as is... But it doesn't. I know nothing about capabilities other than "man capabilities". 
I would like it to work for running Vault in an unprivileged lxc (<a href="https://www.vaultproject.io/docs/config/index.html#disable_mlock" target="_blank">https://www.vaultproject.io/docs/config/index.html#disable_mlock</a>), or is that just crazy?<br><br></span></div><span>Is there some set of apparmor/privileges I can grant to the container, other than going fully privileged, that would cover this?<br><br></span></div><span>If anyone is curious, I am running this test to see if it works as expected...<br><a href="https://github.com/linux-test-project/ltp/releases/tag/20160510" target="_blank">https://github.com/linux-test-project/ltp/releases/tag/20160510</a><br>(ltp-full-20160510/testcases/kernel/syscalls/mlock/mlock01.c)<br><br></span></div><span>Any input (even generic points in the right direction) would be helpful.<br><br></span></div></div></div></blockquote><div><br></div><div><br></div><div>Run "ulimit -l" from the container's shell, and then see</div><div><a href="https://github.com/lxc/lxd/issues/745">https://github.com/lxc/lxd/issues/745</a> (in particular, <a href="https://github.com/lxc/lxd/issues/745#issuecomment-114077972">https://github.com/lxc/lxd/issues/745#issuecomment-114077972</a>)<br></div><div><a href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html">https://www.freedesktop.org/software/systemd/man/systemd.exec.html</a> (look for LimitMEMLOCK)<br></div><div><br></div><div>Adjust as needed, restart lxd. Should work.</div><div>I've tested mlock with 32k of memory in an unpriv container, which works. Haven't personally tried adjusting the limit though.</div><div><br></div><div>-- </div><div>Fajar</div></div></div></div>
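An added diagnostic for the situation in this thread (example code, not from the thread, lxd or LTP): it prints the RLIMIT_MEMLOCK soft limit that `ulimit -l` reports, tries to mlock() the 32k the reply mentions, and maps mlock()'s errno onto the two causes an unprivileged container typically hits, the limit versus a zero limit or missing CAP_IPC_LOCK.

```c
/* Added example, not from the thread or LTP: diagnose mlock() inside a container. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Map mlock()'s errno to the likely cause (see mlock(2)): ENOMEM means the
 * request exceeds a non-zero RLIMIT_MEMLOCK, EPERM means the limit is 0 and
 * the process lacks CAP_IPC_LOCK. */
const char *mlock_diagnosis(int err)
{
    switch (err) {
    case 0:      return "ok";
    case ENOMEM: return "over RLIMIT_MEMLOCK: raise ulimit -l / LimitMEMLOCK";
    case EPERM:  return "RLIMIT_MEMLOCK is 0 or CAP_IPC_LOCK missing";
    default:     return "other error";
    }
}

/* Lock `len` bytes of a fresh page-aligned buffer; return 0 or mlock()'s errno. */
int try_mlock(size_t len)
{
    void *buf = NULL;
    if (posix_memalign(&buf, (size_t)sysconf(_SC_PAGESIZE), len) != 0)
        return ENOMEM;
    memset(buf, 0, len);                      /* fault the pages in first */
    int err = (mlock(buf, len) == 0) ? 0 : errno;
    if (err == 0) munlock(buf, len);
    free(buf);
    return err;
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) { perror("getrlimit"); return 1; }
    if (rl.rlim_cur == RLIM_INFINITY)
        printf("RLIMIT_MEMLOCK soft limit: unlimited\n");
    else
        printf("RLIMIT_MEMLOCK soft limit: %llu bytes\n", (unsigned long long)rl.rlim_cur);
    size_t want = 32 * 1024;                  /* the 32k the reply reports locking */
    int err = try_mlock(want);
    printf("mlock(%zu bytes): %s\n", want, mlock_diagnosis(err));
    return err == 0 ? 0 : 2;
}
```

Run it once inside the container and once on the host to compare the soft limit; a limit that is fine on the host but 0 or too small in the container points at the lxd unit's LimitMEMLOCK rather than at lxc.cap.drop.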