<div dir="ltr"><div>I thought I'd write back (a couple of months later!) to say that I found a way to solve my problem in case it helps someone else or there's a better way to do this. To recap, I'm using Ubuntu 16.04 with latest lxd from snap and trying to run as container non-root user a program in a privileged container that needs to increase thread real-time priorities. I've set</div><div style="margin-left:40px"> raw.lxc: |-<br> lxc.cap.drop=<br> limits.kernel.rtprio=99<br> security.privileged: "true"</div><div>in the config, and this is sufficient to allow container root to increase real-time priorities, but not non-root users, even though the limit files in /etc/security should allow this, and I have both container user ids and group ids mapped to ids that can do this on the host.<br></div><div><br></div><div>Solution: if in the container I use 'sudo prlimit -r99 -p$$' to raise the limit on the non-root user's shell process, any program I now start from the shell as non-root user can now raise real-time priorities. This works well enough for me, but it would be preferable if there's a way to handle it in the container configuration.</div><div><br></div><div>Thanks!</div><div><br></div><div>Mark<br></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 9, 2019 at 11:46 AM Serge E. Hallyn <<a href="mailto:serge@hallyn.com">serge@hallyn.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">It looks like the kernel is gating this on having CAP_SYS_NICE<br>
in the initial user namespace.<br>
<br>
-serge<br>
<br>
On Mon, Apr 01, 2019 at 04:10:57PM -0500, Mark Paterson wrote:<br>
> Any answer on this?<br>
> I'm running lxc from snap, on Ubuntu 16.04. We have a couple of big<br>
> applications at work that I'd like to run in lxc, but only if there is a<br>
> way to make elevated privileges work.<br>
> <br>
> On Wed, Mar 20, 2019 at 2:00 PM Mark Paterson <<a href="mailto:markpaters@gmail.com" target="_blank">markpaters@gmail.com</a>> wrote:<br>
> <br>
> > Hi all!<br>
> > I am trying to run as a non-root user an application in a privileged<br>
> > container that requires setting elevated thread priority. From within the<br>
> > container, elevating priority works if I use sudo, so I can tell that the<br>
> > container is not dropping capabilities. The non-root user is set up in<br>
> > /etc/security/limits.d for rtprio, and is mapped via raw.idmap to a host<br>
> > user with equivalent privileges that work on the host side.<br>
> ><br>
> > However, if I try in the container to chrt a process to a higher priority,<br>
> > I get "Operation not permitted." What am I missing?<br>
> ><br>
> > Thanks!<br>
> ><br>
> > Mark<br>
> ><br>
<br>
> _______________________________________________<br>
> lxc-users mailing list<br>
> <a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
</blockquote></div>