[Lxc-users] kernel.shmmax in LXC

Fajar A. Nugraha list at fajar.net
Fri Jun 8 08:27:58 UTC 2012


On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> On 06/07/2012 12:45 PM, Jan Den Ouden wrote:
>> Hi,
>>
>> About a week ago I posted exactly the same question on this list, but I
>> didn't get any responses. I have googled high and low for the answer to
>> this, but no result. It's not related to capabilities, because you can only
>> drop capabilities, not add them. It's not related to the cgroup memory
>> controller, because that seems to deal with total memory, not shared
>> memory. Therefore, I think it's a bug.
>
> I tried on a 3.0.0 kernel version and that works. Isn't possible this is
> related to app armor ?

Yep, that should be it, as with apparmor disabled the following works
on the guest container in my test system:

# cat /proc/sys/kernel/shmmax
33554432
# echo 335544320 > /proc/sys/kernel/shmmax
# cat /proc/sys/kernel/shmmax
335544320

However, the apparmor problem may not be obvious, because there's no
apparmor warning in syslog when you try to set shmmax with apparmor
enabled. Also:
(1) If you ONLY uncomment "lxc.aa_profile=unconfined" (with apparmor
still enabled), lxc-start fails with
lxc-start: No such file or directory - failed to change apparmor
profile to unconfined
(2) If you ONLY add the /etc/apparmor.d/usr.bin.lxc-start symlink in
/etc/apparmor.d/disable, you still get a permission denied error
(3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor
teardown), lxc-start fails with
lxc-start: No such file or directory - failed to change apparmor
profile to lxc-container-default
(4) Combining (1) and (2), or (1) and (3), you can set shmmax from
inside the guest container

So there's probably still a bug (or more) in Ubuntu's apparmor-lxc combo.

-- 
Fajar
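The check Fajar describes above (read shmmax, write it, read it back) is easy to wrap into a small diagnostic that also reports whether AppArmor is enabled and which confinement label the process is running under, which is the information missing from syslog when the write is silently refused. The script below is an added example, not code from the thread or the LXC project. It assumes the standard AppArmor interfaces `/sys/module/apparmor/parameters/enabled` and `/proc/self/attr/current`; the `SHMMAX_PATH` variable is a hypothetical override so the same functions can be exercised against an ordinary file instead of the real sysctl.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): check whether kernel.shmmax
# can be changed from inside a container and whether AppArmor confinement is a
# plausible reason when it cannot. The write is non-destructive: it writes back
# the value that is already set, so a successful run changes nothing.

# Hypothetical override used for testing; defaults to the real sysctl file.
SHMMAX_PATH="${SHMMAX_PATH:-/proc/sys/kernel/shmmax}"

# Print the current AppArmor confinement label, e.g. "unconfined" or a profile
# name such as "lxc-container-default", or "unknown" if unreadable.
apparmor_label() {
    label="$(cat /proc/self/attr/current 2>/dev/null)"
    [ -n "$label" ] && echo "$label" || echo "unknown"
}

# Return 0 if the AppArmor module reports itself enabled, 1 otherwise.
apparmor_enabled() {
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]
}

# Read the current shmmax value from the given sysctl file (fails if unreadable).
read_shmmax() {
    cat "$1"
}

# Try to write a value to the given sysctl file and verify it stuck.
# Returns 0 on success, 1 on a refused or ineffective write. The shell
# redirection is the same operation as the thread's
# "echo 335544320 > /proc/sys/kernel/shmmax".
try_set_shmmax() {
    path="$1"
    value="$2"
    if echo "$value" > "$path" 2>/dev/null; then
        [ "$(cat "$path" 2>/dev/null)" = "$value" ]
    else
        return 1
    fi
}

# Full diagnosis: report confinement, then write the existing value back.
# Returns 0 if the sysctl is writable, 1 if refused, 2 if it cannot be read.
diagnose_shmmax() {
    path="$1"
    current="$(read_shmmax "$path" 2>/dev/null)" || {
        echo "cannot read $path"
        return 2
    }
    echo "kernel.shmmax = $current"
    if apparmor_enabled; then
        echo "apparmor: enabled, label=$(apparmor_label)"
    else
        echo "apparmor: disabled"
    fi
    if try_set_shmmax "$path" "$current"; then
        echo "write to $path: OK"
        return 0
    fi
    echo "write to $path: refused (no syslog entry is expected from AppArmor)"
    echo "hint: compare lxc.aa_profile in the container config with the label above"
    return 1
}

# Run the diagnosis against the configured path; never abort the shell.
diagnose_shmmax "$SHMMAX_PATH" || true
```

Run it as root inside the container; a refusal together with a label other than `unconfined` points at the AppArmor profile rather than at capabilities or the memory cgroup, matching the conclusion reached in the thread.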