[Lxc-users] kernel.shmmax in LXC

Stéphane Graber stgraber at ubuntu.com
Sat Jun 9 17:56:40 UTC 2012


On 06/09/2012 06:38 AM, Fajar A. Nugraha wrote:
> On Fri, Jun 8, 2012 at 8:47 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
>> On 06/08/2012 04:27 AM, Fajar A. Nugraha wrote:
>>> On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
>>>> On 06/07/2012 12:45 PM, Jan Den Ouden wrote:
>>>>> Hi,
>>>>>
>>>>> About a week ago I posted exactly the same question on this list, but I
>>>>> didn't get any responses. I have googled high and low for the answer to
>>>>> this, but no result. It's not related to capabilities, because you can only
>>>>> drop capabilities, not add them. It's not related to the cgroup memory
>>>>> controller, because that seems to deal with total memory, not shared
>>>>> memory. Therefore, I think it's a bug.
>>>>
>>>> I tried on a 3.0.0 kernel version and that works. Isn't it possible this is
>>>> related to AppArmor?
>>>
>>> Yep, that should be it, as testing with apparmor disabled the
>>> following works on a guest container in my test system
>>>
>>> # cat /proc/sys/kernel/shmmax
>>> 33554432
>>> # echo 335544320 > /proc/sys/kernel/shmmax
>>> # cat /proc/sys/kernel/shmmax
>>> 335544320
>>>
>>> However the apparmor problem might not seem obvious because there's no
>>> apparmor warning on syslog when you try to set shmmax with apparmor
>>> enabled. Also:
>>> (1) If you ONLY uncomment "lxc.aa_profile=unconfined" (with apparmor
>>> still enabled), lxc-start failed with
>>> lxc-start: No such file or directory - failed to change apparmor
>>> profile to unconfined
>>> (2) If you ONLY add /etc/apparmor.d/usr.bin.lxc-start symlink to
>>> /etc/apparmor.d/disable, you'd still get permission denied error
>>> (3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor
>>> teardown), lxc-start failed with
>>> lxc-start: No such file or directory - failed to change apparmor
>>> profile to lxc-container-default
>>> (4) Combining (1) and (2), or (1) and (3), you can set shmmax from
>>> inside the guest container
>>>
>>> so there's probably still a bug (or more) in ubuntu's apparmor-lxc combo.
>>
>> Please reboot your machine ;) the unconfined profile problem (giving you
>> the No such file or directory) was a kernel bug and was fixed a couple
>> of weeks ago, letting me think you're running an out of date kernel.
> 
> Probably. Although there's no "please restart to complete update"
> warning on my desktop. It's not really urgent for me though, so I'll
> just reboot later when possible.
> 
> Thanks for letting me know that this is a fixed issue.

Actually I was wrong: the fixed kernel hasn't been pushed to -updates
yet; it's still in -proposed. So unconfined will be working whenever you
get the next kernel update (should be released in a few days).

>>
>> As for shmmax, it's simply not whitelisted at the moment as it wasn't in
>> the list of known-safe container aware proc entries, we probably should
>> whitelist it (after doing some extra checking).
> 
> BTW, I thought that all blockings done by selinux would show up on
> syslog? Am I looking at the wrong place?
> 
> If there were a warning on syslog, the OP would've probably been able
> to solve their problem by themselves earlier.
> 


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
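An added diagnostic for the situation Fajar describes; it is not part of the thread. Run from a shell inside the container, it reports which AppArmor profile confines that shell (the kernel exposes it in /proc/self/attr/current) and whether kernel.shmmax can be written, by writing its current value back so nothing changes. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): attribute a silent
# "permission denied" on /proc/sys/kernel/shmmax to the AppArmor profile,
# rather than to capabilities or the memory cgroup, by showing both the
# confinement state and the outcome of a harmless write.

# Print the AppArmor label of this process, e.g.
# "lxc-container-default (enforce)" or "unconfined".
aa_profile() {
    if [ -r /proc/self/attr/current ]; then
        cat /proc/self/attr/current 2>/dev/null || echo "unknown"
    else
        echo "no-apparmor"
    fi
}

# Classify a sysctl entry as writable / denied / missing by reading its
# current value and writing that same value back (a no-op on success).
probe_sysctl_write() {
    path="$1"
    [ -e "$path" ] || { echo "missing"; return 0; }
    cur=$(cat "$path" 2>/dev/null) || { echo "denied"; return 0; }
    if echo "$cur" > "$path" 2>/dev/null; then
        echo "writable"
    else
        echo "denied"
    fi
}

# A confined profile plus "denied" matches the thread: the write is blocked
# by the profile, and the thread reports that no syslog warning was emitted.
echo "apparmor profile: $(aa_profile)"
echo "kernel.shmmax:    $(probe_sysctl_write /proc/sys/kernel/shmmax)"
```

If the profile line reads unconfined and the write is still denied, the cause is elsewhere (read-only /proc/sys mount, missing CAP_SYS_ADMIN), which is what this check is meant to separate.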
