[Lxc-users] kernel.shmmax in LXC
Jan Den Ouden
jan.ml at denouden.info
Wed Jun 13 11:46:48 UTC 2012
I can confirm that using (1) and (2) together solves the problem. Many
thanks again for your help!
On Sat, Jun 9, 2012 at 6:56 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On 06/09/2012 06:38 AM, Fajar A. Nugraha wrote:
> > On Fri, Jun 8, 2012 at 8:47 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> >> On 06/08/2012 04:27 AM, Fajar A. Nugraha wrote:
> >>> On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> >>>> On 06/07/2012 12:45 PM, Jan Den Ouden wrote:
> >>>>> Hi,
> >>>>>
> >>>>> About a week ago I posted exactly the same question on this list, but I
> >>>>> didn't get any responses. I have googled high and low for the answer to
> >>>>> this, but no result. It's not related to capabilities, because you can only
> >>>>> drop capabilities, not add them. It's not related to the cgroup memory
> >>>>> controller, because that seems to deal with total memory, not shared
> >>>>> memory. Therefore, I think it's a bug.
> >>>>
> >>>> I tried on a 3.0.0 kernel version and that works. Isn't it possible this is
> >>>> related to AppArmor?
> >>>
> >>> Yep, that should be it, as testing with apparmor disabled the
> >>> following works on guest container in my test system
> >>>
> >>> # cat /proc/sys/kernel/shmmax
> >>> 33554432
> >>> # echo 335544320 > /proc/sys/kernel/shmmax
> >>> # cat /proc/sys/kernel/shmmax
> >>> 335544320
> >>>
> >>> However the apparmor problem might not seem obvious because there's no
> >>> apparmor warning on syslog when you try to set shmmax with apparmor
> >>> enabled. Also:
> >>> (1) If you ONLY uncomment "lxc.aa_profile=unconfined" (with apparmor
> >>> still enabled), lxc-start failed with
> >>> lxc-start: No such file or directory - failed to change apparmor
> >>> profile to unconfined
> >>> (2) If you ONLY add the /etc/apparmor.d/usr.bin.lxc-start symlink to
> >>> /etc/apparmor.d/disable, you'd still get a permission denied error
> >>> (3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor
> >>> teardown), lxc-start failed with
> >>> lxc-start: No such file or directory - failed to change apparmor
> >>> profile to lxc-container-default
> >>> (4) Combining (1) and (2), or (1) and (3), you can set shmmax from
> >>> inside the guest container
> >>>
> >>> so there's probably still a bug (or more) in Ubuntu's apparmor-lxc combo.
> >>
> >> Please reboot your machine ;) The unconfined profile problem (giving you
> >> the "No such file or directory" error) was a kernel bug and was fixed a couple
> >> of weeks ago, which makes me think you're running an out-of-date kernel.
> >
> > Probably. Although there's no "please restart to complete update"
> > warning on my desktop. It's not really urgent for me though, so I'll
> > just reboot later when possible.
> >
> > Thanks for letting me know that this is a fixed issue.
>
> Actually I was wrong, the fixed kernel hasn't been pushed to -updates
> yet, it's still in -proposed. So unconfined will be working whenever you
> get the next kernel update (should be released in a few days.)
>
> >>
> >> As for shmmax, it's simply not whitelisted at the moment, as it wasn't in
> >> the list of known-safe container-aware proc entries; we probably should
> >> whitelist it (after doing some extra checking).
> >
> > BTW, I thought that all blocks done by selinux would show up in
> > syslog? Am I looking in the wrong place?
> >
> > If there were a warning on syslog, the OP would've probably been able
> > to solve their problem by themselves earlier.
> >
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
>
>
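Editor's added example (not code from the thread, from Ubuntu, or from the LXC project): a POSIX shell script that checks, on the host, the two settings Fajar had to combine in (4), and, inside the guest, attempts the shmmax write and confirms it by reading the value back. The read-back matters because the thread reports that AppArmor logs nothing to syslog for this denial, so an empty log is not evidence that the write went through. The paths (/etc/apparmor.d/disable/usr.bin.lxc-start, lxc.aa_profile in the container config, /proc/sys/kernel/shmmax) and the value 335544320 are the ones used above; the function names, the optional directory argument used for testing, and the CONTAINER placeholder are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the LXC project. Helper functions for
# checking the host-side AppArmor/LXC settings discussed in the thread and for
# testing a sysctl write from inside the guest with a read-back. Function
# names are this example's own; paths are the ones named in the thread.
set -u

# Print the AppArmor label of the calling process, e.g. "unconfined" or
# "lxc-container-default (enforce)". Prints "unavailable" when the kernel
# does not expose one (no LSM label to read).
current_aa_label() {
    label=""
    if [ -r /proc/self/attr/current ]; then
        label=$(cat /proc/self/attr/current 2>/dev/null || true)
    fi
    printf '%s\n' "${label:-unavailable}"
}

# Print the effective lxc.aa_profile value from a container config file,
# skipping commented-out lines such as "#lxc.aa_profile = unconfined".
# Prints nothing when unset, in which case lxc-start applies its default
# profile (lxc-container-default on Ubuntu, per the thread).
config_aa_profile() {
    sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Step (2) from the thread: is the lxc-start profile disabled through the
# /etc/apparmor.d/disable/usr.bin.lxc-start symlink? The optional argument
# overrides the apparmor.d directory (used by the tests). Returns 0 if disabled.
lxc_start_profile_disabled() {
    aa_dir="${1:-/etc/apparmor.d}"
    [ -L "$aa_dir/disable/usr.bin.lxc-start" ] || [ -e "$aa_dir/disable/usr.bin.lxc-start" ]
}

# Write a sysctl value through its /proc/sys file and confirm it by reading it
# back. The read-back is the point: the thread reports that AppArmor blocks
# this write without a syslog entry, so "nothing logged" proves nothing.
# Returns 0 when the new value is in place, 1 when the write was refused or
# did not stick, 2 when the file cannot be read at all.
set_and_verify_sysctl() {
    path="$1"
    want="$2"
    [ -r "$path" ] || return 2
    before=$(cat "$path" 2>/dev/null || true)
    if ! printf '%s\n' "$want" > "$path" 2>/dev/null; then
        echo "$path: write refused (value still $before)" >&2
        return 1
    fi
    after=$(cat "$path" 2>/dev/null || true)
    if [ "$after" = "$want" ]; then
        echo "$path: $before -> $after"
        return 0
    fi
    echo "$path: write accepted but value is $after, not $want" >&2
    return 1
}

# Host side: report the two settings that had to be combined in (4).
diagnose_host() {
    config="$1"
    profile=$(config_aa_profile "$config")
    echo "lxc.aa_profile in $config: ${profile:-<unset, default profile applies>}"
    if lxc_start_profile_disabled; then
        echo "usr.bin.lxc-start profile: disabled via /etc/apparmor.d/disable"
    else
        echo "usr.bin.lxc-start profile: active"
    fi
}

# Guest side: show the label this shell runs under, then try Fajar's value.
diagnose_guest() {
    echo "AppArmor label of this shell: $(current_aa_label)"
    set_and_verify_sysctl /proc/sys/kernel/shmmax 335544320
}

# Usage: "<script> host /var/lib/lxc/CONTAINER/config" on the host,
# "<script> guest" inside the container. CONTAINER is a placeholder.
case "${1:-}" in
    host)  diagnose_host "${2:?path to the container config is required}" ;;
    guest) diagnose_guest ;;
esac
```

A refused write in the guest while the host's syslog stays quiet is exactly the symptom the thread describes; if the host report shows lxc.aa_profile unset or the usr.bin.lxc-start profile still active, one of the two steps from (4) is missing.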