[lxc-users] sysctl -p no longer allowed in container
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Apr 29 19:15:24 UTC 2014
Quoting Dan Kegel (dank at kegel.com):
> My scripts were (unwisely) expecting to be able to do things like
> echo "kernel.sem = 250 65536 32 32768" | sudo tee -a /etc/sysctl.conf
> sudo /sbin/sysctl -p
> inside the container. Tsk. I seem to have gotten away with it in
> Ubuntu 12.04, but Ubuntu 14.04 complains
> + sudo /sbin/sysctl -p
> sysctl: permission denied on key 'kernel.sem'
>
> That makes sense -- containers shouldn't be able to tweak kernel parameters.
> So now I'm rejiggering my scripts to do that outside the container.
>
> Onwards!
Hm, actually I think that one should be fine. The apparmor profile
exempts /proc/sys/kernel/shm*, and it looks like /proc/sys/kernel/sem
should also be allowed as it looks to be correctly namespaced - i.e.
the container won't affect the host's settings.
-serge
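As an added illustration (not part of the thread, and not an lxc script), the following POSIX shell functions let an operator check, before running `sysctl -p` inside a container, whether a key such as kernel.sem is even visible and writable there, and whether the kernel namespaces it so that a write inside a fresh IPC namespace does not show up outside. It assumes a Linux /proc/sys layout and a util-linux `unshare` that supports `--ipc`; the namespace probe needs CAP_SYS_ADMIN, and the sample value used in it is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes Linux
# /proc/sys and util-linux 'unshare --ipc' (needs CAP_SYS_ADMIN).

# Translate a sysctl key (kernel.sem) into its /proc/sys path.
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Pick one of the four kernel.sem fields: 1=SEMMSL 2=SEMMNS 3=SEMOPM 4=SEMMNI.
sem_field() {
    printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'
}

# Report, without writing anything, whether a key is absent, read-only or
# writable from the current mount/apparmor view (what 'sysctl -p' would hit).
sysctl_access() {
    p=$(sysctl_path "$1")
    if [ ! -e "$p" ]; then echo "absent"; return 0; fi
    if [ -w "$p" ]; then echo "writable"; else echo "read-only"; fi
}

# Probe whether a key is IPC-namespaced: write $2 inside a fresh IPC
# namespace and confirm the value seen outside did not change.
# Returns 0 if namespaced, 1 if the outside value changed, 2 if the probe
# could not run (no unshare, no privilege, key unreadable).
ipc_namespaced() {
    p=$(sysctl_path "$1")
    command -v unshare >/dev/null 2>&1 || return 2
    before=$(cat "$p" 2>/dev/null) || return 2
    inside=$(unshare --ipc sh -c "echo '$2' > '$p' 2>/dev/null; cat '$p'") || return 2
    outside=$(cat "$p")
    [ "$outside" = "$before" ] && [ "$inside" = "$2" ]
}

# Usage: check the key from the thread before touching /etc/sysctl.conf.
# (Constructed sample value, taken from the quoted message.)
key=kernel.sem
want="250 65536 32 32768"
echo "$key: $(sysctl_access "$key"), SEMMNS would be $(sem_field "$want" 2)"
ipc_namespaced "$key" "$want"
case $? in
    0) echo "$key is namespaced: safe to set per container" ;;
    1) echo "$key leaked outside the IPC namespace: set it on the host" ;;
    *) echo "could not probe $key (needs unshare and CAP_SYS_ADMIN)" ;;
esac
```

On an unprivileged container the `sysctl_access` result is what matters: a `read-only` answer for kernel.sem means the apparmor profile or a read-only /proc/sys mount will make `sysctl -p` fail exactly as Dan saw, regardless of whether the kernel itself namespaces the key.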