[lxc-users] sysctl -p no longer allowed in container
Dan Kegel
dank at kegel.com
Tue Apr 29 20:11:21 UTC 2014
OK, it's not as benign as I thought; I can't even do the setting in the host
without disabling apparmor. So I guess I should file a bug against
ubuntu 14.04 apparmor. Thanks!
- Dan
On Tue, Apr 29, 2014 at 12:17 PM, Dan Kegel <dank at kegel.com> wrote:
> Think I should file a bug? (And against what?)
> - Dan
>
> On Tue, Apr 29, 2014 at 12:15 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> Quoting Dan Kegel (dank at kegel.com):
>>> My scripts were (unwisely) expecting to be able to do things like
>>> echo "kernel.sem = 250 65536 32 32768" | sudo tee -a /etc/sysctl.conf
>>> sudo /sbin/sysctl -p
>>> inside the container. Tsk. I seem to have gotten away with it in
>>> Ubuntu 12.04, but Ubuntu 14.04 complains
>>> + sudo /sbin/sysctl -p
>>> sysctl: permission denied on key 'kernel.sem'
>>>
>>> That makes sense -- containers shouldn't be able to tweak kernel parameters.
>>> So now I'm rejiggering my scripts to do that outside the container.
>>>
>>> Onwards!
>>
>> Hm, actually I think that one should be fine. The apparmor profile
>> exempts /proc/sys/kernel/shm*, and it looks like /proc/sys/kernel/sem
>> should also be allowed as it looks to be correctly namespaced - i.e.
>> the container won't affect the host's settings.
>>
>> -serge
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
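An added example, not from the thread or the LXC project: a POSIX shell script that probes each key of a sysctl.conf-style fragment by writing its current value back through /proc/sys, so a provisioning script can report which keys the container denies (AppArmor policy or a read-only /proc/sys) before running `sysctl -p`. The function names, the constructed fragment and the probe-by-write-back approach are my own assumptions.

```shell
#!/bin/sh
# Added example: probe whether sysctl keys from a fragment can be applied in
# the current context before calling "sysctl -p". Writing a key's current
# value back is a harmless way to find out whether writes are refused.

# Map a sysctl key such as kernel.sem to its /proc/sys path.
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Extract the key from a "key = value" line; comments and blank lines yield nothing.
conf_key() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-]*\)[[:space:]]*=.*/\1/p'
}

# Classify a key: "missing" (no /proc/sys entry here), "denied" (reading or
# writing back the current value is refused, e.g. by the container's AppArmor
# profile or a read-only /proc/sys), or "writable".
probe_key() {
    path=$(sysctl_path "$1")
    [ -e "$path" ] || { echo missing; return 1; }
    cur=$(cat "$path" 2>/dev/null) || { echo denied; return 2; }
    if printf '%s\n' "$cur" > "$path" 2>/dev/null; then
        echo writable
    else
        echo denied
        return 2
    fi
}

# Walk a fragment file and print one status line per key; non-zero if any key
# could not be applied, so the caller can move that step to the host instead.
check_fragment() {
    rc=0
    while IFS= read -r line; do
        key=$(conf_key "$line")
        [ -n "$key" ] || continue
        state=$(probe_key "$key") || rc=1
        printf '%-32s %s\n' "$key" "$state"
    done < "$1"
    return $rc
}

# Constructed fragment mirroring the setting from the thread (assumed values).
FRAGMENT=$(mktemp)
printf 'kernel.sem = 250 65536 32 32768\n# comment line\nkernel.shmmax = 68719476736\n' > "$FRAGMENT"
check_fragment "$FRAGMENT" || echo "some keys cannot be applied here; apply them on the host"
rm -f "$FRAGMENT"
```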