[lxc-users] sysctl -p no longer allowed in container

Dan Kegel dank at kegel.com
Tue Apr 29 20:56:56 UTC 2014


This may be a jinxed machine.  I installed it from trusty beta 2.  I
should probably try again with the released version.

Inside the container:

/proc/self/attr/current says lxc-container-default (enforce)
There's no line in syslog, and I don't have an audit/audit.log.
strace shows
open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES
apt-cache policy apparmor says it's not installed.
Installing it says it won't start inside a container.

And all this in spite of the container having apparmor off, and being able to
happily write to it there.

I haven't been able to set that parameter in the container yet today :-(

/var/log/upstart/procps.log in the container also shows
  sysctl: permission denied on key 'kernel.sem'
(since I put that setting into /etc/sysctl.conf)

And apparmor_status inside lxc fails with permission denied on
/sys/kernel/security/apparmor/profiles
(which doesn't seem too surprising, but what do I know...)



On Tue, Apr 29, 2014 at 1:25 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Dan Kegel (dank at kegel.com):
>> OK, it's not as benign as I thought; I can't even do the setting in the host
>> without disabling apparmor.  So I guess I should file a bug against
>
> Hm?  I don't have that problem...  what is in /proc/self/attr/current?
> Does /var/log/audit/audit.log or /var/log/syslog show an apparmor
> denial for it?  what does strace show?
>
>> ubuntu 14.04 apparmor.  Thanks!
>> - Dan
>>
>> On Tue, Apr 29, 2014 at 12:17 PM, Dan Kegel <dank at kegel.com> wrote:
>> > Think I should file a bug?  (And against what?)
>> > - Dan
>> >
>> > On Tue, Apr 29, 2014 at 12:15 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> >> Quoting Dan Kegel (dank at kegel.com):
>> >>> My scripts were (unwisely) expecting to be able to do things like
>> >>>         echo "kernel.sem = 250 65536 32 32768" | sudo tee -a /etc/sysctl.conf
>> >>>         sudo /sbin/sysctl -p
>> >>> inside the container.  Tsk.  I seem to have gotten away with it in
>> >>> Ubuntu 12.04, but Ubuntu 14.04 complains
>> >>>    + sudo /sbin/sysctl -p
>> >>>    sysctl: permission denied on key 'kernel.sem'
>> >>>
>> >>> That makes sense -- containers shouldn't be able to tweak kernel parameters.
>> >>> So now I'm rejiggering my scripts to do that outside the container.
>> >>>
>> >>> Onwards!
>> >>
>> >> Hm, actually I think that one should be fine.  The apparmor profile
>> >> exempts /proc/sys/kernel/shm*, and it looks like /proc/sys/kernel/sem
>> >> should also be allowed as it looks to be correctly namespaced - i.e.
>> >> the container won't affect the host's settings.
>> >>
>> >> -serge
>> >> _______________________________________________
>> >> lxc-users mailing list
>> >> lxc-users at lists.linuxcontainers.org
>> >> http://lists.linuxcontainers.org/listinfo/lxc-users
