[lxc-users] sysctl -p no longer allowed in container
serge.hallyn at ubuntu.com
Tue Apr 29 21:20:14 UTC 2014
Quoting Dan Kegel (dank at kegel.com):
> This may be a jinxed machine. I installed it from trusty beta 2. I
> should probably try again with the released version.
> Inside the container:
> /proc/self/attr/current says lxc-container-default (enforce)
> There's no line in syslog, and I don't have an audit/audit.log.
> strace shows
> open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCESS
Those make sense,
> apt-cache policy apparmor says it's not installed.
> Installing it says it won't start inside a container.
> And all this in spite of the container having apparmor off, and being able to
Are you sure? In what way did you turn it off? Because it is
> happily write to it there.
> I haven't been able to set that parameter in the container yet today :-(
> /var/log/upstart/procps.log in the container also shows
> sysctl: permission denied on key 'kernel.sem'
> (since I put that setting into /etc/sysctl.conf)
> And apparmor_status inside lxc fails with permission denied on
> (which doesn't seem too surprising, but what do I know...)
Right, but in the last email you said that you also could not
set the sysctl from the host, not inside a container. That's
the one that worries me. Can you show the same things for a
root shell on the host?
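A small probe script, added here as an example and not taken from the thread or from the lxc project, that collects the same two facts in the same way in a container shell and in a root shell on the host so the outputs can be compared: the confinement label from /proc/self/attr/current, and whether each sysctl key can be opened for writing (without changing its value). The PROC_ROOT override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic helper for the sysctl-in-container question above; not
# code from the lxc project. PROC_ROOT (hypothetical, default /proc) lets the
# functions be exercised against a constructed directory tree.

# kernel.sem -> kernel/sem
sysctl_key_to_path() {
  printf '%s\n' "$1" | tr '.' '/'
}

# Prints the LSM confinement label (e.g. "lxc-container-default (enforce)"),
# or a marker when the attr file cannot be read.
lsm_label() {
  cat "${PROC_ROOT:-/proc}/self/attr/current" 2>/dev/null || echo "label-unavailable"
}

# Prints missing / writable / denied for one key and returns 1 / 0 / 2.
# The probe opens the file for writing (O_WRONLY|O_APPEND) and writes nothing,
# so the value is left untouched but both DAC and the LSM's open-time check
# run. A plain [ -w ] test only consults permission bits via access(2) and
# can report "writable" even where open() is refused by an AppArmor profile.
sysctl_write_status() {
  path="${PROC_ROOT:-/proc}/sys/$(sysctl_key_to_path "$1")"
  if [ ! -e "$path" ]; then
    echo "missing"; return 1
  fi
  if ( : >>"$path" ) 2>/dev/null; then
    echo "writable"; return 0
  fi
  echo "denied"; return 2
}

# Usage: sh sysctl_probe.sh kernel.sem net.ipv4.ip_forward
# Run once inside the container and once as root on the host, then diff.
if [ "$#" -gt 0 ]; then
  echo "label: $(lsm_label)"
  for key in "$@"; do
    echo "$key: $(sysctl_write_status "$key")"
  done
fi
```

A "denied" result with a label other than "unconfined" points at the LSM profile; "denied" from a root shell on the host with an unconfined label is the case the thread is still trying to explain.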