[lxc-users] sysctl -p no longer allowed in container

Serge Hallyn serge.hallyn at ubuntu.com
Tue Apr 29 21:20:14 UTC 2014

Quoting Dan Kegel (dank at kegel.com):
> This may be a jinxed machine.  I installed it from trusty beta 2.  I
> should probably try again with the released version.
> Inside the container:
> /proc/self/attr/current says lxc-container-default (enforce)
> There's no line in syslog, and I don't have an audit/audit.log.
> strace shows
> open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCESS

Those make sense.

> apt-cache policy apparmor says it's not installed.
> Installing it says it won't start inside a container.
> And all this in spite of the container having apparmor off, and being able to

Are you sure?  In what way did you turn it off?  Because it is
definitely on.

> happily write to it there.
> I haven't been able to set that parameter in the container yet today :-(
> /var/log/upstart/procps.log in the container also shows
>   sysctl: permission denied on key 'kernel.sem'
> (since I put that setting into /etc/sysctl.conf)
> And apparmor_status inside lxc fails with permission denied on
> /sys/kernel/security/apparmor/profiles
> (which doesn't seem too surprising, but what do I know...)

Right, but in the last email you said that you also could not
set the sysctl from the host, not inside a container.  That's
the one that worries me.  Can you show the same things for a
root shell on the host?
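As an added example (not code from the thread or from the LXC project), the following script gathers the same facts the reply asks for, so a run inside the container can be compared line by line with a run in a root shell on the host: the AppArmor label from /proc/self/attr/current, an idempotent write probe of kernel.sem, and the last "permission denied" line from /var/log/upstart/procps.log. The file paths and the error text are the ones quoted in the thread; the function names and the verdict wording are mine.

```shell
#!/bin/sh
# Added diagnostic, not part of the lxc-users thread. Run with "--live" to
# collect the facts on the current system; without arguments it only defines
# the helper functions. Paths come from the thread; function names are mine.

# Turn the contents of /proc/self/attr/current, e.g. "lxc-container-default (enforce)",
# into "<profile> <mode>". An unconfined task reads as just "unconfined", so the
# mode is reported as "none".
parse_attr_current() {
    set -- $1
    mode=$(printf '%s' "${2:-none}" | tr -d '()')
    printf '%s %s\n' "$1" "$mode"
}

# Pull the errno name out of a failing strace line such as
# 'open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)'.
strace_errno() {
    printf '%s\n' "$1" | sed -n 's/.*= -1 \([A-Z]*\).*/\1/p'
}

# Given profile, mode and errno, say which layer most likely refused the write.
# EACCES under an enforcing AppArmor profile points at the profile; EROFS means
# /proc/sys is read-only in this mount namespace; an empty errno means success.
explain_denial() {
    profile=$1; mode=$2; errno=$3
    case "$errno" in
        EACCES|EPERM)
            if [ "$mode" = enforce ]; then
                echo "denied by AppArmor profile '$profile' (enforce)"
            else
                echo "denied by DAC or missing capability (profile '$profile' not enforcing)"
            fi ;;
        EROFS) echo "/proc/sys is read-only in this mount namespace" ;;
        "")    echo "write succeeded" ;;
        *)     echo "unexpected errno $errno" ;;
    esac
}

# Idempotent write probe: read the current value of a key and write it back,
# so a successful probe changes nothing. Prints "<key> ok" or the sysctl error.
probe_sysctl() {
    key=$1
    current=$(sysctl -n "$key" 2>/dev/null) || { echo "$key unreadable"; return 1; }
    if err=$(sysctl -w "$key=$current" 2>&1 >/dev/null); then
        echo "$key ok"
    else
        echo "$key $err"
        return 1
    fi
}

# Collect everything in one place; run once in the container and once on the host.
report() {
    label=$(cat /proc/self/attr/current 2>/dev/null || echo unconfined)
    set -- $(parse_attr_current "$label")
    profile=$1; mode=$2
    echo "host/container : $(hostname)"
    echo "apparmor label : $profile ($mode)"
    result=$(probe_sysctl kernel.sem)
    echo "sysctl probe   : $result"
    # Map the sysctl error text (e.g. "permission denied on key 'kernel.sem'")
    # back to an errno name for explain_denial.
    case "$result" in
        *ok)                   errno="" ;;
        *"permission denied"*) errno=EACCES ;;
        *ead-only*)            errno=EROFS ;;
        *)                     errno=UNKNOWN ;;
    esac
    echo "verdict        : $(explain_denial "$profile" "$mode" "$errno")"
    if [ -r /var/log/upstart/procps.log ]; then
        echo "procps.log     : $(grep -h 'permission denied' /var/log/upstart/procps.log | tail -1)"
    fi
}

case "${1:-}" in
    --live) report ;;
esac
```

Run it as `sh check-sysctl.sh --live` from a root shell in both places; a label of `lxc-container-default (enforce)` together with an EACCES verdict inside the container is the expected profile denial, whereas the same denial from an unconfined root shell on the host is the result that needs further explanation.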
