[lxc-users] sysctl -p no longer allowed in container

Dan Kegel dank at kegel.com
Tue Apr 29 21:41:31 UTC 2014

The patch you sent seems to let the container set kernel.sem,
and my build is back to green, thanks.

You should probably ignore the problem in the outer system for now -
If I run into it again on a clean machine I'll post again.
- Dan

On Tue, Apr 29, 2014 at 2:20 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Dan Kegel (dank at kegel.com):
>> This may be a jinxed machine.  I installed it from trusty beta 2.  I
>> should probably try again with the released version.
>> Inside the container:
>> /proc/self/attr/current says lxc-container-default (enforce)
>> There's no line in syslog, and I don't have an audit/audit.log.
>> strace shows
>> open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCESS
> Those make sense,
>> apt-cache policy apparmor says it's not installed.
>> Installing it says it won't start inside a container.
>> And all this in spite of the container having apparmor off, and being able to
> Are you sure?  In what way did you turn it off?  Because it is
> definately on.
>> happily write to it there.
>> I haven't been able to set that parameter in the container yet today :-(
>> /var/log/upstart/procps.log in the container also shows
>>   sysctl: permission denied on key 'kernel.sem'
>> (since I put that setting into /etc/sysctl.conf)
>> And apparmor_status inside lxc fails with permission denied on
>> /sys/kernel/security/apparmor/profiles
>> (which doesn't seem too surprising, but what do I know...)
> Right, but in the last email you said that you also could not
> set the sysctl from the host, not inside a container.  That's
> the one that worries me.  Can you show the same things for a
> root shell on the host?
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

More information about the lxc-users mailing list