[lxc-users] Setting kernel.shmmax in unprivileged containers.

Serge Hallyn serge.hallyn at ubuntu.com
Mon Aug 11 23:25:45 UTC 2014


Sorry, yeah, I can reproduce it.

I'm not clear on whether this is new, or whether this has always been the case.

Quoting Ranjib Dey (dey.ranjib at gmail.com):
> Serge, I am able to reproduce with stock ubuntu 14.04 instances in aws,
> using the download template (lxc-create -n foo -t download -- -d ubuntu -a
> amd64 -r trusty). As you have mentioned, /proc is owned by nobody:nogroup,
> I tried starting the container with unconfined aa profile without any
> success.
> 
> Kernel version:  3.13.0-3
> LXC:  1.0.5
> 
> On Mon, Aug 11, 2014 at 8:53 AM, Serge Hallyn <serge.hallyn at ubuntu.com>
> wrote:
> 
> > I currently have no problem either on trusty or utopic.
> >
> > My kernels are 3.16.0-6-generic and 3.13.0-24-generic .  This doesn't
> > match either of your kernels.
> >
> > Please show the container configuration file, as well as the
> > contents of the apparmor policy the container is using and
> > /etc/apparmor.d/abstractions/lxc/container-base
> >
> > Quoting Tiit Kaeeli (kaeeli at quretec.com):
> > > So something must be wrong in my configuration.
> > >
> > > I have changed /usr/share/lxc/config/ubuntu.common.conf:
> > >
> > > # lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> > > lxc.mount.auto = proc:rw
> > >
> > > And have not found anything else regarding mounting of /proc
> > > But this does not help.
> > >
> > > (server is running Ubuntu Trusty)
> > >
> > > On Thu, 31 Jul 2014, Robert Pendell wrote:
> > >
> > > >I just tested on my vps with Linode and I was still running on 3.14
> > > >(they have 3.15 now) so I checked then rebooted and checked again.
> > > >After reboot I was up to 3.15 as provided by the host.  In both cases
> > > >/proc as well as all of the contents was owned by root.
> > > >
> > > > >shinji@icarus:~$ uname -a
> > > > >Linux icarus.robertpendell.com 3.14.4-x86_64-linode40 #1 SMP Tue May
> > > > >13 12:25:05 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
> > > > >shinji@icarus:~$ ls -ld /proc
> > > > >dr-xr-xr-x 124 root root 0 May 23 19:26 /proc
> > > > >
> > > > >shinji@icarus:~$ uname -a
> > > > >Linux icarus.robertpendell.com 3.15.4-x86_64-linode45 #1 SMP Mon Jul 7
> > > > >08:42:36 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
> > > > >shinji@icarus:~$ ls -ld /proc
> > > > >dr-xr-xr-x 98 root root 0 Jul 31 18:09 /proc
> > > >Robert Pendell
> > > >shinji at elite-systems.org
> > > >A perfect world is one of chaos.
> > > >
> > > >
> > > >On Thu, Jul 31, 2014 at 10:59 AM, Serge Hallyn <serge.hallyn at ubuntu.com>
> > wrote:
> > > >>Quoting Tiit Kaeeli (kaeeli at quretec.com):
> > > >>>On Mon, 28 Jul 2014, Tiit Kaeeli wrote:
> > > >>>
> > > >>>>Hi,
> > > >>>>
> > > >>>>I am having a little issue setting kernel.shmmax in LXC
> > > >>>>unprivileged container (lxc=1.0.4-0ubuntu0.1)
> > > >>>>
> > > >>>>In https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1021411
> > > >>>>it is stated, that it should be possible since lxc 0.7.5-3ubuntu60
> > > >>>>At least there is no information, that it will only apply to
> > > >>>>privileged containers.
> > > >>>>
> > > >>>>I have also tried disabling apparmor and adding
> > > >>>>lxc.mount.auto = proc:rw sys:rw
> > > >>>>to container conf.
> > > >>>>
> > > >>>>But still
> > > >>>>sysctl: permission denied on key 'kernel.shmmax'
> > > >>>>At the same time setting for example
> > > >>>>net.ipv6.conf.all.disable_ipv6 succeeds!
> > > >>>>
> > > >>>>mount -o remount,rw -t proc /proc /proc
> > > >>>>mount: permission denied
> > > >>>>
> > > >>>>/proc/ is owned by nobody.nogroup
> > > >>>>
> > > >>>>What am I missing?
> > > >>>
> > > >>>
> > > >>>Any ideas? can this be done at all on unprivileged containers?
> > > >>
> > > >>Hi,
> > > >>
> > > >>which kernel are you on?
> > > >>
> > > >>I've just noticed that on my utopic (3.16 kernel) laptop I have the
> > > >>same problem.  All of /proc is owned by nobody:nogroup.  On my 3.13
> > > >>kernel /proc is owned by root, including /proc/sys/kernel/shmmax.
> > > >>
> > > >>So this looks like a new kernel bug.
> > > >>
> > > >>-serge
> > > >>_______________________________________________
> > > >>lxc-users mailing list
> > > >>lxc-users at lists.linuxcontainers.org
> > > >>http://lists.linuxcontainers.org/listinfo/lxc-users
> > >
> > > --
> > >
> > > Tiit Kaeeli
> > > OU Quretec
> > > tiit.kaeeli at quretec.com
> > > Tel:+372 5 070 359
> >

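As an added example (not code from the thread or from the LXC project), a diagnostic script to run inside the container that collects the facts asked for above: kernel version, the namespace's uid_map, the owner of /proc and of the shmmax sysctl file compared against the kernel's overflow ids, and whether the file is writable. It assumes GNU coreutils `stat`; an owner id that has no mapping in the container's user namespace is displayed as the overflow uid/gid, which is what `ls` shows as nobody:nogroup.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): gathers what Serge asked for and
# explains the nobody:nogroup ownership. Assumes GNU stat and a Linux /proc.

# An owner id equal to the kernel's overflow uid/gid is an id that has no
# mapping in this user namespace (shown as nobody:nogroup by ls).
classify_owner() {
    # $1 uid, $2 gid, $3 overflowuid, $4 overflowgid
    if [ "$1" -eq "$3" ] || [ "$2" -eq "$4" ]; then
        echo unmapped
    else
        echo mapped
    fi
}

# Return 0 if host uid $1 lies in some "inner outer count" range of the
# uid_map text in $2 (the format of /proc/self/uid_map).
host_uid_is_mapped() {
    found=1
    while read -r inner outer count; do
        [ -z "$inner" ] && continue
        if [ "$1" -ge "$outer" ] && [ "$1" -lt $((outer + count)) ]; then
            found=0
        fi
    done <<EOF
$2
EOF
    return $found
}

# Live report for one sysctl file (default: the key from the thread).
proc_report() {
    path=${1:-/proc/sys/kernel/shmmax}
    ovuid=$(cat /proc/sys/kernel/overflowuid)
    ovgid=$(cat /proc/sys/kernel/overflowgid)
    echo "kernel:  $(uname -r)"
    echo "uid_map: $(tr '\n' ';' < /proc/self/uid_map)"
    for f in /proc "$path"; do
        set -- $(stat -c '%u %g' "$f")
        echo "$f owner uid=$1 gid=$2: $(classify_owner "$1" "$2" "$ovuid" "$ovgid")"
    done
    [ -w "$path" ] && echo "$path is writable" || echo "$path is not writable"
    if host_uid_is_mapped 0 "$(cat /proc/self/uid_map)"; then
        echo "host uid 0 is mapped here, so root-owned host files show as root"
    else
        echo "host uid 0 is not mapped here, so root-owned host files show as uid $ovuid"
    fi
}
```

Run `proc_report` inside the container as the container's root; when host uid 0 is reported as not mapped, a host-root-owned sysctl file will be unwritable regardless of the proc:rw mount setting.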