[lxc-users] Setting kernel.shmmax in unprivileged containers.

Serge Hallyn serge.hallyn at ubuntu.com
Tue Aug 12 03:36:40 UTC 2014


I guess the behavior is what we expect of the default.  The sysctl code
simply hasn't been converted yet.  Sadly it won't be the simplest
conversion we've done, as we currently don't store the uid to assign
sysctl files to.  We might simply tag struct ctl_table entries with a
USERNS_SAFE flag and, if that is present, then let the file be owned
by pid_ns->user_ns.  (The super_block's sb->s_fs_info is the
pid_namespace)

Patches would be welcome, but I don't think this is the most urgent
kernel work waiting

-serge

Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> Sorry, yeah, I can reproduce it.
> 
> I'm not clear on whether this is new, or whether this has always been the case.
> 
> Quoting Ranjib Dey (dey.ranjib at gmail.com):
> > Serge, I am able to reproduce with stock ubuntu 14.04 instances in aws,
> > using the download template (lxc-create -n foo -t download -- -d ubuntu -a
> > amd64 -r trusty). As you have mentioned, /proc is owned by nobody:nogroup,
> > I tried starting the container with an unconfined aa profile without any
> > success.
> > 
> > Kernel version:  3.13.0-3
> > LXC:  1.0.5
> > 
> > On Mon, Aug 11, 2014 at 8:53 AM, Serge Hallyn <serge.hallyn at ubuntu.com>
> > wrote:
> > 
> > > I currently have no problem either on trusty or utopic.
> > >
> > > My kernels are 3.16.0-6-generic and 3.13.0-24-generic .  This doesn't
> > > match either of your kernels.
> > >
> > > Please show the container configuration file, as well as the
> > > contents of the apparmor policy the container is using and
> > > /etc/apparmor.d/abstractions/lxc/container-base
> > >
> > > Quoting Tiit Kaeeli (kaeeli at quretec.com):
> > > > So something must be wrong in my configuration.
> > > >
> > > > I have changed /usr/share/lxc/config/ubuntu.common.conf:
> > > >
> > > > # lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> > > > lxc.mount.auto = proc:rw
> > > >
> > > > And have not found anything else regarding mounting of /proc
> > > > But this does not help.
> > > >
> > > > (server is running Ubuntu Trusty)
> > > >
> > > > On Thu, 31 Jul 2014, Robert Pendell wrote:
> > > >
> > > > >I just tested on my vps with Linode and I was still running on 3.14
> > > > >(they have 3.15 now) so I checked then rebooted and checked again.
> > > > >After reboot I was up to 3.15 as provided by the host.  In both cases
> > > > >/proc as well as all of the contents was owned by root.
> > > > >
> > > > >shinji at icarus:~$ uname -a
> > > > >Linux icarus.robertpendell.com 3.14.4-x86_64-linode40 #1 SMP Tue May
> > > > >13 12:25:05 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
> > > > >shinji at icarus:~$ ls -ld /proc
> > > > >dr-xr-xr-x 124 root root 0 May 23 19:26 /proc
> > > > >
> > > > >shinji at icarus:~$ uname -a
> > > > >Linux icarus.robertpendell.com 3.15.4-x86_64-linode45 #1 SMP Mon Jul 7
> > > > >08:42:36 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
> > > > >shinji at icarus:~$ ls -ld /proc
> > > > >dr-xr-xr-x 98 root root 0 Jul 31 18:09 /proc
> > > > >Robert Pendell
> > > > >shinji at elite-systems.org
> > > > >A perfect world is one of chaos.
> > > > >
> > > > >
> > > > >On Thu, Jul 31, 2014 at 10:59 AM, Serge Hallyn <serge.hallyn at ubuntu.com>
> > > wrote:
> > > > >>Quoting Tiit Kaeeli (kaeeli at quretec.com):
> > > > >>>On Mon, 28 Jul 2014, Tiit Kaeeli wrote:
> > > > >>>
> > > > >>>>Hi,
> > > > >>>>
> > > > >>>>I am having a little issue setting kernel.shmmax in LXC
> > > > >>>>unprivileged container (lxc=1.0.4-0ubuntu0.1)
> > > > >>>>
> > > > >>>>In https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1021411
> > > > >>>>it is stated, that it should be possible since lxc 0.7.5-3ubuntu60
> > > > >>>>At least there is no information, that it will only apply to
> > > > >>>>privileged containers.
> > > > >>>>
> > > > >>>>I have also tried disabling apparmor and adding
> > > > >>>>lxc.mount.auto = proc:rw sys:rw
> > > > >>>>to container conf.
> > > > >>>>
> > > > >>>>But still
> > > > >>>>sysctl: permission denied on key 'kernel.shmmax'
> > > > >>>>At the same time setting for example
> > > > >>>>net.ipv6.conf.all.disable_ipv6 succeeds!
> > > > >>>>
> > > > >>>>mount -o remount,rw -t proc /proc /proc
> > > > >>>>mount: permission denied
> > > > >>>>
> > > > >>>>/proc/ is owned by nobody.nogroup
> > > > >>>>
> > > > >>>>What am I missing?
> > > > >>>
> > > > >>>
> > > > >>>Any ideas? can this be done at all on unprivileged containers?
> > > > >>
> > > > >>Hi,
> > > > >>
> > > > >>which kernel are you on?
> > > > >>
> > > > >>I've just noticed that on my utopic (3.16 kernel) laptop I have the
> > > > >>same problem.  All of /proc is owned by nobody:nogroup.  On my 3.13
> > > > >>kernel /proc is owned by root, including /proc/sys/kernel/shmmax.
> > > > >>
> > > > >>So this looks like a new kernel bug.
> > > > >>
> > > > >>-serge
> > > > >>_______________________________________________
> > > > >>lxc-users mailing list
> > > > >>lxc-users at lists.linuxcontainers.org
> > > > >>http://lists.linuxcontainers.org/listinfo/lxc-users
> > > >
> > > > --
> > > >
> > > > Tiit Kaeeli
> > > > OU Quretec
> > > > tiit.kaeeli at quretec.com
> > > > Tel:+372 5 070 359
> > >
> 
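The following is an added example by the editor of this archive page, not code from the thread, from LXC or from the kernel. It turns the diagnostic the thread arrives at (kernel.shmmax is refused while net.ipv6.* is accepted, and /proc shows up as nobody:nogroup inside the container) into a small POSIX sh script. From the host, host_uid_to_ns_uid checks whether a host uid such as root's 0 is mapped into the container's user namespace at all; if it is not, every inode owned by that uid is displayed inside the container as the overflow uid (nobody, 65534 by default) and no uid in the container can own it. From inside the container, sysctl_diag stats the /proc/sys file for a key and reports whether its owner is unmapped, owned by the caller, or someone else. The helper names, the sample uid_map line "0 100000 65536" used in the tests and the example keys are assumptions; stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (editor's, not from this thread, LXC or the kernel): a
# diagnostic for "sysctl: permission denied on key". Helper names and the
# sample uid_map line are assumptions; stat -c is GNU coreutils.

# sysctl_key_to_path KEY: map a dotted sysctl key to its /proc/sys file the
# way sysctl(8) does. A key that already contains '/' is taken literally,
# which is how a key with a dot inside one component is written.
sysctl_key_to_path() {
    case $1 in
        */*) printf '/proc/sys/%s\n' "$1" ;;
        *)   printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)" ;;
    esac
}

# host_uid_to_ns_uid HOST_UID UID_MAP_TEXT: given the container's uid_map as
# read from the host (/proc/<pid>/uid_map, lines of "ns_start host_start count"),
# print the uid the container sees for HOST_UID and return 0, or print nothing
# and return 1 if HOST_UID is not mapped at all. An unmapped owner is what the
# container displays as the overflow uid ("nobody").
host_uid_to_ns_uid() {
    host=$1
    while read -r ns_start host_start count; do
        [ -n "$ns_start" ] || continue
        if [ "$host" -ge "$host_start" ] && [ "$host" -lt $((host_start + count)) ]; then
            echo $((ns_start + host - host_start))
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# classify_sysctl_file OWNER_UID OVERFLOW_UID EUID MODE: classify a /proc/sys
# file from inside the namespace. MODE is the octal string from stat -c %a.
#   unmapped  owner shows as the overflow uid: no uid in this namespace owns it
#   owner-rw  caller owns it and the owner bits allow writing
#   owner-ro  caller owns it but the owner bits are read-only
#   other     caller is not the owner; only the "other" bits apply
classify_sysctl_file() {
    owner=$1 overflow=$2 euid=$3 mode=$4
    mode=${mode#"${mode%???}"}      # keep the last three octal digits
    owner_bits=${mode%??}           # the owner digit
    if [ "$owner" -eq "$overflow" ]; then
        echo unmapped
    elif [ "$owner" -eq "$euid" ]; then
        case $owner_bits in
            2|3|6|7) echo owner-rw ;;
            *)       echo owner-ro ;;
        esac
    else
        echo other
    fi
}

# sysctl_diag KEY: run the classification against the live /proc/sys.
sysctl_diag() {
    path=$(sysctl_key_to_path "$1")
    [ -e "$path" ] || { echo "$1: no such key ($path)" >&2; return 2; }
    overflow=$(cat /proc/sys/kernel/overflowuid)
    owner=$(stat -c %u "$path")
    mode=$(stat -c %a "$path")
    euid=$(id -u)
    printf '%s owner=%s mode=%s euid=%s -> %s\n' "$path" "$owner" "$mode" "$euid" \
        "$(classify_sysctl_file "$owner" "$overflow" "$euid" "$mode")"
}

# Sample calls from inside an unprivileged container (uncomment to run):
# sysctl_diag kernel.shmmax
# sysctl_diag net.ipv6.conf.all.disable_ipv6
```

Inside an affected container, sysctl_diag kernel.shmmax reports "unmapped" while the net.ipv6 key does not, which matches what the thread observes: the net tree is per network namespace and is presented as owned by that namespace's root, whereas the rest of /proc/sys keeps the host's root as owner. From the host, running host_uid_to_ns_uid 0 "$(cat /proc/$(lxc-info -n foo -p -H)/uid_map)" shows the same thing from the other side: with a map like "0 100000 65536" host uid 0 is not in the range, so nothing in the container can be its owner and the sysctl write is refused before any AppArmor policy or proc mount option is consulted.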