[lxc-users] sysctl -p no longer allowed in container

Dan Kegel dank at kegel.com
Fri Jun 6 15:15:04 UTC 2014


I guess this is in your daily ppa builds, but hasn't been released yet,
as I just updated my system from beta trusty to release,
and this bit me again.  Will the fix be in ubuntu 14.04.1?

On Tue, Apr 29, 2014 at 2:41 PM, Dan Kegel <dank at kegel.com> wrote:
> The patch you sent seems to let the container set kernel.sem,
> and my build is back to green, thanks.
>
> You should probably ignore the problem in the outer system for now -
> If I run into it again on a clean machine I'll post again.
> - Dan
>
>
> On Tue, Apr 29, 2014 at 2:20 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> Quoting Dan Kegel (dank at kegel.com):
>>> This may be a jinxed machine.  I installed it from trusty beta 2.  I
>>> should probably try again with the released version.
>>>
>>> Inside the container:
>>>
>>> /proc/self/attr/current says lxc-container-default (enforce)
>>> There's no line in syslog, and I don't have an audit/audit.log.
>>> strace shows
>>> open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCESS
>>
>> Those make sense,
>>
>>> apt-cache policy apparmor says it's not installed.
>>> Installing it says it won't start inside a container.
>>>
>>> And all this in spite of the container having apparmor off, and being able to
>>
>> Are you sure?  In what way did you turn it off?  Because it is
>> definitely on.
>>
>>> happily write to it there.
>>>
>>> I haven't been able to set that parameter in the container yet today :-(
>>>
>>> /var/log/upstart/procps.log in the container also shows
>>>   sysctl: permission denied on key 'kernel.sem'
>>> (since I put that setting into /etc/sysctl.conf)
>>>
>>> And apparmor_status inside lxc fails with permission denied on
>>> /sys/kernel/security/apparmor/profiles
>>> (which doesn't seem too surprising, but what do I know...)
>>
>> Right, but in the last email you said that you also could not
>> set the sysctl from the host, not inside a container.  That's
>> the one that worries me.  Can you show the same things for a
>> root shell on the host?

