[lxc-users] sysctl -p no longer allowed in container
Stéphane Graber
stgraber at ubuntu.com
Mon Jun 9 22:56:20 UTC 2014
On Mon, Jun 09, 2014 at 10:53:01PM +0000, Serge Hallyn wrote:
> Hi Stéphane,
>
> will commit 773bd28258371ad0058ff946c5cf94419920ffdd be in 1.0.4?
Yes, it's currently in stable-1.0 and so will be included in 1.0.4.
>
> -serge
>
> Quoting Dan Kegel (dank at kegel.com):
> > I guess this is in your daily ppa builds, but hasn't been released yet,
> > as I just updated my system from beta trusty to release,
> > and this bit me again. Will the fix be in ubuntu 14.04.1?
> >
> > On Tue, Apr 29, 2014 at 2:41 PM, Dan Kegel <dank at kegel.com> wrote:
> > > The patch you sent seems to let the container set kernel.sem,
> > > and my build is back to green, thanks.
> > >
> > > You should probably ignore the problem in the outer system for now -
> > > If I run into it again on a clean machine I'll post again.
> > > - Dan
> > >
> > >
> > > On Tue, Apr 29, 2014 at 2:20 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > >> Quoting Dan Kegel (dank at kegel.com):
> > >>> This may be a jinxed machine. I installed it from trusty beta 2. I
> > >>> should probably try again with the released version.
> > >>>
> > >>> Inside the container:
> > >>>
> > >>> /proc/self/attr/current says lxc-container-default (enforce)
> > >>> There's no line in syslog, and I don't have an audit/audit.log.
> > >>> strace shows
> > >>> open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCESS
> > >>
> > >> Those make sense,
> > >>
> > >>> apt-cache policy apparmor says it's not installed.
> > >>> Installing it says it won't start inside a container.
> > >>>
> > >>> And all this in spite of the container having apparmor off, and being able to
> > >>
> > >> Are you sure? In what way did you turn it off? Because it is
> > >> definately on.
> > >>
> > >>> happily write to it there.
> > >>>
> > >>> I haven't been able to set that parameter in the container yet today :-(
> > >>>
> > >>> /var/log/upstart/procps.log in the container also shows
> > >>> sysctl: permission denied on key 'kernel.sem'
> > >>> (since I put that setting into /etc/sysctl.conf)
> > >>>
> > >>> And apparmor_status inside lxc fails with permission denied on
> > >>> /sys/kernel/security/apparmor/profiles
> > >>> (which doesn't seem too surprising, but what do I know...)
> > >>
> > >> Right, but in the last email you said that you also could not
> > >> set the sysctl from the host, not inside a container. That's
> > >> the one that worries me. Can you show the same things for a
> > >> root shell on the host?
> > >> _______________________________________________
> > >> lxc-users mailing list
> > >> lxc-users at lists.linuxcontainers.org
> > >> http://lists.linuxcontainers.org/listinfo/lxc-users
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140609/6d32eba0/attachment.sig>
More information about the lxc-users
mailing list