[lxc-users] sysctl -p no longer allowed in container

Stéphane Graber stgraber at ubuntu.com
Mon Jun 9 22:56:20 UTC 2014


On Mon, Jun 09, 2014 at 10:53:01PM +0000, Serge Hallyn wrote:
> Hi Stéphane, 
> 
> will commit 773bd28258371ad0058ff946c5cf94419920ffdd be in 1.0.4?

Yes, it's currently in stable-1.0 and so will be included in 1.0.4.

> 
> -serge
> 
> Quoting Dan Kegel (dank at kegel.com):
> > I guess this is in your daily ppa builds, but hasn't been released yet,
> > as I just updated my system from beta trusty to release,
> > and this bit me again.  Will the fix be in ubuntu 14.04.1?
> > 
> > On Tue, Apr 29, 2014 at 2:41 PM, Dan Kegel <dank at kegel.com> wrote:
> > > The patch you sent seems to let the container set kernel.sem,
> > > and my build is back to green, thanks.
> > >
> > > You should probably ignore the problem in the outer system for now -
> > > If I run into it again on a clean machine I'll post again.
> > > - Dan
> > >
> > >
> > > On Tue, Apr 29, 2014 at 2:20 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > >> Quoting Dan Kegel (dank at kegel.com):
> > >>> This may be a jinxed machine.  I installed it from trusty beta 2.  I
> > >>> should probably try again with the released version.
> > >>>
> > >>> Inside the container:
> > >>>
> > >>> /proc/self/attr/current says lxc-container-default (enforce)
> > >>> There's no line in syslog, and I don't have an audit/audit.log.
> > >>> strace shows
> > >>> open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCESS
> > >>
> > >> Those make sense,
> > >>
> > >>> apt-cache policy apparmor says it's not installed.
> > >>> Installing it says it won't start inside a container.
> > >>>
> > >>> And all this in spite of the container having apparmor off, and being able to
> > >>
> > >> Are you sure?  In what way did you turn it off?  Because it is
> > >> definitely on.
> > >>
> > >>> happily write to it there.
> > >>>
> > >>> I haven't been able to set that parameter in the container yet today :-(
> > >>>
> > >>> /var/log/upstart/procps.log in the container also shows
> > >>>   sysctl: permission denied on key 'kernel.sem'
> > >>> (since I put that setting into /etc/sysctl.conf)
> > >>>
> > >>> And apparmor_status inside lxc fails with permission denied on
> > >>> /sys/kernel/security/apparmor/profiles
> > >>> (which doesn't seem too surprising, but what do I know...)
> > >>
> > >> Right, but in the last email you said that you also could not
> > >> set the sysctl from the host, not inside a container.  That's
> > >> the one that worries me.  Can you show the same things for a
> > >> root shell on the host?
> > >> _______________________________________________
> > >> lxc-users mailing list
> > >> lxc-users at lists.linuxcontainers.org
> > >> http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
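The checks Dan ran by hand above (read the confining label from /proc/self/attr/current, then attempt the write that sysctl(8) performs) collected into one POSIX sh diagnostic. This is an added example, not a script from the thread or from the LXC project; the function names and the optional base-directory argument (used so the logic can be exercised against a scratch directory instead of the real /proc/sys) are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report whether a sysctl key is
# writable from inside the current confinement and which AppArmor label
# applies, so "permission denied on key" can be tied to a profile.
# Usage: check_sysctl_key kernel.sem "250 32000 32 128" [/proc/sys]

# Label confining this shell, e.g. "lxc-container-default (enforce)".
# Falls back to "unknown" when the attribute cannot be read.
apparmor_label() {
    if [ -r /proc/self/attr/current ]; then
        cat /proc/self/attr/current 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Map a dotted key (kernel.sem) to its file under base dir $2 (default /proc/sys).
key_to_path() {
    base=${2:-/proc/sys}
    printf '%s/%s\n' "$base" "$(printf '%s' "$1" | tr . /)"
}

# Try the write the way sysctl(8) does: open the key for writing, write the value.
# Exit status: 0 written, 1 key does not exist, 2 write refused (EACCES/EPERM).
check_sysctl_key() {
    key=$1; value=$2; base=${3:-/proc/sys}
    path=$(key_to_path "$key" "$base")
    if [ ! -e "$path" ]; then
        echo "$key: no such key ($path)"
        return 1
    fi
    # stderr is silenced before the open so a refused open prints nothing.
    if printf '%s\n' "$value" 2>/dev/null > "$path"; then
        echo "$key: writable under label '$(apparmor_label)'"
        return 0
    fi
    echo "$key: write refused under label '$(apparmor_label)';" \
         "inspect the AppArmor profile and /var/log/upstart/procps.log"
    return 2
}
```

Run it as root inside the container for kernel.sem; a status of 2 with an enforcing lxc-container-default label points at the profile rather than at file permissions.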