[lxc-users] Overcommit and kernel isolation
Dwight Engen
dwight.engen at oracle.com
Mon Oct 13 14:40:50 UTC 2014
On Thu, 9 Oct 2014 16:05:19 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Bertrand Paquet (bertrand.paquet at gmail.com):
> > Hi all,
> >
> > I have noticed that changing the overcommit
> > (/proc/sys/vm/overcommit_memory) mode inside a container changes the
> > overcommit mode of the host. Is it normal?
>
> Yes, sadly those are not namespaced. The apparmor (and hopefully
> selinux, I'm not sure because I'm not sure what the selinux type on that
> file is) profiles don't allow writing to those.
Yep, the selinux policy doesn't allow lxc_t to write to sysctl_vm_t
either.
> > For /proc/sys/kernel/shmmax, the value seems to be local to the
> > container.
> >
> > Regards,
> >
> > Bertrand
> >
> > PS : my LXC version : 1.0.1
>
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>