[lxc-users] Enabling sys_nice in a privileged container
Peter Steele
pwsteele at gmail.com
Sun Sep 6 21:07:27 UTC 2015
On 09/05/2015 10:35 AM, Peter Steele wrote:
> I have a privileged container that runs ctdb and needs to have real
> time scheduling enabled. The error reported by ctdb is:
>
> Sep 05 10:27:05 pws-01-vm-05 systemd[1]: Starting CTDB...
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1598]: CTDB starting on node
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: Starting CTDBD (Version
> 2.5.4) as PID: 1599
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: Created PID file
> /run/ctdb/ctdbd.pid
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: Unable to set scheduler to
> SCHED_FIFO (Operation not permitted)
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: CTDB daemon shutting down
>
> Apparently. my container is dropping the sys_nice capability which is
> needed for real time scheduling. I thought I could just add the line
>
> lxc.cap.keep = sys_nice
>
> but this has the side effect of dropping all capabilities except this
> one so that just made things worse. What is the correct way to enable
> a specific capability for a container?
>
> I'm running CentOS 7 and am using a custom template. By config is
> pretty basic with just the following parameters defined:
>
> lxc.tty = 4
> lxc.pts = 1024
> lxc.utsname = test
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.veth.pair = veth-test
> lxc.network.hwaddr = 00:16:3e:16:ef:32
> lxc.rootfs = /lxc/test
>
> Peter
>
For what it's worth, I hit this very same problem when we were using
libvirt-lxc containers. In that case though the containers did have
sys_nice enabled but were still unable to schedule real time jobs
because by default libvirt doesn't give any real time bandwidth to
containers. This is defined by the cgroup parameter
/sys/fs/cgroup/cpu/cpu.rt_runtime_us
This is zero by default for libvirt containers, and setting this solved
the CTDB issue. LXC containers *do* set this parameter though, so the
error in this case is because sys_nice has been dropped for the
containers. Or at least that's my assumption. The underlying call being
made is pthread_create, and our own real-time threads are failing as
well with the same "operation not permitted" error. So the containers
are clearly lacking the required permissions.
More information about the lxc-users
mailing list