[lxc-users] Enabling sys_nice in a privileged container

Serge Hallyn serge.hallyn at ubuntu.com
Mon Sep 7 14:56:02 UTC 2015


Quoting Peter Steele (pwsteele at gmail.com):
> I have a privileged container that runs ctdb and needs to have real
> time scheduling enabled. The error reported by ctdb is:
> 
> Sep 05 10:27:05 pws-01-vm-05 systemd[1]: Starting CTDB...
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1598]: CTDB starting on node
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: Starting CTDBD (Version
> 2.5.4) as PID: 1599
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: Created PID file
> /run/ctdb/ctdbd.pid
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: Unable to set scheduler to
> SCHED_FIFO (Operation not permitted)
> Sep 05 10:27:06 pws-01-vm-05 ctdbd[1599]: CTDB daemon shutting down
> 
> Apparently, my container is dropping the sys_nice capability which
> is needed for real time scheduling. I thought I could just add the
> line
> 
> lxc.cap.keep = sys_nice
> 
> but this has the side effect of dropping all capabilities except
> this one so that just made things worse. What is the correct way to
> enable a specific capability for a container?

You shouldn't need to do anything other than make sure that
sys_nice isn't in any lxc.cap.drop line.

You can use 'capsh --print' to verify that you have the cap.

> I'm running CentOS 7 and am using a custom template. My config is
> pretty basic with just the following parameters defined:
> 
> lxc.tty = 4
> lxc.pts = 1024
> lxc.utsname = test
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.veth.pair = veth-test
> lxc.network.hwaddr = 00:16:3e:16:ef:32
> lxc.rootfs = /lxc/test

Is this the config you passed to lxc-create, or the full final
configuration?
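The two checks in the reply, as an added example that is not code from the post or from LXC: one function reads a container config the way LXC treats lxc.cap.drop (a drop list, possibly spread over several lines) and lxc.cap.keep (an allow-list that drops everything not listed, which is the side effect the poster hit), and another parses the Current: line of capsh --print. The config and capsh lines are constructed samples.

```shell
#!/bin/sh
# Added example: check an LXC config for a capability and parse capsh --print.

# Constructed sample config: sys_nice is dropped on a second lxc.cap.drop line.
SAMPLE_CONF='lxc.tty = 4
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop=sys_nice
lxc.rootfs = /lxc/test'

# Constructed first line of `capsh --print` (older libcap layout); no sys_nice.
SAMPLE_CAPSH='Current: = cap_chown,cap_kill,cap_sys_admin+ep'

# cap_listed CONF KEY CAP: 0 if CAP appears on any "KEY = a b c" line of CONF
cap_listed() {
    printf '%s\n' "$1" | awk -v key="$2" -v cap="$3" '
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            $0 = substr($0, n + 1)          # re-split the value into fields
            for (i = 1; i <= NF; i++) if ($i == cap) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# cap_allowed_by_conf CONF CAP: 0 if the config leaves CAP in the container.
# Once any lxc.cap.keep line exists, only the listed caps survive; otherwise
# the cap is present unless some lxc.cap.drop line names it.
cap_allowed_by_conf() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*lxc\.cap\.keep[[:space:]]*='; then
        cap_listed "$1" lxc.cap.keep "$2"
    else
        ! cap_listed "$1" lxc.cap.drop "$2"
    fi
}

# cap_in_capsh OUTPUT CAP: 0 if cap_CAP is in the "Current:" set printed by capsh.
# Handles "= cap_a,cap_b+ep" (older libcap), "cap_a,cap_b=ep" and the "=ep"
# shorthand newer libcap prints when every capability is held.
cap_in_capsh() {
    cur=$(printf '%s\n' "$1" | sed -n 's/^Current:[[:space:]]*//p')
    [ "$cur" = "=ep" ] && return 0
    printf '%s\n' "$cur" | sed 's/^=[[:space:]]*//' | tr ', ' '\n\n' \
        | sed 's/[+=].*//' | grep -qx "cap_$2"
}

cap_allowed_by_conf "$SAMPLE_CONF" sys_nice || echo "config drops sys_nice"
cap_in_capsh "$SAMPLE_CAPSH" sys_nice || echo "capsh: sys_nice not in Current set"
```

On a live system, feed the container's full final config to cap_allowed_by_conf and the output of capsh --print run inside the container to cap_in_capsh.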