[lxc-users] Capabilities (mlock) in unprivileged containers
Fajar A. Nugraha
list at fajar.net
Tue Sep 13 07:29:17 UTC 2016
On Tue, Sep 13, 2016 at 3:38 AM, Gregory Lutostanski <
gregory.lutostanski at canonical.com> wrote:
> Hey all.
>
> Curious if anyone has experience with getting capabilities working in
> unprivileged containers. In particular I am trying to get mlock working...
>
>
It should work. With a catch.
> Everything works as expected running in an unprivileged container. For the
> lxc.cap.drop is the default (mac_admin mac_override sys_time sys_module
> sys_rawio) I believe. So I would think that it would work as is... But it
> doesn't. I know nothing about capabilities other than "man capabilities". I
> would like it to work for running Vault in an unprivileged lxc (
> https://www.vaultproject.io/docs/config/index.html#disable_mlock) or is
> that just crazy?
>
> Is there some set of apparmor/privileges I can grant to the container
> other than going fully privileged that would cover this?
>
> If anyone is curious I am running this test to see if it works as
> expected...
> https://github.com/linux-test-project/ltp/releases/tag/20160510
> (ltp-full-20160510/testcases/kernel/syscalls/mlock/mlock01.c)
>
> Any input (even generic points in the right direction would be helpful).
>
>
Run "ulimit -l" from the container's shell, and then see
https://github.com/lxc/lxd/issues/745 (in particular,
https://github.com/lxc/lxd/issues/745#issuecomment-114077972)
https://www.freedesktop.org/software/systemd/man/systemd.exec.html (look
for LimitMEMLOCK)
Adjust as needed, restart lxd. Should work.
I've tested mlock 32k memory in unpriv container, which works. Haven't
personally tried adjusting the limit though.
--
Fajar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160913/4cc9e5ea/attachment.html>
More information about the lxc-users
mailing list