[lxc-users] not allowed to change kernel parameters inside container

Saint Michael venefax at gmail.com
Mon May 27 13:08:23 UTC 2019


I thought I did start the containers as privileged:

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.mount.auto=
lxc.mount.auto=proc:rw sys:rw cgroup:rw
lxc.apparmor.profile=unconfined
lxc.tty.max = 10
lxc.pty.max = 1024
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
lxc.cgroup.devices.allow = b 7:* rwm    # loop*
lxc.cgroup.devices.allow = c 10:229 rwm #fuse
lxc.cgroup.devices.allow = c 10:200 rwm #docker
lxc.cgroup.devices.allow= a
lxc.cap.drop=
lxc.cgroup.devices.deny=
lxc.autodev= 1
lxc.hook.autodev = sh -c 'mknod ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 229'

On Mon, May 27, 2019 at 9:03 AM Jäkel, Guido <G.Jaekel at dnb.de> wrote:

> Because
>
> * your Container is not started as a privileged one?
> * you let bind-mount /sys readonly?
>
> Guido
>
> >-----Original Message-----
> >From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On Behalf Of Saint Michael
> >Sent: Monday, May 27, 2019 1:49 PM
> >To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> >Subject: Re: [lxc-users] not allowed to change kernel parameters inside container
> >
> >The issue that kills me is why I can change some kernel parameters, but not for example
> >[...]
> >
> >Any idea?
> >
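The two questions in the quoted reply (is the container privileged, is /sys mounted read-only) can be checked against a config like the one posted. The following is an added example, not part of the original message or of the LXC project's code; it assumes LXC's behaviour that an empty assignment (`key =`) clears what the key held before, and `SAMPLE`, `effective` and `review` are hypothetical names.

```python
# Added example: resolve an LXC config for the two questions raised in the thread.
# Assumption: an empty assignment ("key =") clears what the key held before.

SAMPLE = """\
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.mount.auto=
lxc.mount.auto=proc:rw sys:rw cgroup:rw
lxc.apparmor.profile=unconfined
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow= a
lxc.cap.drop=
lxc.cgroup.devices.deny=
"""  # constructed: a subset of the lines posted in the message

def effective(text):
    """Return {key: [values]} after applying empty-assignment resets."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            conf[key] = []          # reset: earlier values are discarded
        else:
            conf.setdefault(key, []).append(value)
    return conf

def review(text):
    """List findings relevant to sysctl access and to host isolation."""
    conf = effective(text)
    notes = []
    if conf.get("lxc.include"):
        notes.append("includes not resolved: " + ", ".join(conf["lxc.include"]))
    if not conf.get("lxc.idmap"):
        notes.append("no lxc.idmap here: no user-namespace mapping in this file")
    mounts = " ".join(conf.get("lxc.mount.auto", [])).split()
    for fs in ("proc", "sys"):
        modes = [m for m in mounts if m == fs or m.startswith(fs + ":")]
        notes.append(f"{fs} automount: {modes[-1] if modes else 'not set here'}")
    if "unconfined" in conf.get("lxc.apparmor.profile", []):
        notes.append("AppArmor profile is unconfined")
    if conf.get("lxc.cap.drop") == []:
        notes.append("lxc.cap.drop cleared: earlier drops discarded")
    if "a" in conf.get("lxc.cgroup.devices.allow", []):
        notes.append("devices.allow = a: all device nodes permitted")
    return notes

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

The included file is only reported, not read, so settings it contributes before the resets are not reflected in the output.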

