[lxc-users] not allowed to change kernel parameters inside container

Saint Michael venefax at gmail.com
Tue May 28 05:35:28 UTC 2019


This
"host and container can't have services run on the same port (e.g. if you
want sshd on both host and container, you need to change the listening port
for one of them)"
is untrue.
Each container in my case has a different IP address, the host has another
one, and I run SSHD inside each container just fine.

On Mon, May 27, 2019 at 10:00 PM Fajar A. Nugraha <list at fajar.net> wrote:

> On Mon, May 27, 2019 at 8:11 PM Saint Michael <venefax at gmail.com> wrote:
>
>> I thought I did start the containers as privileged:
>>
>> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>> lxc.mount.auto=
>> lxc.mount.auto=proc:rw sys:rw cgroup:rw
>> lxc.apparmor.profile=unconfined
>> lxc.tty.max = 10
>> lxc.pty.max = 1024
>> lxc.cgroup.devices.allow = c 1:3 rwm
>> lxc.cgroup.devices.allow = c 1:5 rwm
>> lxc.cgroup.devices.allow = c 5:1 rwm
>> lxc.cgroup.devices.allow = c 5:0 rwm
>> lxc.cgroup.devices.allow = c 4:0 rwm
>> lxc.cgroup.devices.allow = c 4:1 rwm
>> lxc.cgroup.devices.allow = c 1:9 rwm
>> lxc.cgroup.devices.allow = c 1:8 rwm
>> lxc.cgroup.devices.allow = c 136:* rwm
>> lxc.cgroup.devices.allow = c 5:2 rwm
>> lxc.cgroup.devices.allow = c 254:0 rwm
>> lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
>> lxc.cgroup.devices.allow = b 7:* rwm    # loop*
>> lxc.cgroup.devices.allow = c 10:229 rwm #fuse
>> lxc.cgroup.devices.allow = c 10:200 rwm #docker
>> lxc.cgroup.devices.allow= a
>> lxc.cap.drop=
>> lxc.cgroup.devices.deny=
>> lxc.autodev= 1
>> lxc.hook.autodev = sh -c 'mknod ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 229'
>>
>
>
> Following Stephane's suggestion works on my test vm. You didn't do so,
> thus it didn't work.
>
> ###
> # Distribution configuration
> lxc.include = /usr/share/lxc/config/common.conf
> lxc.arch = x86_64
>
> # Container specific configuration
> lxc.rootfs.path = dir:/var/lib/lxc/c7-ul/rootfs
> lxc.uts.name = c7-ul
>
> lxc.net.0.type = none
> lxc.mount.auto=
> lxc.mount.auto=proc:rw sys:rw cgroup:rw
> lxc.apparmor.profile=unconfined
> ###
>
> ###
> c7-ul / # sysctl --system
> * Applying /usr/lib/sysctl.d/00-system.conf ...
> * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
> kernel.yama.ptrace_scope = 0
> * Applying /usr/lib/sysctl.d/50-default.conf ...
> kernel.sysrq = 16
> kernel.core_uses_pid = 1
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv4.conf.default.promote_secondaries = 1
> net.ipv4.conf.all.promote_secondaries = 1
> fs.protected_hardlinks = 1
> fs.protected_symlinks = 1
> * Applying /etc/sysctl.d/99-sysctl.conf ...
> * Applying /etc/sysctl.d/net.conf ...
> net.core.rmem_max = 67108864
> net.core.wmem_max = 33554432
> net.core.rmem_default = 31457280
> net.core.wmem_default = 31457280
> * Applying /etc/sysctl.conf ...
>
> c7-ul / # cat /proc/sys/net/core/rmem_max
> 67108864
> ###
>
>
> Of course as warned earlier, host networking brings along some quirks. For
> instance:
> - host and container can't have services run on the same port (e.g. if you
> want sshd on both host and container, you need to change the listening port
> for one of them)
> - do not configure networking on the container (ONBOOT=no should be enough
> on your container's eth config)
> - absolutely do not run "reboot", "init 6", or "poweroff" on the
> container. At the very least, it will cause the host's eth0 to go down.
> "reboot -f" on the container should work nicely though.
>
> --
> Fajar
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
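Added example, not part of either message above: the quoted configs hand the container host-level power (no lxc.idmap, AppArmor unconfined, sys:rw, every device node allowed, cap.drop cleared), and lxc.net.0.type = none is exactly why sysctl --system inside c7-ul changed net.core.rmem_max on the host's network stack. The POSIX sh audit below reads an LXC config and reports each of those settings, applying LXC's last-assignment-wins rule. The two config files are constructed samples modelled on the thread (the "hardened" one uses the stock userns.conf, a 100000/65536 idmap and the lxc-container-default-cgns profile); the function names and the FINDING: output format are my own.

```sh
#!/bin/sh
# Audit an LXC container config for settings that give the container
# host-level privileges. Added example; not code from the lxc-users thread.

# Constructed sample 1: the shape of the configs quoted in the thread.
WEAK_CONF="$(mktemp)"
cat >"$WEAK_CONF" <<'EOF'
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = x86_64
lxc.rootfs.path = dir:/var/lib/lxc/c7-ul/rootfs
lxc.uts.name = c7-ul
lxc.net.0.type = none
lxc.mount.auto=
lxc.mount.auto=proc:rw sys:rw cgroup:rw
lxc.apparmor.profile=unconfined
lxc.cgroup.devices.allow = c 10:229 rwm #fuse
lxc.cgroup.devices.allow= a
lxc.cap.drop=
EOF

# Constructed sample 2: an unprivileged container with its own netns.
HARDENED_CONF="$(mktemp)"
cat >"$HARDENED_CONF" <<'EOF'
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.apparmor.profile = lxc-container-default-cgns
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Normalise "key = value # comment" lines to "key=value", dropping blanks.
lxc_kv() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Value of the LAST assignment to a key: LXC lets later lines override
# earlier ones, which is why "lxc.mount.auto=" followed by
# "lxc.mount.auto=proc:rw sys:rw cgroup:rw" ends up as the rw set.
last_value() { lxc_kv "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-; }
has_key()    { lxc_kv "$1" | grep -q "^$2="; }

# Prints one FINDING: line per weak setting; return status = finding count.
audit_lxc_config() {
    conf="$1"
    findings=0
    report() { findings=$((findings + 1)); printf 'FINDING: %s\n' "$1"; }

    if ! has_key "$conf" lxc.idmap; then
        report "no lxc.idmap: privileged container, uid 0 inside is uid 0 on the host"
    fi
    if [ "$(last_value "$conf" lxc.net.0.type)" = "none" ]; then
        report "lxc.net.0.type=none: shares the host network namespace; net.* sysctls set inside apply to the host"
    fi
    case " $(last_value "$conf" lxc.mount.auto) " in
        *" sys:rw "*) report "lxc.mount.auto has sys:rw: /sys is writable from the container" ;;
    esac
    if [ "$(last_value "$conf" lxc.apparmor.profile)" = "unconfined" ]; then
        report "lxc.apparmor.profile=unconfined: no AppArmor confinement"
    fi
    if [ "$(last_value "$conf" lxc.cgroup.devices.allow)" = "a" ]; then
        report "lxc.cgroup.devices.allow=a: every host device node is accessible"
    fi
    # An empty lxc.cap.drop clears the list that common.conf drops
    # (sys_module, sys_rawio, mac_admin, ...); a later non-empty line
    # would re-populate it, so only flag when the final value is empty.
    if has_key "$conf" lxc.cap.drop && [ -z "$(last_value "$conf" lxc.cap.drop)" ]; then
        report "lxc.cap.drop cleared: capabilities dropped by common.conf are restored"
    fi
    return "$findings"
}

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '== %s ==\n' "$f"
    audit_lxc_config "$f" || printf '%d weak setting(s)\n' "$?"
done
```

Run it against /var/lib/lxc/<name>/config (or the container's lxc.conf) to see which of the quoted settings a config carries; the weak sample reports six findings and the hardened one none. The checks only look at the file itself, so settings pulled in by lxc.include are not evaluated.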