On 06/09/2012 06:38 AM, Fajar A. Nugraha wrote:
> On Fri, Jun 8, 2012 at 8:47 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
>> On 06/08/2012 04:27 AM, Fajar A. Nugraha wrote:
>>> On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano <daniel.lezc...@free.fr> 
>>> wrote:
>>>> On 06/07/2012 12:45 PM, Jan Den Ouden wrote:
>>>>> Hi,
>>>>>
>>>>> About a week ago I posted exactly the same question on this list, but I
>>>>> didn't get any responses. I have googled high and low for the answer to
>>>>> this, but no result. It's not related to capabilities, because you can 
>>>>> only
>>>>> drop capabilities, not add them. It's not related to the cgroup memory
>>>>> controller, because that seems to deal with total memory, not shared
>>>>> memory. Therefore, I think it's a bug.
>>>>
>>>> I tried on a 3.0.0 kernel version and that works. Isn't possible this is
>>>> related to app armor ?
>>>
>>> Yep, that should be it, as with apparmor disabled the following works
>>> on a guest container in my test system
>>>
>>> # cat /proc/sys/kernel/shmmax
>>> 33554432
>>> # echo 335544320 > /proc/sys/kernel/shmmax
>>> # cat /proc/sys/kernel/shmmax
>>> 335544320
>>>
>>> However, the apparmor problem might not seem obvious because there's no
>>> apparmor warning in syslog when you try to set shmmax with apparmor
>>> enabled. Also:
>>> (1) If you ONLY uncomment "lxc.aa_profile=unconfined" (with apparmor
>>> still enabled), lxc-start failed with
>>> lxc-start: No such file or directory - failed to change apparmor
>>> profile to unconfined
>>> (2) If you ONLY add /etc/apparmor.d/usr.bin.lxc-start symlink to
>>> /etc/apparmor.d/disable, you'd still get permission denied error
>>> (3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor
>>> teardown), lxc-start failed with
>>> lxc-start: No such file or directory - failed to change apparmor
>>> profile to lxc-container-default
>>> (4) Combining (1) and (2), or (1) and (3), you can set shmmax from
>>> inside the guest container
>>>
>>> so there's probably still a bug (or more) in ubuntu's apparmor-lxc combo.
>>
>> Please reboot your machine ;) the unconfined profile problem (giving you
>> the No such file or directory) was a kernel bug and was fixed a couple
>> of weeks ago, letting me think you're running an out of date kernel.
> 
> Probably. Although there's no "please restart to complete update"
> warning on my desktop. It's not really urgent for me though, so I'll
> just reboot later when possible.
> 
> Thanks for letting me know that this is a fixed issue.
> 
>>
>> As for shmmax, it's simply not whitelisted at the moment as it wasn't in
>> the list of known-safe container aware proc entries, we probably should
>> whitelist it (after doing some extra checking).
> 
> BTW, I thought that all blocking done by selinux would show up in
> syslog? Am I looking at the wrong place?
> 
> If there were a warning on syslog, the OP would've probably been able
> to solve their problem by themselves earlier.

The default profile in 12.04 contains explicit "deny" rules that silence
the output to dmesg. Only entries that we don't know about and haven't
explicitly blocked will be rejected and logged in dmesg.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

Attachment: signature.asc
Description: OpenPGP digital signature
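Added example (not from this thread, and not LXC's or Ubuntu's code), illustrating Stéphane's last point: an explicit AppArmor "deny" rule rejects the access without logging anything, whereas an "audit deny" rule, or a path that no rule covers at all, leaves an apparmor="DENIED" record in the kernel log. The profile excerpt, the kernel-log lines and the helper names (rules_for_path, denials_for_path, explain_write) are constructed for this example; they are not the contents of the real lxc-container-default profile.

```sh
#!/bin/sh
# Added example, not code from the lxc-users thread or from LXC itself.
# It shows why a denied /proc/sys write inside a container may leave no trace
# in dmesg: an explicit AppArmor "deny" rule is quiet by default, while an
# "audit deny" rule or a path with no matching rule at all is logged.
# The profile excerpt, the kernel-log lines and the function names below are
# constructed for this example (assumptions, not taken from Ubuntu's real
# lxc-container-default profile).
set -f   # no pathname expansion: rule globs such as /proc/sys/net/** stay literal

# Constructed stand-in for a container profile (assumption).
SAMPLE_PROFILE='
  # explicit deny rules reject the access silently
  deny @{PROC}/sys/kernel/shmmax w,
  deny @{PROC}/sys/kernel/shmall w,
  # the audit prefix makes the same rejection show up in the kernel log
  audit deny @{PROC}/sys/kernel/shm_rmid_forced w,
  # whitelisted entries
  @{PROC}/sys/net/** rw,
'

# Constructed kernel-log excerpt (assumption): the audited deny and a path with
# no rule at all are logged; the quiet deny of shmmax is not.
SAMPLE_DMESG='
[  100.000001] type=1400 audit(1339242000.123:45): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sys/kernel/shm_rmid_forced" pid=4242 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[  100.000002] type=1400 audit(1339242000.456:46): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sys/vm/drop_caches" pid=4243 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
'

# rules_for_path PROFILE_TEXT PATH: print every rule covering PATH as
# "deny|allow audit=yes|no GLOB", after expanding @{PROC} to /proc.
# Shell case patterns stand in for AppArmor globbing; sh's '*' also crosses '/',
# so this is an approximation that is adequate for /proc/sys lookups.
rules_for_path() {
    profile=$1; path=$2
    printf '%s\n' "$profile" | sed 's|@{PROC}|/proc|g' | while IFS= read -r line; do
        set -- $line                        # word-split: [audit] [deny] GLOB MODE,
        case "$1" in ''|'#'*) continue ;; esac
        mode=allow; audit=no
        [ "$1" = audit ] && { audit=yes; shift; }
        [ "$1" = deny ]  && { mode=deny;  shift; }
        case "$path" in $1) printf '%s audit=%s %s\n' "$mode" "$audit" "$1" ;; esac
    done
}

# denials_for_path LOG_TEXT PATH: print the AppArmor DENIED records for PATH.
denials_for_path() {
    printf '%s\n' "$1" | grep -F 'apparmor="DENIED"' | grep -F "name=\"$2\"" || :
}

# explain_write PROFILE_TEXT LOG_TEXT PATH: classify a failed write to PATH.
#   silent-deny  - an explicit deny rule matched; nothing was logged
#   logged-deny  - denied and visible in the log (audit deny, or no rule at all)
#   allowed      - an allow rule covers the path; look elsewhere for the failure
explain_write() {
    rules=$(rules_for_path "$1" "$3") || :
    logged=$(denials_for_path "$2" "$3")
    case "$rules" in
        *'deny audit=no'*)  [ -z "$logged" ] && echo silent-deny || echo logged-deny ;;
        *'deny audit=yes'*) echo logged-deny ;;
        *allow*)            echo allowed ;;
        *)                  [ -n "$logged" ] && echo logged-deny || echo unknown ;;
    esac
}

for p in /proc/sys/kernel/shmmax /proc/sys/kernel/shm_rmid_forced \
         /proc/sys/vm/drop_caches /proc/sys/net/ipv4/ip_forward; do
    printf '%-38s %s\n' "$p" "$(explain_write "$SAMPLE_PROFILE" "$SAMPLE_DMESG" "$p")"
done
```

Run it with sh and each of the four constructed paths is classified. On a real host the equivalent check is: attempt the write from inside the container, then run dmesg | grep 'apparmor="DENIED"' on the host. If the write fails and nothing shows up, look for a quiet "deny" rule covering the entry in the container's profile; changing it to "audit deny" (and reloading with apparmor_parser -r) makes the rejection visible while you debug, and removing it lets the fallback rejection log as Stéphane describes.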

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
