Lock lxd container memory
I am trying to mmap a DMA memory region into the userspace of an application running in an LXD container.

My mmap request is failing with the error EAGAIN.

In Docker, the mmap is successful whenever the container is launched with the capability IPC_LOCK.

Is there a similar container config option in LXD?

I suspect you’d need a privileged container for that.
LXD containers have all capabilities enabled out of the box, but those are restricted by the kernel to what’s owned by the user namespace inside of unprivileged containers.

Docker containers are effectively always privileged in that regard; they just have some capabilities or other permissions stripped away.
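The following diagnostic is an added example, not code from this thread or from the LXD project. It assumes Linux with glibc and an anonymous mapping as a stand-in for the DMA region. It shows the two things the kernel checks before a locked mapping is allowed: the RLIMIT_MEMLOCK ceiling and whether CAP_IPC_LOCK is effective. The kernel's check for the lock limit tests the capability against the initial user namespace, which is why CapEff can show CAP_IPC_LOCK inside an unprivileged container and mmap with MAP_LOCKED can still fail with EAGAIN once the limit is exceeded (EPERM when the limit is zero). The CAP_IPC_LOCK bit index (14) is the value from linux/capability.h.

```c
// Diagnostic for "mmap failed with EAGAIN" inside a container (added example).
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

#define CAP_IPC_LOCK_BIT 14  /* CAP_IPC_LOCK index from linux/capability.h */

/* Return 1 if a hex capability mask in the format printed by
 * /proc/self/status (e.g. "0000003fffffffff") has CAP_IPC_LOCK set. */
int cap_mask_has_ipc_lock(const char *hex)
{
    unsigned long long mask = strtoull(hex, NULL, 16);
    return (int)((mask >> CAP_IPC_LOCK_BIT) & 1ULL);
}

/* Read the CapEff line of /proc/self/status. Returns 1/0, or -1 if the
 * file cannot be read. Note: this reflects the calling process's own user
 * namespace, not the initial one the kernel consults for mlock limits. */
int effective_ipc_lock(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = cap_mask_has_ipc_lock(line + 7); /* strtoull skips the tab */
            break;
        }
    }
    fclose(f);
    return result;
}

/* Current RLIMIT_MEMLOCK soft limit in bytes, or -1 for unlimited. */
long long memlock_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return -1;
    return rl.rlim_cur == RLIM_INFINITY ? -1 : (long long)rl.rlim_cur;
}

/* Try an anonymous MAP_LOCKED mapping of len bytes. Returns 0 on success or
 * the errno mmap reported: EAGAIN when the lock would exceed RLIMIT_MEMLOCK
 * without CAP_IPC_LOCK in the initial user namespace, EPERM when the limit
 * is 0, EINVAL for a zero-length request. */
int try_locked_mmap(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_LOCKED, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, len);
    return 0;
}

int main(void)
{
    long long limit = memlock_limit();
    printf("RLIMIT_MEMLOCK: %lld bytes (-1 = unlimited)\n", limit);
    printf("CAP_IPC_LOCK in CapEff (own namespace): %d\n", effective_ipc_lock());

    /* One page should lock unless the limit is 0 or already exhausted. */
    int r = try_locked_mmap(4096);
    printf("MAP_LOCKED 4096 bytes: %s\n", r ? strerror(r) : "ok");

    /* One page beyond the limit reproduces the EAGAIN the thread describes
     * whenever CAP_IPC_LOCK is not effective in the initial namespace. */
    if (limit >= 0) {
        r = try_locked_mmap((size_t)limit + 4096);
        printf("MAP_LOCKED limit+4096 bytes: %s\n", r ? strerror(r) : "ok");
    }
    return 0;
}
```

Run it inside the unprivileged container and again in a privileged one: the CapEff line can read the same in both, while only the privileged run lets the over-limit mapping succeed, which matches the behaviour reported in this thread. Raising RLIMIT_MEMLOCK (via `ulimit -l` or the container's limits) is the only lever that works without CAP_IPC_LOCK, and it only helps if the DMA region fits under that limit.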

Yes, with a privileged container the mmap works, thanks.

Can you please suggest if there is any other way to make it work in an unprivileged container?

I don’t believe there is. This may be something that could eventually be done through system call interception, but that may get unpleasant very quickly, as syscall interception isn’t particularly fast, so getting that in the memory access path would be problematic.