Proc/sys change in unprivilege container

norrarvid · 2017-11-08 15:25:09 UTC

I am trying to change the value of /proc/sys/fs/mqueue/msgsize_max for an unprivileged LXC container (not LXD) running on Ubuntu 17.10 without any success.
Changing lxc.mount.auto proc:mixed to proc:rw and changing the value inside the container echo 5000 > /proc/sys/fs/mqueue/msgsize_max ; gives Permission denied
I have also tried to mount the content of the proc value from the host:
lxc.mount.entry = /proc/sys/fs/mqueue/msgsize_max proc/sys/fs/mqueue/msgsize_max none bind,optional,create=file
or
lxc.mount.entry = /proc/sys/fs/mqueue proc/sys/fs/mqueue none bind,optional,create=dir

Is it possible to change this kind of proc value in some way for an unprivileged container?
/Arvid

stgraber · 2017-11-08 19:03:53 UTC

The kernel is what's rejecting that change. It looks like this value is indeed namespaced, probably as part of the IPC namespace, but wasn't marked as being safe for an unprivileged user to modify.

I suspect that if you can attach to the container's ipc and mount namespace without attaching to the user namespace, then you may be able to modify that limit. I however don't believe that there is any good tool that lets you do that.

@brauner can this be done with lxc-attach by running it as root with a specific set of namespaces? We'd effectively want to attach to the container as real root so we can modify that proc file.

brauner · 2017-11-08 19:12:52 UTC

The kernel doesn't let you attach to a mount namespace without also attaching to the owning user namespace.

brauner · 2017-11-08 19:22:44 UTC

Reading Stéphane's answer you could use:

sudo nsenter --mount=/proc/<container-init-id/ns/mnt --ipc=/proc/<container-init-pid>/ns/pid

stgraber · 2017-11-08 19:22:48 UTC

sudo nsenter -i -m -t 14628 bash

Where 14628 is a PID inside the container. From that shell you can then modify the mqueue limit.