Proc/sys change in unprivilege container

norrarvid 2017-11-08 15:25:09 UTC #1

I am trying to change the value of /proc/sys/fs/mqueue/msgsize_max for an unprivileged LXC container (not LXD) running on Ubuntu 17.10 without any success.
Changing lxc.mount.auto proc:mixed to proc:rw and changing the value inside the container echo 5000 > /proc/sys/fs/mqueue/msgsize_max ; gives Permission denied
I have also tried to mount the content of the proc value from the host:
lxc.mount.entry = /proc/sys/fs/mqueue/msgsize_max proc/sys/fs/mqueue/msgsize_max none bind,optional,create=file
or
lxc.mount.entry = /proc/sys/fs/mqueue proc/sys/fs/mqueue none bind,optional,create=dir

Is it possible to change this kind of proc value in some way for an unprivileged container?
/Arvid

stgraber 2017-11-08 19:03:53 UTC #2

The kernel is what's rejecting that change. It looks like this value is indeed namespaced, probably as part of the IPC namespace, but wasn't marked as being safe for an unprivileged user to modify.

I suspect that if you can attach to the container's ipc and mount namespace without attaching to the user namespace, then you may be able to modify that limit. I however don't believe that there is any good tool that lets you do that.

@brauner can this be done with lxc-attach by running it as root with a specific set of namespaces? We'd effectively want to attach to the container as real root so we can modify that proc file.

brauner 2017-11-08 19:12:52 UTC #3

The kernel doesn't let you attach to a mount namespace without also attaching to the owning user namespace.

brauner 2017-11-08 19:22:44 UTC #4

Reading Stéphane's answer you could use:

sudo nsenter --mount=/proc/<container-init-id/ns/mnt --ipc=/proc/<container-init-pid>/ns/pid

stgraber 2017-11-08 19:22:48 UTC #5

sudo nsenter -i -m -t 14628 bash

Where 14628 is a PID inside the container. From that shell you can then modify the mqueue limit.