PThread permissions problem after upgrading host to 19.10

Hello, I set up an Ubuntu 16.04 container on a host running Ubuntu 16.04 using the snap version of LXD 3.0.4. Everything was working great, so I upgraded the host to Ubuntu 19.10, and now I’m getting this error from my application in the container:

2019-12-11_18:59:26:02383 00:00:00:000 WARNING - PThread::_start: SCHED_FIFO - Failed to set scheduling parameters for PThreadPool

I suspect this is related to the SYS_NICE permission, but I’m not sure. I tried granting SYS_NICE via the raw.lxc setting, but that just took away other needed capabilities and it didn’t work well.

I read somewhere that the latest LXD grants all capabilities to unprivileged containers, so I tried upgrading to 3.18, but that didn’t help either.

Any advice would be appreciated.

Did you try

lxc config set mycontainer raw.lxc 'lxc.apparmor.profile=unconfined'

Granted, if it’s a privileged container it’s really not good from a security point of view, but at least it could provide negative information.

Thanks for the suggestion - I just tried it and got the same result. I am researching doing something similar with the cgroup cpu settings, based on this thread, but I don’t know how to apply the fix to lxc containers.

This post even mentions the same permissions:

I’ve also tried making the container privileged and restarting, but that did not help:

lxc config set c1 security.privileged true

OK, figured it out - it was a two-step fix, which is what makes it tricky. First, you need to run the container in privileged mode, as I posted above:

lxc config set c1 security.privileged true

Then stop and start the container. Then I was able to run my process as root (with sudo), and it worked fine. I could probably mess with the permissions inside the container to get this working as a regular user, but this is good enough for me.

If anyone cares, I found the C test program near the top of this thread useful for diagnostics:

  1. Run it as root - if permissions are denied, your container isn’t privileged
  2. Once it works as root, your problem is within the container, sudo should help.
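
Added example, not part of the thread and not the C test program the last post refers to: a minimal probe for the two diagnostic steps above. It requests SCHED_FIFO for the calling process, reports the error and the RLIMIT_RTPRIO limits, and restores the previous policy; the function name `probe_sched_fifo` and the messages are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Ask for SCHED_FIFO at the lowest real-time priority, then put the previous
 * policy back. Returns 0 on success, otherwise the errno of the failed call. */
int probe_sched_fifo(void)
{
    struct sched_param old, rt;
    int old_policy = sched_getscheduler(0);

    if (old_policy < 0 || sched_getparam(0, &old) < 0)
        return errno;
    memset(&rt, 0, sizeof rt);
    rt.sched_priority = sched_get_priority_min(SCHED_FIFO);
    if (sched_setscheduler(0, SCHED_FIFO, &rt) < 0)
        return errno;
    sched_setscheduler(0, old_policy, &old);   /* undo the probe */
    return 0;
}

int main(void)
{
    struct rlimit rl = {0, 0};
    int err = probe_sched_fifo();

    getrlimit(RLIMIT_RTPRIO, &rl);
    printf("euid=%d RLIMIT_RTPRIO soft=%llu hard=%llu\n", (int)geteuid(),
           (unsigned long long)rl.rlim_cur, (unsigned long long)rl.rlim_max);
    if (err == 0) {
        puts("SCHED_FIFO ok: this user may set real-time scheduling here");
        return 0;
    }
    printf("SCHED_FIFO failed: %s\n", strerror(err));
    if (err == EPERM && geteuid() == 0)
        puts("denied as root: per the thread, check security.privileged");
    else if (err == EPERM)
        puts("denied as non-root: retry as root to separate the two cases");
    return 1;
}
```

Build it inside the container with `cc -o fifo_probe fifo_probe.c` (file name assumed) and run it once as the application user and once with sudo.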