Setting fs.mqueue.msg_max in container

I need to set a privileged container to:

And I fail. I set the host to those values, and trying to set the container directly says:
echo 6000 > /proc/sys/fs/mqueue/msg_max
bash: /proc/sys/fs/mqueue/msg_max: Read-only file system

I am running a privileged container as root… config as follows:

architecture: x86_64
image.architecture: amd64
image.description: ubuntu 18.04 LTS amd64 (release) (20190212.1)
image.label: release
image.os: ubuntu
image.release: bionic
image.serial: “20190212.1”
image.version: “18.04”
security.privileged: “true”
volatile.base_image: 35f6bff57c250208c6dc73445eefe8c1020853a1bc8571ebd8bfb1fe3a239504
volatile.eth0.hwaddr: 00:16:3e:9d:88:32
volatile.idmap.base: “0” ‘[]’
volatile.last_state.idmap: ‘[]’
volatile.last_state.power: RUNNING
ephemeral: false

  • default
    stateful: false
    description: “”

Appreciate any info on docs that I have obviously missed, or tips.

Ah yeah, we do quite heavily protect /proc in privileged containers due to the very high risk of damage to the host when random sysctls get applied which aren’t properly namespaced.

In this case, you may be able to workaround this with something like:

printf "\ sys:mixed" | lxc config set NAME raw.lxc

printf “\ sys:mixed” | lxc config set u64 raw.lxc
Error: cannot set ‘u64’ to ‘raw.lxc’: unknown key

I had to enter the first part of the key only, the edit the config. So the config has :

raw.lxc: sys:mixed

In the container, Now I get:
echo 6000 > /proc/sys/fs/mqueue/msg_max
bash: /proc/sys/fs/mqueue/msg_max: Permission denied

So it is different, but still bad.


Ah, so now it’s probably apparmor blocking it too which is a bit annoying because it’s hard to allow something that was blocked on purpose…

One workaround is to turn off apparmor for your container but that’s effectively turning off all security at that point.

printf “\ sys:mixed\nlxc.apparmor.profile=unconfined” | lxc config set u64 raw.lxc -