Setting fs.mqueue.msg_max in container

I need to set a privileged container to:
fs.mqueue.msg_max=6000
fs.mqueue.msgsize_max=8192
fs.mqueue.queues_max=512

And I fail. I set the host to those values, and trying to set the container directly says:
echo 6000 > /proc/sys/fs/mqueue/msg_max
bash: /proc/sys/fs/mqueue/msg_max: Read-only file system

I am running a privileged container as root… config as follows:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20190212.1)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20190212.1"
  image.version: "18.04"
  security.privileged: "true"
  volatile.base_image: 35f6bff57c250208c6dc73445eefe8c1020853a1bc8571ebd8bfb1fe3a239504
  volatile.eth0.hwaddr: 00:16:3e:9d:88:32
  volatile.idmap.base: "0"
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
devices:
ephemeral: false
profiles:
- default
stateful: false
description: ""

Appreciate any info on docs that I have obviously missed, or tips.

Ah yeah, we do quite heavily protect /proc in privileged containers due to the very high risk of damage to the host when random sysctls get applied which aren’t properly namespaced.

In this case, you may be able to workaround this with something like:

printf "lxc.mount.auto=\nlxc.mount.auto=proc:rw sys:mixed" | lxc config set NAME raw.lxc

printf "lxc.mount.auto=\nlxc.mount.auto=proc:rw sys:mixed" | lxc config set u64 raw.lxc
Error: cannot set 'u64' to 'raw.lxc': unknown key

I had to enter the first part of the key only, then edit the config. So the config has:

raw.lxc: lxc.mount.auto=proc:rw sys:mixed

In the container, now I get:
echo 6000 > /proc/sys/fs/mqueue/msg_max
bash: /proc/sys/fs/mqueue/msg_max: Permission denied

So it is different, but still bad.

Thanks

Ah, so now it’s probably apparmor blocking it too which is a bit annoying because it’s hard to allow something that was blocked on purpose…

One workaround is to turn off apparmor for your container but that’s effectively turning off all security at that point.

printf "lxc.mount.auto=\nlxc.mount.auto=proc:rw sys:mixed\nlxc.apparmor.profile=unconfined" | lxc config set u64 raw.lxc -
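Both tweaks in this thread (mounting /proc read-write and running with an unconfined AppArmor profile) reduce what a privileged container is prevented from doing to the host, so they are worth catching in a config review. The following POSIX shell audit is an added example, written here and not part of the thread or of LXD: it reads `lxc config show NAME` output on stdin and flags exactly those two raw.lxc settings. It assumes only awk and grep are available.

```shell
#!/bin/sh
# Added example (not from the thread): audit an LXD container's raw.lxc for
# the two relaxations discussed above, "proc:rw" in lxc.mount.auto and
# "lxc.apparmor.profile=unconfined". Both weaken a privileged container's
# isolation from the host.
# Usage: lxc config show NAME | audit_raw_lxc
# Prints one finding per line and returns 1 if anything was flagged.

# Pull the raw.lxc value out of `lxc config show` output on stdin.
# Handles the single-line form ("raw.lxc: lxc.mount.auto=...") and the
# block form ("raw.lxc: |-" followed by more deeply indented lines).
extract_raw_lxc() {
    awk '
        function indent(s) { match(s, /^[ \t]*/); return RLENGTH }
        inblock {
            # Block scalar continues while lines are indented past the key.
            if (indent($0) > keyindent && $0 !~ /^[ \t]*$/) {
                sub(/^[ \t]+/, ""); print; next
            }
            inblock = 0
        }
        /^[ \t]*raw\.lxc:/ {
            keyindent = indent($0)
            sub(/^[ \t]*raw\.lxc:[ \t]*/, "")
            if ($0 ~ /^[|>]/) { inblock = 1 } else { print }
        }
    '
}

audit_raw_lxc() {
    raw=$(extract_raw_lxc)
    rc=0
    # proc:rw makes the host's /proc/sys writable from inside the container.
    if printf '%s\n' "$raw" | grep -q 'lxc\.mount\.auto=.*proc:rw'; then
        echo "FINDING: /proc mounted read-write (lxc.mount.auto=proc:rw)"
        rc=1
    fi
    # An unconfined profile removes the AppArmor layer entirely.
    if printf '%s\n' "$raw" | grep -q 'lxc\.apparmor\.profile=unconfined'; then
        echo "FINDING: AppArmor disabled (lxc.apparmor.profile=unconfined)"
        rc=1
    fi
    return $rc
}
```

Running it across `lxc list -c n --format csv` output gives a quick inventory of which containers have been relaxed this way and should be reviewed or reverted once the sysctl change is no longer needed.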