How can an LXC container access the host's kernel parameters?

Sasha

Here is the result of a command in an LXC guest:

sysctl -a | grep -E "net.core.rmem_default|net.core.rmem_max|net.core.wmem_default|net.core.wmem_max"

sysctl: reading key "kernel.apparmor_display_secid_mode"
sysctl: reading key "kernel.apparmor_restrict_unprivileged_io_uring"
sysctl: reading key "kernel.apparmor_restrict_unprivileged_userns_complain"
sysctl: reading key "kernel.apparmor_restrict_unprivileged_userns_force"
sysctl: reading key "kernel.unprivileged_userns_apparmor_policy"

but the host returns

net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048576

Is it possible for the guest to get those parameters?
 
Works here, but you might want to redirect stderr to /dev/null so you don't miss it in the forest of errors?

If it doesn't work for you, please post "pveversion -v" and "pct config XXX".
 
Here you are:

pveversion -v

proxmox-ve: 8.4.0 (running kernel: 6.8.12-9-pve)
pve-manager: 8.4.1 (running version: 8.4.1/2a5fa54a8503f96d)
proxmox-kernel-helper: 8.1.1
pve-kernel-5.15: 7.4-15
proxmox-kernel-6.8: 6.8.12-9
proxmox-kernel-6.8.12-9-pve-signed: 6.8.12-9
proxmox-kernel-6.8.12-8-pve-signed: 6.8.12-8
proxmox-kernel-6.8.12-4-pve-signed: 6.8.12-4
proxmox-kernel-6.8.8-4-pve-signed: 6.8.8-4
pve-kernel-5.15.158-2-pve: 5.15.158-2
pve-kernel-5.15.131-2-pve: 5.15.131-3
pve-kernel-5.15.102-1-pve: 5.15.102-1
ceph-fuse: 16.2.15+ds-0+deb12u1
corosync: 3.1.9-pve1
criu: 3.17.1-2+deb12u1
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx11
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-5
libknet1: 1.30-pve2
libproxmox-acme-perl: 1.6.0
libproxmox-backup-qemu0: 1.5.1
libproxmox-rs-perl: 0.3.5
libpve-access-control: 8.2.2
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.1.0
libpve-cluster-perl: 8.1.0
libpve-common-perl: 8.3.1
libpve-guest-common-perl: 5.2.2
libpve-http-server-perl: 5.2.2
libpve-network-perl: 0.11.2
libpve-rs-perl: 0.9.4
libpve-storage-perl: 8.3.6
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.6.0-2
proxmox-backup-client: 3.4.0-1
proxmox-backup-file-restore: 3.4.0-1
proxmox-firewall: 0.7.1
proxmox-kernel-helper: 8.1.1
proxmox-mail-forward: 0.3.2
proxmox-mini-journalreader: 1.4.0
proxmox-widget-toolkit: 4.3.10
pve-cluster: 8.1.0
pve-container: 5.2.6
pve-docs: 8.4.0
pve-edk2-firmware: 4.2025.02-3
pve-esxi-import-tools: 0.7.3
pve-firewall: 5.1.1
pve-firmware: 3.15-3
pve-ha-manager: 4.0.7
pve-i18n: 3.4.2
pve-qemu-kvm: 9.2.0-5
pve-xtermjs: 5.5.0-2
qemu-server: 8.3.12
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.7-pve2

pct config 103

arch: amd64
cores: 8
features: nesting=1
hostname: db.mydomain
memory: 65536
mp0: /files/share,mp=/opt/share,replicate=0
nameserver: xxx.xxx.xxx.xxx.
net0: name=eth0,bridge=vmbr1,gw=10.1.1.112,hwaddr=BC:24:11:92:0B:6B,ip=10.1.1.103/24,type=veth
onboot: 0
ostype: centos
rootfs: local-zfs:subvol-103-disk-0,size=200G
searchdomain: mydomain
startup: order=1
swap: 16384
 
1. Your container is privileged, which is not recommended.
2. The command works for both privileged and unprivileged containers.

Could you post the full output of "sysctl -a -r net.core"?
 
HOST

net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 528482304
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = pfifo_fast
net.core.dev_weight = 64
net.core.dev_weight_rx_bias = 1
net.core.dev_weight_tx_bias = 1
net.core.devconf_inherit_init_net = 0
net.core.fb_tunnels_only_for_init_net = 0
net.core.flow_limit_cpu_bitmap = 000
net.core.flow_limit_table_len = 4096
net.core.gro_normal_batch = 8
net.core.high_order_alloc_disable = 0
net.core.max_skb_frags = 17
net.core.mem_pcpu_rsv = 256
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 300
net.core.netdev_budget_usecs = 2000
net.core.netdev_max_backlog = 1000
net.core.netdev_rss_key = 27:53:fa:fc:66:3a:e1:44:dc:7c:ca:63:92:dd:d4:75:15:64:5a:b0:ec:fc:0e:a5:51:87:75:ec:2a:f2:06:4f:8b:23:0f:0a:14:a3:78:b6:a6:12:e1:5d:49:5c:05:85:28:ac:ea:88
net.core.netdev_tstamp_prequeue = 1
net.core.netdev_unregister_timeout_secs = 10
net.core.optmem_max = 131072
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.rps_default_mask = 000
net.core.rps_sock_flow_entries = 0
net.core.skb_defer_max = 64
net.core.somaxconn = 4096
net.core.tstamp_allow_data = 1
net.core.txrehash = 1
net.core.warnings = 0
net.core.wmem_default = 262144
net.core.wmem_max = 1048576
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1

GUEST 103

net.core.optmem_max = 131072
net.core.rps_default_mask = 000
net.core.somaxconn = 4096
net.core.txrehash = 1
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
 
could you also post the output of "mount" from within the container?
 
rpool/data/subvol-103-disk-0 on / type zfs (rw,relatime,xattr,posixacl,casesensitive)
files on /opt/share type zfs (rw,relatime,xattr,noacl,casesensitive)
none on /dev type tmpfs (rw,relatime,size=492k,mode=755,inode64)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,relatime)
proc on /proc/sysrq-trigger type proc (ro,relatime)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
sysfs on /sys/devices/virtual/net type sysfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
proc on /dev/.lxc/proc type proc (rw,relatime)
sys on /dev/.lxc/sys type sysfs (rw,relatime)
none on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
lxcfs on /proc/cpuinfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/diskstats type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/loadavg type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/meminfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/slabinfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/stat type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/swaps type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/uptime type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /sys/devices/system/cpu type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/ptmx type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/lxc/console type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/console type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/lxc/tty1 type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/lxc/tty2 type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
none on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,noexec,relatime,size=492k,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,size=58720256k,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=26359172k,nr_inodes=819200,mode=755,inode64)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,size=13179584k,nr_inodes=3294896,mode=700,inode64)
 
Which CentOS version? Anything visible in the container startup logs?
 
Let's go the easier way. Here you are from GUEST 102 (Debian 12).
Linux app 6.8.12-9-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-9 (2025-03-16T19:18Z) x86_64 GNU/Linux


It makes no difference. No guest can access those kernel parameters (((

arch: amd64
cores: 2
features: nesting=1
hostname: app.mydomain
memory: 4096
mp0: /files/share,mp=/opt/share,replicate=0
nameserver: xxx.xxx.xxx.xxx
net0: name=eth0,bridge=vmbr1,gw=10.1.1.112,hwaddr=32:F53D:C9:BB,ip=10.1.1.102/24,type=veth
onboot: 0
ostype: debian
rootfs: local-zfs:subvol-102-disk-1,size=20G
searchdomain: mydomain
startup: order=3
swap: 2048

net.core.optmem_max = 131072
net.core.rps_default_mask = 000
net.core.somaxconn = 4096
net.core.txrehash = 1
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1


rpool/data/subvol-102-disk-1 on / type zfs (rw,relatime,xattr,posixacl,casesensitive)
files on /opt/share type zfs (rw,relatime,xattr,noacl,casesensitive)
none on /dev type tmpfs (rw,relatime,size=492k,mode=755,inode64)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,relatime)
proc on /proc/sysrq-trigger type proc (ro,relatime)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
sysfs on /sys/devices/virtual/net type sysfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
proc on /dev/.lxc/proc type proc (rw,relatime)
sys on /dev/.lxc/sys type sysfs (rw,relatime)
none on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
lxcfs on /proc/cpuinfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/diskstats type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/loadavg type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/meminfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/slabinfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/stat type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/swaps type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/uptime type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /sys/devices/system/cpu type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/ptmx type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/console type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/tty1 type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
devpts on /dev/tty2 type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666,max=1026)
none on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,noexec,relatime,size=492k,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=26359172k,nr_inodes=819200,mode=755,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
ramfs on /run/credentials/systemd-sysctl.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-sysusers.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-tmpfiles-setup-dev.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-tmpfiles-setup.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,size=13179584k,nr_inodes=3294896,mode=700,inode64)
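
As an added example (not code from the thread, Proxmox or LXC), the script below diffs the host and guest "sysctl -a -r net.core" dumps posted above for CT 103 and CT 102 and, when run inside a container, checks which of the host-only keys actually exist under /proc/sys for the container's network namespace. The dump excerpts are copied from the posts; the function names are chosen here. What the diff makes visible: the eight keys both containers list (somaxconn, optmem_max, txrehash, rps_default_mask and the four xfrm_ keys) are the net.core entries the 6.8 kernel registers per network namespace, while rmem_*/wmem_* and the rest are registered only in the initial network namespace. Inside a container they are therefore absent from /proc/sys/net/core, not merely buried in the stderr noise of the grep.

```python
"""Added example (not from the thread): diff two `sysctl -a -r net.core`
dumps and check key visibility from inside a container.

The dump excerpts are copied from the thread (host vs. CT 103; CT 102
returned the identical guest list). Function names are chosen here and are
not part of sysctl(8), LXC or Proxmox.
"""
from pathlib import Path

# Constructed sample: excerpt of the host dump posted in the thread.
HOST_DUMP = """\
net.core.bpf_jit_enable = 1
net.core.netdev_max_backlog = 1000
net.core.optmem_max = 131072
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.rps_default_mask = 000
net.core.somaxconn = 4096
net.core.txrehash = 1
net.core.wmem_default = 262144
net.core.wmem_max = 1048576
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
"""

# Constructed sample: the complete guest dump from the thread, with one
# stderr line of the kind sysctl prints for unreadable keys mixed in, as
# happens when stderr is not redirected away from the pipe/terminal.
GUEST_DUMP = """\
sysctl: reading key "kernel.apparmor_display_secid_mode"
net.core.optmem_max = 131072
net.core.rps_default_mask = 000
net.core.somaxconn = 4096
net.core.txrehash = 1
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
"""


def parse_sysctl_dump(text: str) -> dict[str, str]:
    """Turn `key = value` lines into a dict; skip stderr noise and blanks."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("sysctl:") or " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        out[key.strip()] = value.strip()
    return out


def split_visibility(host: dict, guest: dict):
    """Return (shared, host_only, guest_only) sets of sysctl keys."""
    h, g = set(host), set(guest)
    return h & g, h - g, g - h


def sysctl_key_to_path(key: str, root: Path = Path("/proc/sys")) -> Path:
    """Map a sysctl(8) key to its procfs file.

    sysctl(8) accepts '/' as the separator so that dots inside a component
    (an interface such as eth0.100) stay literal; otherwise '.' separates.
    """
    sep = "/" if "/" in key else "."
    return root.joinpath(*key.split(sep))


def live_visibility(keys, root: Path = Path("/proc/sys")) -> dict[str, bool]:
    """True for each key whose procfs file exists under root.  What
    /proc/sys/net shows depends on the caller's network namespace, so run
    this inside the container to see the container's view."""
    return {k: sysctl_key_to_path(k, root).exists() for k in keys}


if __name__ == "__main__":
    host = parse_sysctl_dump(HOST_DUMP)
    guest = parse_sysctl_dump(GUEST_DUMP)
    shared, host_only, guest_only = split_visibility(host, guest)
    print("visible in both:", sorted(shared))
    print("host only:", sorted(host_only))
    print("guest only:", sorted(guest_only))
    # Inside the CT this reports which host-only keys exist for this netns.
    for key, present in live_visibility(sorted(host_only)).items():
        print(f"{key}: {'present' if present else 'absent'} in this netns")
```

Run it inside the CT with python3; the rmem/wmem keys come back "absent in this netns". The equivalent one-liner for a live check is "sysctl -a -r 'net\.core\.[rw]mem' 2>/dev/null", which prints nothing in the container and the four values on the host.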
 
(this is again a privileged container with nesting - is there a reason for this highly unusual and discouraged config? I still don't see this behaviour even with such a config, but wanted to note it once more ;))

could you please post the journal from inside the container ("journalctl -b") as well as the host journal covering the startup?
 
As for the "highly unusual and discouraged config": AFAIK it has worked for about 10 years and nobody is interested in why some past admin set it up this way 8|
The journalctl -b of the restart is attached.
 
It effectively undoes the whole point of a container. May as well do whatever it is you're doing on the host, since you don't have meaningful separation doing it the way you are.
I do appreciate your competent opinion, but would you clarify how I can permit containers to read that?
sysctl -a | grep -E "net.core.rmem_default|net.core.rmem_max|net.core.wmem_default|net.core.wmem_max"
 
The host logs are cut off before the relevant part, unfortunately.

regarding the config:
- privileged containers should only be used if there is a reason that requires it and the workload inside is trusted
 
It's hard to understand how the host log can be cut off 8( I just rebooted the host and waited until the log was fully written.
Would you let me know what substring combination we are looking for?
 
There's no trace of a container start there (maybe you misunderstood me? I meant the host logs covering the container startup ;))
 
Okay, nothing out of the ordinary there. Just to make sure: do you see the same behaviour with an unprivileged container?