[SOLVED] I was wondering if i can update the kernel parameters of lxc guest OS?

[cqh]

I was wondering if i can update the kernel parameters of lxc guest OS like the way i used bellow?


Can anybody help me?

 

[leesteken]

Containers share the same kernel with each other and the Proxmox host. You cannot change kernel parameters from within a container by design. You can change the kernel parameters of the Proxmox host, which (after a reboot) will probably be visible inside the container.

 

[LnxBil]

most sysctl parameters should be directly visible after the change. The only one I know which may require a reboot is hugepages, if you do not have any consecutive memory laying around.

 

[cqh]

Containers share the same kernel with each other and the Proxmox host. You cannot change kernel parameters from within a container by design. You can change the kernel parameters of the Proxmox host, which (after a reboot) will probably be visible inside the container.

Thank you again for your advice.

In fact, I have tried it as you said.Things I've done thus far:

• change the kernel parameters of the Proxmox host,and it output:
• 
  
• And then I reboot the host.
• It seems that the kernel parameters in the container have not changed.
• 

It has been bothering me for several days.
Thank you again for your advice.

 

[LnxBil]

I think you need to change the AppArmor restrictions or set capabilities on the LX(C) container in order to get it to work. I have no idea how to loosen the security of the container in order to get it to work. Maybe a real VM would be better here and easier to setup?

 

[cqh]

I think you need to change the AppArmor restrictions or set capabilities on the LX(C) container in order to get it to work. I have no idea how to loosen the security of the container in order to get it to work. Maybe a real VM would be better here and easier to setup?

Thanks for your reply.
I have no idea to loosen the security of the container too
I agree that Containers share the same kernel with the Proxmox host. But it did not work while I changed the kernel parameters.Maybe I overlooked something that caused it not to work properly.
Thank you again.

 

[LnxBil]

I agree that Containers share the same kernel with the Proxmox host. But it did not work while I changed the kernel parameters.Maybe I overlooked something that caused it not to work properly.

You cannot change the virtualized parameter you see inside of your container. I debugged it and setting it to unconfined does also not work. You need to create a new apparmor profile in order to get it to work. I would stop here and switch to KVM ... I would not mess around with default security settings so deep.

Why do you need to change the setting in the first place?

 

[cqh]

You cannot change the virtualized parameter you see inside of your container. I debugged it and setting it to unconfined does also not work. You need to create a new apparmor profile in order to get it to work. I would stop here and switch to KVM ... I would not mess around with default security settings so deep.

Why do you need to change the setting in the first place?

I installed Proxmox on my home box with the N5105 CPU. It got some problems about crashing VMs.Like the example here: https://forum.proxmox.com/threads/vm-freezes-irregularly.111494/
I switched to Lxc and it work well.
I have an application that must use the message queue of Linux,and found no way to change the kernel parameters from within a container.

could you give a example to create a new apparmor profile please?
Thank you again.

 

[LnxBil]

could you give a example to create a new apparmor profile please?

I have never created one until now, but I cannot get it to work:

root@proxmox ~ > cat /etc/apparmor.d/lxc/lxc-default-113710
profile lxc-container-113710 flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  allow /proc/sys/kernel/msg*/** ra,
  allow /proc/sys/kernel/msg* ra,
}

Reloading:

apparmor_parser -r /etc/apparmor.d/lxc-containers

Adding profile:

root@proxmox ~ > tail -1 /etc/pve/lxc/100.conf
lxc.apparmor.profile: lxc-container-113710

And trying:

root@proxmox ~ > pct start 100
explicitly configured lxc.apparmor.profile overrides the following settings: features:nesting

root@proxmox ~ > pct exec 100 -- sysctl -w kernel.msgmnb=32768
sysctl: error setting key 'kernel.msgmnb': Read-only file system

Yet still no luck. Maybe you can get it to work from here.

 

[cqh]

I have never created one until now, but I cannot get it to work:

root@proxmox ~ > cat /etc/apparmor.d/lxc/lxc-default-113710
profile lxc-container-113710 flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  allow /proc/sys/kernel/msg*/** ra,
  allow /proc/sys/kernel/msg* ra,
}

Reloading:

apparmor_parser -r /etc/apparmor.d/lxc-containers

Adding profile:

root@proxmox ~ > tail -1 /etc/pve/lxc/100.conf
lxc.apparmor.profile: lxc-container-113710

And trying:

root@proxmox ~ > pct start 100
explicitly configured lxc.apparmor.profile overrides the following settings: features:nesting

root@proxmox ~ > pct exec 100 -- sysctl -w kernel.msgmnb=32768
sysctl: error setting key 'kernel.msgmnb': Read-only file system

Yet still no luck. Maybe you can get it to work from here.

I have tried two scenarios of privileged container and non privileged container by modifying AppArmor profile, but it is still no luck so far.
Maybe I should read the Proxmox manual carefully.
Anyway, thank you for your help.

 

[cqh]

It works, however only for privileged containers.
Setting kernel parameters of the container in "/etc/pve/lxc/CTid.conf" (privileged container)
lxc.mount.auto: proc:rw lxc.sysctl.kernel.msgmnb: 134217728 lxc.sysctl.kernel.msgmax: 65536

 

[LnxBil]

Thank you for reporting back with an solution, great!

 

[cqh]

Thanks you all for your ideas.