Unprivileged LXC fails to start when using lxc.sysctl.*

0xFelix

Oct 25, 2017
Hello!

I tried to set up Gitlab in an unprivileged LXC.

As already discussed in other threads, Gitlab wants to set some sysctls to specific values.

To be exact:

Code:
kernel.shmall = 4194304
kernel.sem = 250 32000 32 262
net.core.somaxconn = 1024
kernel.shmmax = 17179869184

In older versions of PVE it was sufficient to set these values on the host and then they would get passed down into every LXC.

This commit in the LXC repository introduced the lxc.sysctl.* parameter: https://github.com/lxc/lxc/issues/989
And according to https://bugzilla.proxmox.com/show_bug.cgi?id=1785#c5 this should also work on PVE.

I added the following lines to my LXC config:

Code:
lxc.mount.auto: proc:rw
lxc.sysctl.kernel.shmall: 4194304
lxc.sysctl.kernel.sem: 250 32000 32 262
lxc.sysctl.kernel.shmmax: 17179869184

My problem is that the LXC fails to start when it is set to unprivileged.
The previous solution also worked with unprivileged LXCs. Is this a bug?

According to the linked GitHub issue this should also work with user namespaces / unprivileged LXCs.
 
No, that cannot work for unprivileged CTs for now.
Your linked GitHub issue also nowhere mentions unprivileged at all, AFAICT only privileged work.

So either:
  • Use a privileged CT (you can select this on CT create, or backup+restore and choose privileged on CT restore)
  • Set the settings on the host (probably not too ideal as it affects all)
  • Use a Virtual Machine
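A small config check for the situation described in this thread, added here as an example and not code from the thread or from Proxmox: it reads a PVE container config, flags `lxc.sysctl.*` entries on an unprivileged CT (which, as stated above, will not start), and rewrites those entries in `sysctl.conf` syntax for the second option, setting them on the host. The config path and the sample config are assumptions.

```shell
#!/bin/sh
# Lint a Proxmox CT config for lxc.sysctl.* entries on an unprivileged CT.
# Returns 0 when the config is fine, 1 when the CT is unprivileged and
# carries lxc.sysctl.* lines, 2 when the file cannot be read.
# Usage: check_ct_config /etc/pve/lxc/<vmid>.conf   (path is an assumption)
check_ct_config() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # PVE marks unprivileged containers with "unprivileged: 1".
    if grep -Eq '^unprivileged:[[:space:]]*1' "$conf"; then
        priv=0
    else
        priv=1
    fi

    # Collect the sysctl keys from "lxc.sysctl.KEY: VALUE" lines.
    keys=$(sed -n 's/^lxc\.sysctl\.\([^:[:space:]]*\)[[:space:]]*:.*/\1/p' "$conf")

    if [ -z "$keys" ]; then
        echo "$conf: no lxc.sysctl.* entries"
        return 0
    fi
    if [ "$priv" -eq 1 ]; then
        echo "$conf: privileged CT, lxc.sysctl.* entries are applied by LXC"
        return 0
    fi

    echo "$conf: unprivileged CT will not start with these entries:" >&2
    for k in $keys; do
        echo "  lxc.sysctl.$k" >&2
    done
    echo "use a privileged CT, set them on the host, or use a VM" >&2
    return 1
}

# Rewrite "lxc.sysctl.KEY: VALUE" lines as "KEY = VALUE" for the host's
# /etc/sysctl.d (the second option listed above).
host_sysctl_lines() {
    sed -n 's/^lxc\.sysctl\.\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*\(.*\)$/\1 = \2/p' "$1"
}
```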
 
I had the same problem, trying to install Gitlab in an unprivileged LXC with Debian. I also tried Ubuntu, because this issue suggests that it is not affected, but with the same result.

However (and surprisingly), I was successful running the official Gitlab Docker, inside Docker on LXC (unprivileged, Debian) in Proxmox. I am not sure whether the folks who maintain the official Docker image modified the parts where it tries to set sysctls settings.

I followed these steps to set up Docker in unprivileged LXC.
 
