Provide pid_max namespace support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Triaged | Undecided | Unassigned |
Bug Description
[Impact]
* Allow setting a lower pid_max on a per-namespace basis, to support legacy workloads on modern hosts.
* Cherry-pick patches from https:/
[Test Plan]
Setup:
cat <<EOF | sudo tee /var/snap/
#!/bin/sh
echo 65536 > "\${LXC_
EOF
sudo chmod +x /var/snap/
echo "lxc.hook.
lxc launch -c raw.lxc=
== Test Results ==
Large value on the host:
sudo sysctl -a | grep pid_max
kernel.pid_max = 4194304
Small value in the container:
lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
kernel.pid_max = 65536
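The host-versus-container comparison from the test plan above, as an added shell script that is not part of the bug report or of the kernel patches. It reads /proc/sys/kernel/pid_max directly in the caller's namespace and via `lxc exec` inside the container (the container name `small-pid-container` is the one used in the test results; `lxc` and util-linux `unshare` are assumed to be installed), and it adds a `probe` mode for the permission question raised under [Where problems could occur]: it tries to lower pid_max from inside an unprivileged user namespace and reports whether the write was allowed.

```shell
#!/bin/sh
# Added example, not from the bug report or the patches. Assumes lxc and
# util-linux unshare are available; "small-pid-container" is the container
# name from the test plan above.
set -eu

# Extract the integer from a "kernel.pid_max = N" sysctl(8) line or from the
# raw value of /proc/sys/kernel/pid_max (first line of stdin). Fails on
# anything that is not a plain number.
parse_pid_max() {
    IFS= read -r line || [ -n "$line" ] || return 1
    value=${line##*= }      # "kernel.pid_max = 65536" -> "65536"
    value=${value##*=}      # tolerate a missing space after "="
    case $value in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# pid_max as seen from the namespace this script runs in (the host).
host_pid_max() {
    parse_pid_max < /proc/sys/kernel/pid_max
}

# pid_max as seen from inside a running LXD container.
container_pid_max() {
    lxc exec "$1" -- cat /proc/sys/kernel/pid_max | parse_pid_max
}

# True when the container value ($2) is strictly lower than the host value
# ($1), i.e. when the per-namespace limit actually took effect.
is_lowered() {
    [ "$2" -lt "$1" ]
}

# Compare a container against the host and print a verdict.
verify_container() {
    host=$(host_pid_max)
    cont=$(container_pid_max "$1")
    printf 'host pid_max=%s container pid_max=%s\n' "$host" "$cont"
    if is_lowered "$host" "$cont"; then
        echo "PASS: container limit is lower than the host limit"
    else
        echo "FAIL: container did not get a lower pid_max" >&2
        return 1
    fi
}

# Permission probe: can an unprivileged user namespace (new user, pid and
# mount namespaces, fresh /proc) lower its own pid_max without CAP_SYS_ADMIN
# in the parent namespace? On a stock kernel the write is expected to be
# denied; on the patched kernel the result shows which semantics you got.
# Returns 0 when the write was allowed, 1 when it was denied.
probe_unprivileged_lowering() {
    if unshare -Urpf --mount-proc sh -c \
        'echo 65536 > /proc/sys/kernel/pid_max && cat /proc/sys/kernel/pid_max' 2>/dev/null
    then
        echo "NOTE: an unprivileged user namespace could lower pid_max"
        return 0
    fi
    echo "pid_max write denied inside an unprivileged user namespace"
    return 1
}

case ${1:-} in
    container) verify_container "${2:-small-pid-container}" ;;
    probe)     probe_unprivileged_lowering ;;
    '')        : ;;   # no arguments: only define the functions
    *)         echo "usage: $0 container [name] | probe" >&2; exit 2 ;;
esac
```

Run `sh check-pidmax.sh container` on the host after the `lxc launch` step of the test plan; the exit status is non-zero unless the container reports a strictly lower pid_max than the host. `sh check-pidmax.sh probe` exercises the permission concern directly and does not need a container.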
[Where problems could occur]
* These are out-of-tree SAUCE patches not yet applied upstream; there appear to be permission issues inside user namespaces with being able to self-lower the limit without CAP_SYS_ADMIN in the parent namespace. The upstream implementation may change, with different permissions and semantics. By default pid_max is currently very large, so there should be no need to lower it on the host at all.
Changed in linux (Ubuntu):
status: New → Triaged
description: updated
Changing pid_max on the host to a lower value kept the high value in the container.