Provide pid_max namespace support

Bug #1968886 reported by Dimitri John Ledkov
This bug affects 1 person
Affects: linux (Ubuntu)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

[Impact]

 * Allow setting lower pid_max on per namespace basis, to support legacy workloads on modern hosts.

 * Cherrypick patches from https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/

[Test Plan]

Setup:

```
cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
#!/bin/sh
echo 65536 > "\${LXC_ROOTFS_MOUNT}"/proc/sys/kernel/pid_max
EOF

sudo chmod +x /var/snap/lxd/common/set-pid-max

echo "lxc.hook.mount=\$SNAP_COMMON/set-pid-max" | sudo tee /var/snap/lxd/common/set-pid-max.config

lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy small-pid-container
```

== Test Results ==

Large value on the host:

```
sudo sysctl -a | grep pid_max
kernel.pid_max = 4194304
```

Small value in the container:

```
lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
kernel.pid_max = 65536
```

[Where problems could occur]

 * These are out-of-tree sauce patches not yet applied upstream. There appear to be permission issues inside user namespaces: a process cannot self-lower the limit without CAP_SYS_ADMIN in the parent namespace. The upstream implementation may change, with different permissions and semantics. By default pid_max is currently very large, so it should not be necessary to lower it at all on the host.
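The following script is an added helper, not part of the bug report or of the kernel patches. It automates the [Test Plan] comparison above and adds a probe for the [Where problems could occur] caveat (whether container root can change its own pid_max); it assumes `lxc` is on PATH and a container named `small-pid-container`.

```shell
#!/bin/sh
# Added helper for the test plan above; not part of the bug report or of the
# kernel patches. Assumes `lxc` is on PATH and the container is named
# "small-pid-container" (override with the first argument).

# Extract the numeric kernel.pid_max from `sysctl -a`-style text on stdin.
pid_max_from_sysctl() {
    sed -n 's/^kernel\.pid_max = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# 0 when the container limit is positive and strictly lower than the host's,
# 1 when it is not, 2 when either value is missing.
pid_max_is_namespaced() {
    host=$1 ctr=$2
    [ -n "$host" ] && [ -n "$ctr" ] || return 2
    [ "$ctr" -gt 0 ] && [ "$ctr" -lt "$host" ]
}

# Live check of the [Test Plan]: host value must stay large, container value small.
check_live() {
    name=${1:-small-pid-container}
    host=$(sysctl -a 2>/dev/null | pid_max_from_sysctl)
    ctr=$(lxc exec "$name" -- sysctl -a 2>/dev/null | pid_max_from_sysctl)
    if pid_max_is_namespaced "$host" "$ctr"; then
        echo "ok: host pid_max=$host, container pid_max=$ctr"
    else
        echo "FAIL: host pid_max=${host:-?}, container pid_max=${ctr:-?}"
        return 1
    fi
}

# Probe for the [Where problems could occur] caveat: can container root change
# its own pid_max? Writes one below the current value, reports, then restores.
probe_self_change() {
    name=${1:-small-pid-container}
    cur=$(lxc exec "$name" -- sysctl -n kernel.pid_max 2>/dev/null) || return 2
    if lxc exec "$name" -- sh -c "echo $((cur - 1)) > /proc/sys/kernel/pid_max" 2>/dev/null; then
        echo "container root CAN change pid_max ($cur -> $((cur - 1)))"
        lxc exec "$name" -- sh -c "echo $cur > /proc/sys/kernel/pid_max" 2>/dev/null
    else
        echo "container root cannot change pid_max (stays $cur)"
    fi
}

# Constructed sample lines mirroring the bug's recorded results, for offline use.
HOST_SAMPLE='kernel.pid_max = 4194304'
CTR_SAMPLE='kernel.pid_max = 65536'
```

Run `check_live` after the Setup steps; `probe_self_change` is informational and records which semantics the installed kernel actually implements.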

Changed in linux (Ubuntu):
status: New → Triaged
Dimitri John Ledkov (xnox) wrote :

Changing pid_max on the host to a lower value, kept high value in the container.

Dimitri John Ledkov (xnox) wrote :

Entering mount & pid namespace, as initial namespace root does not let me set pid_max inside the container.

description: updated
Gary.Wang (gary-wzl77) wrote :

I gave it a try with the test kernel shared by Dimitri.

1. Launch a jammy (kernel version: 5.15.0-25-generic) based LXD VM locally
2. Disable Secure Boot.
3. Install the test kernels (version: 5.15.0-26-generic)
4. Reboot the VM
5. Install the latest lxd snap (5.0.0-e478009) from the store
6. Run the test plan
```
ubuntu@jammy-kernel-lp1968886:~$ sudo sysctl -a | grep pid_max
kernel.pid_max = 4194304
ubuntu@jammy-kernel-lp1968886:~$ lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
kernel.pid_max = 65536
```

The test results matched what we expected.
