Activity log for bug #1968886

Date Who What changed Old value New value Message
2022-04-13 12:37:53 Dimitri John Ledkov bug added bug
2022-04-13 12:38:02 Dimitri John Ledkov bug added subscriber Stéphane Graber
2022-04-13 12:38:08 Dimitri John Ledkov bug added subscriber Simon Fels
2022-04-13 12:38:28 Dimitri John Ledkov linux (Ubuntu): status New Triaged
2022-04-13 14:26:33 Simon Déziel bug added subscriber Simon Déziel
2022-04-14 11:17:24 Dimitri John Ledkov description

    Old value:

    [Impact]
     * Allow setting a lower pid_max on a per-namespace basis, to support legacy workloads on modern hosts.
     * Cherry-pick patches from https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/

    [Test Plan]
     * Launch an lxd container and lower pid_max in the container by doing
         echo 65536 > /path/to/proc/in/c0/mnt/namespace/proc/sys/kernel/pid_max
       from outside of the container
     * Observe that pid_max is lowered inside the container relative to the host

    [Where problems could occur]
     * These are out-of-tree sauce patches not yet applied upstream; there appear to be permission issues inside user namespaces with being able to self-lower the limit without having CAP_SYS_ADMIN in the parent namespace. The upstream implementation may change, with different permissions and semantics. By default, pid_max is currently very large, so there should be no need to lower it at all on the host.

    New value:

    [Impact]
     * Allow setting a lower pid_max on a per-namespace basis, to support legacy workloads on modern hosts.
     * Cherry-pick patches from https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/

    [Test Plan]
    Setup:

        cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
        #!/bin/sh
        echo 65536 > "\${LXC_ROOTFS_MOUNT}"/proc/sys/kernel/pid_max
        EOF
        sudo chmod +x /var/snap/lxd/common/set-pid-max
        echo "lxc.hook.mount=\$SNAP_COMMON/set-pid-max" | sudo tee /var/snap/lxd/common/set-pid-max.config
        lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy
        lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy small-pid-container

    == Test Results ==
    Large value on the host:

        sudo sysctl -a | grep pid_max
        kernel.pid_max = 4194304

    Small value in the container:

        lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
        Expected value: kernel.pid_max = 65536

    [Where problems could occur]
     * These are out-of-tree sauce patches not yet applied upstream; there appear to be permission issues inside user namespaces with being able to self-lower the limit without having CAP_SYS_ADMIN in the parent namespace. The upstream implementation may change, with different permissions and semantics. By default, pid_max is currently very large, so there should be no need to lower it at all on the host.

2022-04-14 11:18:20 Dimitri John Ledkov description

    Old value: identical to the 11:17:24 new value above.

    New value (the first, unnamed `lxc launch` line of the setup is dropped):

    [Impact]
     * Allow setting a lower pid_max on a per-namespace basis, to support legacy workloads on modern hosts.
     * Cherry-pick patches from https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/

    [Test Plan]
    Setup:

        cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
        #!/bin/sh
        echo 65536 > "\${LXC_ROOTFS_MOUNT}"/proc/sys/kernel/pid_max
        EOF
        sudo chmod +x /var/snap/lxd/common/set-pid-max
        echo "lxc.hook.mount=\$SNAP_COMMON/set-pid-max" | sudo tee /var/snap/lxd/common/set-pid-max.config
        lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy small-pid-container

    == Test Results ==
    Large value on the host:

        sudo sysctl -a | grep pid_max
        kernel.pid_max = 4194304

    Small value in the container:

        lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
        Expected value: kernel.pid_max = 65536

    [Where problems could occur]
     * These are out-of-tree sauce patches not yet applied upstream; there appear to be permission issues inside user namespaces with being able to self-lower the limit without having CAP_SYS_ADMIN in the parent namespace. The upstream implementation may change, with different permissions and semantics. By default, pid_max is currently very large, so there should be no need to lower it at all on the host.

2022-04-14 11:22:00 Dimitri John Ledkov description

    Old value: identical to the 11:18:20 new value above.

    New value (the "Expected value:" prefix on the container result is dropped):

    [Impact]
     * Allow setting a lower pid_max on a per-namespace basis, to support legacy workloads on modern hosts.
     * Cherry-pick patches from https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/

    [Test Plan]
    Setup:

        cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
        #!/bin/sh
        echo 65536 > "\${LXC_ROOTFS_MOUNT}"/proc/sys/kernel/pid_max
        EOF
        sudo chmod +x /var/snap/lxd/common/set-pid-max
        echo "lxc.hook.mount=\$SNAP_COMMON/set-pid-max" | sudo tee /var/snap/lxd/common/set-pid-max.config
        lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy small-pid-container

    == Test Results ==
    Large value on the host:

        sudo sysctl -a | grep pid_max
        kernel.pid_max = 4194304

    Small value in the container:

        lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
        kernel.pid_max = 65536

    [Where problems could occur]
     * These are out-of-tree sauce patches not yet applied upstream; there appear to be permission issues inside user namespaces with being able to self-lower the limit without having CAP_SYS_ADMIN in the parent namespace. The upstream implementation may change, with different permissions and semantics. By default, pid_max is currently very large, so there should be no need to lower it at all on the host.