Quick clarifications on next steps:
- corosync runs as root... so it's unclear to me it would fail for prlimit64() inside a container if sys_resource is denied. For sure prlimit64() fails in 2 conditions: not root and no "cap_sys_resource" is configured for the binary (CAP_SYS_RESOURCE=+ep), which is not the case, and not root and ulimit for memlock is not unlimited, also not the case since corosync runs as root.
- I'm gonna test lxd defaults, since I was using vanilla lxc setup. Intention is to check on sys_resource being default or not, and the impact of lacking sys_resource for root prlimit64() calls without memlock ulimit being unlimited if no sys_resource is set to container.
- Will check anything else that might be stepping into our way.