Check /proc/self/mountinfo. /proc/self/mounts actually also shows the truth. I don't know why 'mount' is lying.

As for it being ro, I do see this as a step down. If you look at /etc/apparmor.d/abstractions/lxc/container-base you see the lengths the policy went to to allow writes only to the sysctls which are safely namespaced (including /proc/sys/kernel/sem but not any other file/dir beginning with that name). Doing this with mounts would be too much. If you use proc:rw you'll be allowed to do the write, but if you're not using apparmor (and the default policy) then the host will be vulnerable to sysctl resets from the container.

-serge

Quoting Dan Kegel (d...@kegel.com):
> Alas, I just ran into this again on a 14.04 system
> with lxc 1.1.3-0ubuntu1~ubuntu14.04.1~ppa1
>
> # echo 250 65536 32 32768 > /proc/sys/kernel/sem
> bash: /proc/sys/kernel/sem: Read-only file system
> # mount | grep proc
> proc on /proc type proc (rw,noexec,nosuid,nodev)
> proc on /proc/sys/net type proc (rw,noexec,nosuid,nodev,relatime)
> proc on /proc/sys type proc (rw,noexec,nosuid,nodev,relatime)
> ...
>
> What's going on there?
>
> - Dan
>
>
> On Mon, Jun 9, 2014 at 3:56 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
> > On Mon, Jun 09, 2014 at 10:53:01PM +0000, Serge Hallyn wrote:
> >> Hi Stéphane,
> >>
> >> will commit 773bd28258371ad0058ff946c5cf94419920ffdd be in 1.0.4?
> >
> > Yes, it's currently in stable-1.0 and so will be included in 1.0.4.
> >
> >>
> >> -serge
> >>
> >> Quoting Dan Kegel (d...@kegel.com):
> >> > I guess this is in your daily ppa builds, but hasn't been released yet,
> >> > as I just updated my system from beta trusty to release,
> >> > and this bit me again. Will the fix be in ubuntu 14.04.1?
> >> >
> >> > On Tue, Apr 29, 2014 at 2:41 PM, Dan Kegel <d...@kegel.com> wrote:
> >> > > The patch you sent seems to let the container set kernel.sem,
> >> > > and my build is back to green, thanks.
> >> > >
> >> > > You should probably ignore the problem in the outer system for now -
> >> > > If I run into it again on a clean machine I'll post again.
> >> > > - Dan
> >> > >
> >> > >
> >> > > On Tue, Apr 29, 2014 at 2:20 PM, Serge Hallyn
> >> > > <serge.hal...@ubuntu.com> wrote:
> >> > >> Quoting Dan Kegel (d...@kegel.com):
> >> > >>> This may be a jinxed machine. I installed it from trusty beta 2. I
> >> > >>> should probably try again with the released version.
> >> > >>>
> >> > >>> Inside the container:
> >> > >>>
> >> > >>> /proc/self/attr/current says lxc-container-default (enforce)
> >> > >>> There's no line in syslog, and I don't have an audit/audit.log.
> >> > >>> strace shows
> >> > >>> open("/proc/sys/kernel/sem", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1
> >> > >>> EACCESS
> >> > >>
> >> > >> Those make sense,
> >> > >>
> >> > >>> apt-cache policy apparmor says it's not installed.
> >> > >>> Installing it says it won't start inside a container.
> >> > >>>
> >> > >>> And all this in spite of the container having apparmor off, and
> >> > >>> being able to
> >> > >>
> >> > >> Are you sure? In what way did you turn it off? Because it is
> >> > >> definitely on.
> >> > >>
> >> > >>> happily write to it there.
> >> > >>>
> >> > >>> I haven't been able to set that parameter in the container yet today
> >> > >>> :-(
> >> > >>>
> >> > >>> /var/log/upstart/procps.log in the container also shows
> >> > >>> sysctl: permission denied on key 'kernel.sem'
> >> > >>> (since I put that setting into /etc/sysctl.conf)
> >> > >>>
> >> > >>> And apparmor_status inside lxc fails with permission denied on
> >> > >>> /sys/kernel/security/apparmor/profiles
> >> > >>> (which doesn't seem too surprising, but what do I know...)
> >> > >>
> >> > >> Right, but in the last email you said that you also could not
> >> > >> set the sysctl from the host, not inside a container. That's
> >> > >> the one that worries me. Can you show the same things for a
> >> > >> root shell on the host?
> >> >> _______________________________________________
> >> >> lxc-users mailing list
> >> >> lxc-users@lists.linuxcontainers.org
> >> >> http://lists.linuxcontainers.org/listinfo/lxc-users
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
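The reply at the top of this thread says to trust /proc/self/mountinfo rather than the output of `mount`. The following is an added example, not code from the thread or from LXC: it parses the mountinfo format and reports the per-mount flags (field 6) that the kernel actually applies to a given path, using longest-prefix matching so that a read-only /proc/sys bind mount is found for /proc/sys/kernel/sem while the rw /proc/sys/net mount is found for net sysctls. The sample mountinfo lines are constructed for illustration (an assumption about what a container with /proc/sys mounted ro might show), not captured from a real system; real output varies.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread or the LXC project).
# /proc/self/mountinfo line layout, space separated:
#   1 mount id, 2 parent id, 3 major:minor, 4 root, 5 mount point,
#   6 per-mount options, 7.. optional fields, "-", fstype, source, super options
# Field 6 holds the flags enforced for that mount point; this is what a
# "Read-only file system" error on write is reporting.

# Constructed sample (assumption, not real output): /proc is rw, /proc/sys is
# mounted ro on top of it, and /proc/sys/net is rw again because network
# sysctls are namespaced.
SAMPLE_MOUNTINFO='40 39 0:37 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
41 40 0:37 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
42 41 0:37 /sys/net /proc/sys/net rw,nosuid,nodev,noexec,relatime - proc proc rw'

# mountinfo_flags PATH
# Reads mountinfo lines on stdin and prints the per-mount options of the
# deepest mount point covering PATH (longest-prefix match). Prints nothing
# if no mount covers PATH.
mountinfo_flags() {
    awk -v p="$1" '
    {
        mp = $5; opts = $6
        gsub(/\\040/, " ", mp)          # mountinfo escapes spaces as \040
        if (mp == p || mp == "/" || index(p, mp "/") == 1) {
            if (length(mp) > best_len) { best_len = length(mp); best = opts }
        }
    }
    END { if (best != "") print best }'
}

# mount_is_writable PATH
# Exit status 0 if the mount covering PATH is rw, 1 if it carries the ro
# flag or no mount covers PATH. Mountinfo lines are read on stdin.
mount_is_writable() {
    flags=$(mountinfo_flags "$1")
    [ -n "$flags" ] || return 1
    case ",$flags," in
        *,ro,*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Demo over the constructed sample. Inside a real container, replace the
# printf with:  mountinfo_flags /proc/sys/kernel/sem < /proc/self/mountinfo
for path in /proc/sys/kernel/sem /proc/sys/net/ipv4/ip_forward; do
    flags=$(printf '%s\n' "$SAMPLE_MOUNTINFO" | mountinfo_flags "$path")
    printf '%s -> %s\n' "$path" "$flags"
done
```

Because it reads only the kernel-provided mountinfo and ignores whatever `mount` prints, this check gives the same answer the write itself will get. Note that it only explains the EROFS case from the thread; the earlier EACCES symptom is an AppArmor denial, which no mount flag will reveal.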