** Description changed:

  [Impact]
  
- * Allow setting lower pid_max on per namespace basis, to support legacy
+ * Allow setting lower pid_max on per namespace basis, to support legacy
  workloads on modern hosts.
  
- * Cherrypick patches from
+ * Cherrypick patches from
  https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/
  
  [Test Plan]
  
- * Launch lxd container and lower pid_max in the container by doing echo
- 65536 > /path/to/proc/in/c0/mnt/namespace/proc/sys/kernel/pid_max from
- outside of the container
+ Setup:
  
- * Observe that pid_max is lowered inside the container relative the
- host
+ cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
+ #!/bin/sh
+ echo 65536 > "\${LXC_ROOTFS_MOUNT}"/proc/sys/kernel/pid_max
+ EOF
+ 
+ sudo chmod +x /var/snap/lxd/common/set-pid-max
+ 
+ echo "lxc.hook.mount=\$SNAP_COMMON/set-pid-max" | sudo tee
+ /var/snap/lxd/common/set-pid-max.config
+ 
+ lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy
+ 
+ lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy small-pid-container
+ 
+ == Test Results ==
+ Large value on the host:
+ 
+ sudo sysctl -a | grep pid_max
+ kernel.pid_max = 4194304
+ 
+ Small value in the container:
+ lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
+ Expected value: kernel.pid_max = 65536
  
  [Where problems could occur]
  
- * These are out-of-the-tree sauce patches not yet applied upstream,
+ * These are out-of-the-tree sauce patches not yet applied upstream,
  there appear to be permissions issues inside user namespaces of being
  able to self-lower the limit without being cap_sysadmin in the parent
  namespace. Implementation upstream may change, with different
  permissions and semantics. By default, currently pid_max is very large,
  and thus it shouldn't be needed to lower that at all on the host.
** Description changed:

  [Impact]
  
  * Allow setting lower pid_max on per namespace basis, to support legacy
  workloads on modern hosts.
  
  * Cherrypick patches from
  https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/
  
  [Test Plan]
  
  Setup:
  
- cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
+ cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
  #!/bin/sh
  echo 65536 > "\${LXC_ROOTFS_MOUNT}"/proc/sys/kernel/pid_max
  EOF
  
  sudo chmod +x /var/snap/lxd/common/set-pid-max
  
  echo "lxc.hook.mount=\$SNAP_COMMON/set-pid-max" | sudo tee
  /var/snap/lxd/common/set-pid-max.config
- 
- lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy
  
  lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy small-pid-container
  
  == Test Results ==
  Large value on the host:
  
  sudo sysctl -a | grep pid_max
  kernel.pid_max = 4194304
  
  Small value in the container:
  lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
  Expected value: kernel.pid_max = 65536
- 
  [Where problems could occur]
  
  * These are out-of-the-tree sauce patches not yet applied upstream,
  there appear to be permissions issues inside user namespaces of being
  able to self-lower the limit without being cap_sysadmin in the parent
  namespace. Implementation upstream may change, with different
  permissions and semantics. By default, currently pid_max is very large,
  and thus it shouldn't be needed to lower that at all on the host.

** Description changed:

  [Impact]
  
  * Allow setting lower pid_max on per namespace basis, to support legacy
  workloads on modern hosts.
  
  * Cherrypick patches from
  https://gitlab.com/brauner/linux/-/commits/pid_max_namespacing/
  
  [Test Plan]
  
  Setup:
  
  cat <<EOF | sudo tee /var/snap/lxd/common/set-pid-max
  #!/bin/sh
  echo 65536 > "\${LXC_ROOTFS_MOUNT}"/proc/sys/kernel/pid_max
  EOF
  
  sudo chmod +x /var/snap/lxd/common/set-pid-max
  
  echo "lxc.hook.mount=\$SNAP_COMMON/set-pid-max" | sudo tee
  /var/snap/lxd/common/set-pid-max.config
  
  lxc launch -c raw.lxc="lxc.include = /var/snap/lxd/common/set-pid-max.config" ubuntu-daily:jammy small-pid-container
  
  == Test Results ==
  Large value on the host:
  
  sudo sysctl -a | grep pid_max
  kernel.pid_max = 4194304
  
  Small value in the container:
  lxc exec small-pid-container -- sysctl -a 2>/dev/null | grep pid_max
- Expected value: kernel.pid_max = 65536
+ kernel.pid_max = 65536
  
  [Where problems could occur]
  
  * These are out-of-the-tree sauce patches not yet applied upstream,
  there appear to be permissions issues inside user namespaces of being
  able to self-lower the limit without being cap_sysadmin in the parent
  namespace. Implementation upstream may change, with different
  permissions and semantics. By default, currently pid_max is very large,
  and thus it shouldn't be needed to lower that at all on the host.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968886

Title:
  Provide pid_max namespace support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1968886/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
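The test plan above only checks that sysctl reports a smaller number inside the container. The added example below (written for this page; it is not part of the bug report, of LXD, or of the cherry-picked kernel patches) shows what that number means to the "legacy workloads" the Impact section mentions: a program that reads pid_max as the current PID namespace sees it and checks whether every PID that namespace can allocate fits the fixed-width fields older code tends to assume. The two field widths tested (a five-digit text field and a signed 16-bit integer, matching the historical pid_max of 32768) are assumptions chosen for illustration, not requirements of any particular workload. Per proc(5), pid_max is an exclusive bound: PIDs wrap before reaching it, so the largest PID is pid_max - 1.

```c
/* Added example, not code from the bug report or the kernel patches.
 * Reads /proc/sys/kernel/pid_max in the current PID namespace and
 * checks it against PID-width assumptions typical of legacy programs.
 * The widths (5 digits, int16) are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Parse the text of /proc/sys/kernel/pid_max, e.g. "4194304\n".
 * Returns -1 if the text is not a single positive integer. */
long parse_pid_max(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v <= 0)
        return -1;
    /* Only trailing whitespace may follow the number. */
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    return *end == '\0' ? v : -1;
}

/* pid_max is exclusive (proc(5)): the largest PID is pid_max - 1. */
long largest_pid(long pid_max)
{
    return pid_max - 1;
}

/* Number of decimal digits needed to print a PID. */
int pid_digits(long pid)
{
    int n = 1;
    while (pid >= 10) {
        pid /= 10;
        n++;
    }
    return n;
}

/* 1 if every PID below pid_max fits a text field of 'width' digits
 * (e.g. a legacy char buf[6] sized for "32767" + NUL), else 0. */
int pid_max_fits_width(long pid_max, int width)
{
    return pid_digits(largest_pid(pid_max)) <= width;
}

/* 1 if every PID below pid_max fits a signed 16-bit integer, else 0.
 * This is exactly the historical pid_max of 32768. */
int pid_max_fits_int16(long pid_max)
{
    return largest_pid(pid_max) <= 32767;
}

/* Read and parse pid_max from 'path' (normally /proc/sys/kernel/pid_max,
 * so the value is the one visible in the caller's PID namespace).
 * Returns -1 on I/O or parse failure. */
long read_pid_max(const char *path)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_pid_max(buf);
}

int main(void)
{
    long pm = read_pid_max("/proc/sys/kernel/pid_max");
    if (pm < 0) {
        perror("pid_max");
        return 1;
    }
    printf("pid_max in this namespace: %ld (largest PID %ld)\n",
           pm, largest_pid(pm));
    printf("fits 5-digit text field: %s\n",
           pid_max_fits_width(pm, 5) ? "yes" : "no");
    printf("fits signed 16-bit PID:  %s\n",
           pid_max_fits_int16(pm) ? "yes" : "no");
    return 0;
}
```

Build it once, then run the same binary on the host and via `lxc exec small-pid-container -- ./pidcheck`: with the host value from the test plan (4194304) the five-digit check fails, with the container value (65536) it passes, and neither satisfies the int16 check, which is the point at which a workload written for the 32768 default would need pid_max lowered further still.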