Re: jessie and unprivileged lxc containers
Christian Seiler wrote:
> On 05/03/2015 08:43 AM, Johannes Graumann wrote:
>> I'm playing with unprivileged lxc containers according to
>> http://tinyurl.com/kvzxlvj on jessie. In order to lxc-create as a
>> non-root user I have to do
>> 
>> PROMPT> echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
>> PROMPT> echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>> 
>> How can I make those setting persistent such that they are automatically
>> (re)set upon reboot?
> 
> The second one is trivial: create a file /etc/sysctl.d/10-unpriv-lxc
> with the following contents:
> 
> kernel.unprivileged_userns_clone = 1
> 
> Then on boot this setting will be automatically applied.
> 
> If you want to activate clone_children for the cgroup automatically at
> boot, you kind-of need to do that manually. I'm going to assume you're
> using systemd as init system on the host (because it's the default and
> you didn't mention anything else [1]). The easiest way is to simply
> create a file /etc/systemd/system/setup-clone-children.service:
> 
> [Unit]
> Description=Setup cpuset cgroup clone_children for LXC
> DefaultDependencies=no
> Conflicts=shutdown.target
> Before=sysinit.target shutdown.target
> 
> [Service]
> Type=oneshot
> ExecStart=/bin/sh -c "echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children"
> StandardOutput=null
> RemainAfterExit=yes
> 
> [Install]
> WantedBy=sysinit.target
> 
> (the ExecStart= is one line, my mail client just likes to wrap)
> 
> Then you can just do
> 
> systemctl enable setup-clone-children.service
> 
> and the next time you reboot, the setting will be applied.
> 
> Hope that helps.
Many thanks. Implemented and awaiting testing.
Joh
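A small verification script, added here and not part of the original exchange, for confirming after a reboot that both settings from the thread are really in effect. Enabling unprivileged user namespaces widens the kernel surface reachable by ordinary users, so it is worth knowing the host's actual state rather than trusting that the unit and the drop-in ran. The script reads the two runtime files and also inspects the persistent sysctl drop-in; it insists on the `.conf` suffix because sysctl.d(5) only loads files named `*.conf`, so the drop-in path it assumes is `/etc/sysctl.d/10-unpriv-lxc.conf` (the thread's name with that suffix). All paths can be overridden through the environment, which is how the checks can be exercised against constructed files.

```sh
#!/bin/sh
# Added example (not from the original mail): verify that the two settings
# discussed in the thread are in effect and that the persistent sysctl
# drop-in will be picked up. Paths default to the real ones; override them
# through the environment to test against constructed files.

USERNS_FILE="${USERNS_FILE:-/proc/sys/kernel/unprivileged_userns_clone}"
CLONE_CHILDREN_FILE="${CLONE_CHILDREN_FILE:-/sys/fs/cgroup/cpuset/cgroup.clone_children}"
# Assumed drop-in name: the thread's file name plus the .conf suffix sysctl.d(5) requires.
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/10-unpriv-lxc.conf}"

# read_flag FILE: print the file's contents with whitespace stripped,
# or "missing" when the file is absent or unreadable.
read_flag() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

# check_flag LABEL FILE: succeed only when the file holds exactly "1".
check_flag() {
    _value=$(read_flag "$2")
    if [ "$_value" = "1" ]; then
        printf '%s: ok\n' "$1"
        return 0
    fi
    printf '%s: not set (value=%s, file=%s)\n' "$1" "$_value" "$2" >&2
    return 1
}

# check_sysctl_dropin FILE: succeed when the drop-in carries the .conf suffix
# that sysctl.d(5) requires and contains "kernel.unprivileged_userns_clone = 1"
# (whitespace around '=' is tolerated, a trailing comment is not).
check_sysctl_dropin() {
    case "$1" in
        *.conf) ;;
        *) printf 'sysctl drop-in %s lacks .conf suffix; sysctl.d ignores it\n' "$1" >&2
           return 1 ;;
    esac
    if grep -Eq '^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null; then
        printf 'sysctl drop-in: ok\n'
        return 0
    fi
    printf 'sysctl drop-in %s does not set kernel.unprivileged_userns_clone = 1\n' "$1" >&2
    return 1
}

# check_all: run every check; fail if any single check fails.
check_all() {
    _rc=0
    check_flag "kernel.unprivileged_userns_clone" "$USERNS_FILE" || _rc=1
    check_flag "cpuset cgroup.clone_children" "$CLONE_CHILDREN_FILE" || _rc=1
    check_sysctl_dropin "$SYSCTL_DROPIN" || _rc=1
    return $_rc
}

# Run the checks when invoked as: sh check-unpriv-lxc.sh --check
if [ "${1:-}" = "--check" ]; then
    check_all
    exit $?
fi
```

Run it as `sh check-unpriv-lxc.sh --check` after the reboot; a non-zero exit status names the setting that did not survive, which distinguishes a unit that never ran from a drop-in that sysctl.d silently skipped.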