
Re: jessie and unprivileged lxc containers



On 05/03/2015 08:43 AM, Johannes Graumann wrote:
> I'm playing with unprivileged lxc containers according to 
> http://tinyurl.com/kvzxlvj on jessie. In order to lxc-create as a non-root 
> user I have to do
> 
> PROMPT> echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
> PROMPT> echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> 
> How can I make those setting persistent such that they are automatically 
> (re)set upon reboot?

The second one is trivial: create a file /etc/sysctl.d/10-unpriv-lxc
with the following contents:

kernel.unprivileged_userns_clone = 1

Then on boot this setting will be automatically applied.

If you want to activate clone_children for the cgroup automatically at
boot, you kind-of need to do that manually. I'm going to assume you're
using systemd as init system on the host (because it's the default and
you didn't mention anything else [1]). The easiest way is to simply
create a file /etc/systemd/system/setup-clone-children.service:

[Unit]
Description=Setup cpuset cgroup clone_children for LXC
DefaultDependencies=no
Conflicts=shutdown.target
Before=sysinit.target shutdown.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c "echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children"
StandardOutput=null
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target

(the ExecStart= is one line, my mail client just likes to wrap)

Then you can just do

systemctl enable setup-clone-children.service

and the next time you reboot, the setting will be applied.

Hope that helps.

Christian

[1] If you're using another init system, you have to first tell us how
you mount the cgroup hierarchies before we can tell you how you can best
adjust that setting automatically.
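A post-reboot check for the two settings discussed above, added here as an example script that is not part of Christian's mail or of LXC. It takes the three paths as arguments (on a real host: /proc/sys/kernel/unprivileged_userns_clone, /sys/fs/cgroup/cpuset/cgroup.clone_children and the sysctl.d fragment) so it can also be run offline against a constructed tree, and it assumes the fragment is named with a .conf suffix, which is the pattern systemd-sysctl and `sysctl --system` read from /etc/sysctl.d. Enabling kernel.unprivileged_userns_clone deliberately widens what unprivileged users can ask the kernel to do, so confirming that both the live value and the persisted value match what you intended is worth doing each time the host comes back up.

```shell
#!/bin/sh
# Added post-reboot check (not from the original mail): confirms the two
# knobs the mail sets are live and that a sysctl.d fragment pins
# kernel.unprivileged_userns_clone for the next boot. All paths are
# parameters so the functions can be exercised against a constructed tree.

# 0 if file $1 is readable and its content, whitespace stripped, is "1".
knob_is_one() {
    [ -r "$1" ] || return 1
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Print the last value assigned to key $2 in sysctl fragment $1; return 1 if
# the key is absent. Accepts "k=v" and "k = v", strips # and ; comments.
sysctl_conf_value() {
    [ -r "$1" ] || return 1
    awk -v key="$2" '
        { sub(/[#;].*/, "") }                 # drop trailing comments
        index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { last = v; seen = 1 }   # last assignment wins
        }
        END { if (seen) { print last; exit 0 } exit 1 }' "$1"
}

# Report each item; return 0 only if all three are as expected.
check_unpriv_lxc() {
    userns="$1"; clone="$2"; conf="$3"; rc=0
    if knob_is_one "$userns"; then
        echo "ok   $userns = 1 (unprivileged user namespaces enabled)"
    else
        echo "FAIL $userns is not 1: non-root lxc-create will not work"; rc=1
    fi
    if knob_is_one "$clone"; then
        echo "ok   $clone = 1"
    else
        echo "FAIL $clone is not 1: child cpusets will not inherit cpus/mems"; rc=1
    fi
    v=$(sysctl_conf_value "$conf" kernel.unprivileged_userns_clone) || v="(unset)"
    if [ "$v" = "1" ]; then
        echo "ok   $conf pins kernel.unprivileged_userns_clone = 1"
    else
        echo "FAIL $conf has kernel.unprivileged_userns_clone = $v; will not survive reboot"; rc=1
    fi
    return $rc
}

# Constructed sample tree (not a real host) so the script can run offline.
make_demo_tree() {
    d=$(mktemp -d)
    printf '1\n' > "$d/userns"
    printf '1\n' > "$d/clone"
    printf '# constructed sample fragment\nkernel.unprivileged_userns_clone = 1\n' \
        > "$d/10-unpriv-lxc.conf"
    printf '%s\n' "$d"
}

# With three arguments, check those paths; otherwise run against the demo tree.
if [ $# -eq 3 ]; then
    check_unpriv_lxc "$1" "$2" "$3"
else
    d=$(make_demo_tree)
    check_unpriv_lxc "$d/userns" "$d/clone" "$d/10-unpriv-lxc.conf"
    rm -rf "$d"
fi
```

On a jessie host the call is `sh check.sh /proc/sys/kernel/unprivileged_userns_clone /sys/fs/cgroup/cpuset/cgroup.clone_children /etc/sysctl.d/10-unpriv-lxc.conf`; a non-zero exit means at least one of the two knobs is not live or is not persisted.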

