List: debian-user
Subject: Re: jessie and unprivileged lxc containers
From: Johannes Graumann <johannes_graumann () web ! de>
Date: 2015-05-03 12:54:12
Message-ID: mi55pi$v6u$1 () ger ! gmane ! org
Christian Seiler wrote:
> On 05/03/2015 08:43 AM, Johannes Graumann wrote:
>> I'm playing with unprivileged lxc containers according to
>> http://tinyurl.com/kvzxlvj on jessie. In order to lxc-create as a
>> non-root user I have to do
>>
>> PROMPT> echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
>> PROMPT> echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>>
>> How can I make those setting persistent such that they are automatically
>> (re)set upon reboot?
>
> The second one is trivial: create a file /etc/sysctl.d/10-unpriv-lxc
> with the following contents:
>
> kernel.unprivileged_userns_clone = 1
>
> Then on boot this setting will be automatically applied.
>
> If you want to activate clone_children for the cgroup automatically at
> boot, you kind-of need to do that manually. I'm going to assume you're
> using systemd as init system on the host (because it's the default and
> you didn't mention anything else [1]). The easiest way is to simply
> create a file /etc/systemd/system/setup-clone-children.service:
>
> [Unit]
> Description=Setup cpuset cgroup clone_children for LXC
> DefaultDependencies=no
> Conflicts=shutdown.target
> Before=sysinit.target shutdown.target
>
> [Service]
> Type=oneshot
> ExecStart=/bin/sh -c "echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children"
> StandardOutput=null
> RemainAfterExit=yes
>
> [Install]
> WantedBy=sysinit.target
>
> (the ExecStart= is one line, my mail client just likes to wrap)
>
> Then you can just do
>
> systemctl enable setup-clone-children.service
>
> and the next time you reboot, the setting will be applied.
>
> Hope that helps.
Many thanks. Implemented and awaiting testing.
Joh
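Because kernel.unprivileged_userns_clone=1 widens the kernel attack surface exposed to unprivileged users, an administrator auditing such a host wants to know the value a reboot will actually apply and which drop-in sets it. The script below is an added example, not from this thread: it resolves sysctl.d drop-ins following the rules documented in sysctl.d(5) (only files ending in .conf are read, a file in /etc masks a same-named file in /run or /usr/lib, and all remaining files apply in lexical order, so 99-hardening.conf overrides 10-unpriv-lxc.conf) and also lists files that would be silently ignored for lacking the .conf suffix. The function names and the SYSCTL_DIRS tuple are my own; pass a different tuple of directories to audit a copied or staged configuration tree.

```python
"""Audit which sysctl.d drop-in persistently sets kernel.unprivileged_userns_clone.

Added example (not from the mailing-list thread); precedence rules follow sysctl.d(5).
"""
import os
import re
from pathlib import Path

# Directory precedence used by systemd-sysctl: a file in an earlier directory
# masks a file with the same name in a later one. (Assumed default locations.)
SYSCTL_DIRS = ("/etc/sysctl.d", "/run/sysctl.d", "/usr/lib/sysctl.d")
# "key = value" or "key=value"; a leading "-" means "ignore errors" and is dropped.
LINE_RE = re.compile(r"^\s*-?\s*([A-Za-z0-9_./]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_file(path):
    """Return {key: value} for one sysctl.d file; comments and blank lines are skipped."""
    settings = {}
    for line in Path(path).read_text().splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).replace("/", ".")] = m.group(2)  # kernel/foo == kernel.foo
    return settings


def effective_settings(dirs=SYSCTL_DIRS):
    """Return (settings, ignored): settings maps key -> (value, source file) after
    masking and lexical ordering; ignored lists files skipped for lacking '.conf'."""
    chosen, ignored = {}, []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if not os.path.isfile(full):
                continue
            if not name.endswith(".conf"):
                ignored.append(full)  # systemd-sysctl never reads this file
                continue
            chosen.setdefault(name, full)  # earlier directory wins for a given basename
    result = {}
    for name in sorted(chosen):  # lexical order across all directories; later overrides
        for key, value in parse_sysctl_file(chosen[name]).items():
            result[key] = (value, chosen[name])
    return result, ignored


def audit_userns_clone(dirs=SYSCTL_DIRS, key="kernel.unprivileged_userns_clone"):
    """Report whether `key` will be 1 after boot, which file decides it, and ignored files."""
    settings, ignored = effective_settings(dirs)
    value, source = settings.get(key, (None, None))
    return {"persistent": value == "1", "value": value, "source": source, "ignored": ignored}


if __name__ == "__main__":
    print(audit_userns_clone())
```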
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/mi55pi$v6u$1@ger.gmane.org