Stefan Hartmann
Jul 1, 2021, 11:10:06 PM
to lxc-...@lists.linuxcontainers.org
Hi,
I observed a changed behaviour in LXC and have no clue where to go further.
# System 1; LXC 4.0.5, uname Linux LESPLUS 5.4.111-0-lts #1-Alpine SMP Mon, 12 Apr 2021 16:11:34 UTC x86_64 Linux
I am running Alpine Linux 3.12.7 physically on an x86_64 with
lxc-4.0.5-r0 as a virtualization host.
In containers running on 4.0.5 I can adjust e.g. root@BEOWULF:/# sysctl -w net.ipv4.conf.eth0.log_martians=1.
4.0.5: root@BEOWULF:/# mount
...
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime) <--<<
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
...
HOST with 4.0.5: lxc-info -n BEOWULF -c lxc.mount.auto
lxc.mount.auto = proc:mixed sys:rw cgroup:mixed
(same as in 4.0.6)
# System 2; LXC 4.0.6, uname Linux LESPLUS2 5.10.39-0-lts #1-Alpine SMP Sun, 30 May 2021 18:17:12 UTC x86_64 Linux
I set up a second, newer system on similar hardware with Alpine 3.13.5 and lxc-4.0.6-r2.
On this system, if I try e.g. root@BEOWULF:/# sysctl -w net.ipv4.conf.eth0.log_martians=1, I get:
sysctl: setting key "net.ipv4.conf.eth0.log_martians": Read-only file system
4.0.6: root@BEOWULF:/# mount
...
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
...
HOST with 4.0.6: lxc-info -n BEOWULF -c lxc.mount.auto
lxc.mount.auto = proc:mixed sys:rw cgroup:mixed
The system config on both hosts is the same, also the container config.
A diff on /usr/share/lxc/config/* between the two hosts shows no difference.
I want to modify some network settings, e.g. run nftables, on the new 4.0.6 system as is possible on 4.0.5 (I am running unprivileged containers).
Can someone point me in the right direction?
I assume some defaults in LXC changed?
Or is this a kernel behaviour change?
Where can I find a changelog explaining this? git?
Can I adjust to the old behaviour with lxc.mount.auto=???
Are there security concerns?
Also on the 4.0.6 lxc there are many cgroup mounts inside the container.
Is this necessary / does it make sense when I am not using nested containers?
Can I disable this?
--
Thanks
Stefan Hartmann
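An added shell example, not part of the original post, that reproduces the diagnosis behind the two mount listings above: it resolves which mount governs a sysctl's /proc/sys path by longest component-wise prefix and reports whether that mount is ro or rw. The two listings are constructed copies of the excerpts in the post; the field layout assumed is the `src on mountpoint type fstype (opts)` format printed by util-linux and BusyBox `mount`.

```shell
#!/bin/sh
# Added example, not from the original post: find the mount that governs a
# sysctl's /proc/sys path and whether it is read-only. On 4.0.5 an rw proc
# mount on /proc/sys/net overrides the ro /proc/sys; on 4.0.6 it is absent.

# Constructed copies of the two `mount` excerpts from the post.
MOUNTS_405='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)'

MOUNTS_406='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)'

# governing_mount LISTING PATH -> prints "MOUNTPOINT ro|rw". The longest
# component-wise prefix wins: /proc/sys does not capture /proc/sysrq-trigger.
governing_mount() {
    printf '%s\n' "$1" | awk -v path="$2" '
        {
            mp = $3
            prefix = (mp == "/") ? "/" : (mp "/")
            if ((mp == path || index(path, prefix) == 1) &&
                length(mp) > length(best)) { best = mp; opts = $6 }
        }
        END {
            if (best == "") { print "none"; exit 1 }
            flag = substr(opts, 2)      # drop the leading "("
            sub(/[,)].*/, "", flag)     # keep only the first option: ro or rw
            print best, flag
        }'
}

# sysctl_path KEY -> file sysctl(8) writes to. A key containing "/" is taken
# as a path (dots in names like eth0.100 survive); otherwise dots become "/".
sysctl_path() {
    case $1 in
        */*) printf '/proc/sys/%s\n' "$1" ;;
        *)   printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)" ;;
    esac
}

# sysctl_writable LISTING KEY -> exit 0 if KEY is on an rw mount, 1 if not.
sysctl_writable() {
    result=$(governing_mount "$1" "$(sysctl_path "$2")") || return 1
    echo "$2 -> $result"
    case $result in *" rw") return 0 ;; *) return 1 ;; esac
}
sysctl_writable "$MOUNTS_406" net.ipv4.conf.eth0.log_martians || true
```

Inside a running container the constructed listing can be swapped for the live table: `governing_mount "$(mount)" "$(sysctl_path net.ipv4.conf.eth0.log_martians)"`.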