Hallo Daniel, sorry, did anything change about this problem
in these two years? Or is --ipc host still the only option? :-(
Best regards,
On 21.05.2021 16:11, Daniel Walsh wrote:
On 5/20/21 16:39, Michael Ivanov wrote:
> Yes!!!
>
> --ipc host did it thanks a lot!
> Option with nsenter looks more preferable to me, but as I understand
> I need first to start the container up, then run nsenter at host to
> change the mqueue settings and then somehow signal the container that
> it can proceed with actual application. Is it possible to run nsenter
> during image build with buildah - I guess not?
>
> Best regards and thanks again!
I have opened an internal discussion on this with the User Namespace
maintainer of the kernel. We will see if anything comes of it.
>
> On 20.05.2021 23:10, Giuseppe Scrivano wrote:
>> /proc/sys/fs/mqueue/msg_max is IPC namespaced but it is always owned by
>> root in the initial user namespace. A rootless container doesn't have
>> enough privileges to write to it.
>>
>> You can verify it with:
>>
>> $ podman run --rm fedora stat /proc/sys/fs/mqueue/msg_max
>> File: /proc/sys/fs/mqueue/msg_max
>> Size: 0 Blocks: 0 IO Block: 1024 regular empty file
>> Device: 7bh/123d Inode: 3634162 Links: 1
>> Access: (0644/-rw-r--r--) Uid: (65534/ nobody) Gid: (65534/ nobody)
>>
>> So given the current limitation in the kernel, you have two possible
>> choices to workaround it:
>>
>> 1) run with --ipc host
>> 2) get some help from root in the host:
>>
>> $ sudo nsenter -i -t $CONTAINER_PID sh -c 'echo $NEW_MSG_MAX > /proc/sys/fs/mqueue/msg_max'
>>
>> Giuseppe
>>
>>
>> Michael Ivanov <ivans(a)isle.spb.ru> writes:
>>
>>> Yes it is 256:
>>>
>>> island:backend [master]> cat /proc/sys/fs/mqueue/msg_max
>>> 256
>>>
>>> On 20.05.2021 21:00, Daniel Walsh wrote:
>>>
>>> On 5/20/21 08:29, Michael Ivanov wrote:
>>>
>>> Hallo!
>>>
>>> I'm trying to run my application in podman rootless container and I stumble
>>> on following problem: my program needs /proc/sys/fs/mqueue/msg_max to be at
>>> least 256, but in running container this value is just 10. When I try to
>>> specify this parameter while running the image (--sysctl 'fs.mqueue.msg_max=256')
>>> I get the following error:
>>>
>>> Error: open /proc/sys/fs/mqueue/msg_max: Permission denied: OCI permission denied
>>>
>>> and container is not created.
>>>
>>> My host where container is being run has this parameter set to 256. How can I
>>> expose current host setting for msg_max to my container?
>>>
>>> Best regards,
>>>
>>> When you login to your user account is it set to 256?
>>>
>>> $ cat /proc/sys/fs/mqueue/msg_max
>>> 10
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
>
> --
> \ / | |
> (OvO) | Михаил Иванов |
> (^^^) | Tel.: +7(911) 223-1300 |
> \^/ | E-mail:ivans@isle.spb.ru |
> ^ ^ | |
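
The nsenter sequence discussed in this thread (start the container, have root on the host raise msg_max inside the container's IPC namespace, then let the application proceed) can be gated from inside the container by an entrypoint wrapper. The script below is an added example, not code from any poster or from Podman; the variables MSG_MAX_FILE, REQUIRED_MSG_MAX and MSG_MAX_TIMEOUT and the use of the script as an entrypoint are assumptions of this example.

```shell
#!/bin/sh
# Added example: entrypoint gate for the nsenter workaround.
# Assumed (not from the thread): the three environment variables below.
MSG_MAX_FILE=${MSG_MAX_FILE:-/proc/sys/fs/mqueue/msg_max}

# read_msg_max FILE: print the current limit; fail if the file is
# unreadable or does not hold a plain non-negative integer.
read_msg_max() {
    value=$(cat "$1" 2>/dev/null) || return 1
    case $value in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# wait_for_msg_max FILE REQUIRED TIMEOUT_SECONDS
# Poll once per second. Return 0 as soon as FILE holds a value >= REQUIRED,
# 1 if TIMEOUT_SECONDS pass first. The container only reads the file, so
# this works even though a rootless container cannot write it.
wait_for_msg_max() {
    file=$1 required=$2 remaining=$3
    while :; do
        if current=$(read_msg_max "$file") && [ "$current" -ge "$required" ]; then
            return 0
        fi
        [ "$remaining" -gt 0 ] || return 1
        sleep 1
        remaining=$((remaining - 1))
    done
}

# Entrypoint use: gate.sh my-app arg1 arg2 ...
# The application is exec'd only after root on the host has raised the
# limit in this container's IPC namespace; otherwise fail closed.
if [ "$#" -gt 0 ]; then
    if wait_for_msg_max "$MSG_MAX_FILE" "${REQUIRED_MSG_MAX:-256}" "${MSG_MAX_TIMEOUT:-30}"; then
        exec "$@"
    fi
    echo "msg_max is still below ${REQUIRED_MSG_MAX:-256}, not starting" >&2
    exit 1
fi
```

The host-side half stays the root nsenter command quoted above, run against the container's PID while the wrapper is polling.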