How can I change the confinement without reinstalling?

I recently installed snap lxd on one of my servers. Initially it worked fine. Now I need to install gitlab-ce in an lxd container, which requires sysctl access. But the snap documentation says I can only change the confinement option at install time. Is there a way to change the confinement without reinstalling, since other containers are already running production websites?

Update.

It turns out the problem has nothing to do with snap confinement. The same "Read-only file system" error also occurs with apt lxd.

Versions tried

ubuntu 20.04 with snap lxd 4.0.4, gitlab-ce 13.8
ubuntu 16.04 with apt lxd 3.0.3, gitlab-ce 13.8

Both containers have security.privileged=true; if I use security.privileged=false I get worse error logs.

Also tried the sysctl configuration recommended by gitlab on the host.

kernel.sem = 250 32000 32 262
kernel.shmall = 4194304
kernel.shmmax = 17179869184
net.core.somaxconn = 1024

Error log:

There was an error running gitlab-ctl reconfigure:

Multiple failures occurred:
* Mixlib::ShellOut::ShellCommandFailed occurred in Chef Infra Client run: gitlab_sysctl[kernel.sem] (postgresql::enable line 71) had an error: Mixlib::ShellOut::ShellCommandFailed: execute[load sysctl conf kernel.sem] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/resources/gitlab_sysctl.rb line 48) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '255'
---- Begin output of sysctl -e -p /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf ----
STDOUT: 
STDERR: sysctl: setting key "kernel.sem": Read-only file system
---- End output of sysctl -e -p /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf ----
Ran sysctl -e -p /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf returned 255
* Mixlib::ShellOut::ShellCommandFailed occurred in delayed notification: execute[reload all sysctl conf] (package::sysctl line 18) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '255'
---- Begin output of sysctl -e --system ----
STDOUT: * Applying /etc/sysctl.d/10-console-messages.conf ...
* Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
* Applying /etc/sysctl.d/10-kernel-hardening.conf ...
* Applying /etc/sysctl.d/10-link-restrictions.conf ...
* Applying /etc/sysctl.d/10-magic-sysrq.conf ...
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/10-ptrace.conf ...
* Applying /etc/sysctl.d/10-zeropage.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.ping_group_range = 0 2147483647
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
* Applying /etc/sysctl.d/90-omnibus-gitlab-kernel.sem.conf ...
* Applying /etc/sysctl.d/90-omnibus-gitlab-kernel.shmall.conf ...
* Applying /etc/sysctl.d/90-omnibus-gitlab-kernel.shmmax.conf ...
* Applying /etc/sysctl.d/99-cloudimg-ipv6.conf ...
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /usr/lib/sysctl.d/protect-links.conf ...
* Applying /etc/sysctl.conf ...
STDERR: sysctl: setting key "kernel.printk": Read-only file system
sysctl: setting key "kernel.kptr_restrict": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
sysctl: setting key "kernel.sysrq": Read-only file system
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Read-only file system
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
sysctl: setting key "fs.protected_regular": Read-only file system
sysctl: setting key "fs.protected_fifos": Read-only file system
sysctl: setting key "kernel.pid_max": Read-only file system
sysctl: setting key "kernel.sem": Read-only file system
sysctl: setting key "kernel.shmall": Read-only file system
sysctl: setting key "kernel.shmmax": Read-only file system
sysctl: setting key "fs.protected_fifos": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_regular": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
---- End output of sysctl -e --system ----
Ran sysctl -e --system returned 255

Answer 1

While you can't change kernel parameters from inside the container, you can set these values on the host, and they will be visible in the container. It is then up to the gitlab installer: if it finds they already have the correct values, it won't try to set them.
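The check this answer relies on, as an added example that is not part of the original question or answers: from inside the container, read the live values straight out of /proc/sys (reading still works where writing fails with "Read-only file system") and compare them with the list GitLab recommends, so you know before running gitlab-ctl reconfigure whether the host already provides them. The PROC_SYS override is an assumption introduced here so the script can be run against a constructed directory tree instead of the real /proc/sys.

```shell
#!/bin/sh
# Added example (not from the original question or answers): verify from inside
# an LXD container that the host kernel already exposes the sysctl values
# GitLab wants, so the installer finds them "already correct" and skips sysctl -w.

# The values GitLab recommends, copied from the host sysctl list in the question.
REQUIRED='kernel.sem = 250 32000 32 262
kernel.shmall = 4194304
kernel.shmmax = 17179869184
net.core.somaxconn = 1024'

# Root of the sysctl tree. /proc/sys is the real one; PROC_SYS may be pointed
# at a constructed tree for offline testing (assumption made for this example).
: "${PROC_SYS:=/proc/sys}"

# read_sysctl KEY -> prints the current value of KEY, or fails if unreadable.
# Reads /proc/sys directly: a read-only mount still permits reads.
read_sysctl() {
  path="$PROC_SYS/$(printf '%s' "$1" | tr . /)"
  [ -r "$path" ] || return 1
  # kernel.sem is tab-separated; normalise whitespace to single spaces and trim.
  tr -s '\t ' ' ' <"$path" | sed 's/^ //; s/ $//'
}

# check_sysctls -> one line per key: "ok KEY", "mismatch KEY want=... have=..."
# or "unreadable KEY". Returns 0 only when every required key already matches.
check_sysctls() {
  status=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    key=$(printf '%s' "${line%%=*}" | tr -d ' ')
    want=$(printf '%s' "${line#*=}" | tr -s '\t ' ' ' | sed 's/^ //; s/ $//')
    if ! have=$(read_sysctl "$key"); then
      echo "unreadable $key"
      status=1
      continue
    fi
    if [ "$have" = "$want" ]; then
      echo "ok $key"
    else
      echo "mismatch $key want=$want have=$have"
      status=1
    fi
  done <<EOF
$REQUIRED
EOF
  return $status
}
```

Run it inside the container before reconfiguring; any "mismatch" line names a key that has to be set on the host (with sysctl -w or a file under /etc/sysctl.d/), since the container cannot write it itself.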

Answer 2

When you change security.privileged on a container, it does not take effect until the container is restarted.

No need to rebuild the container.

lxc restart will do.
