Lxc: restricting container view of dmesg

From lxadm | Linux administration tips, tutorials, HOWTOs and articles

If you don't want your lxc containers to be able to read the dmesg output, which includes the host's kernel messages, here is a quick tip.

Just enable this on the host:

echo 1 > /proc/sys/kernel/dmesg_restrict

Or, to have the value set permanently across reboots, add this to /etc/sysctl.conf (don't forget to run "sysctl -p" to parse /etc/sysctl.conf and apply the values):

kernel.dmesg_restrict=1

The setting will affect all non-root users on the host system, and all users in lxc containers, including root.
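As an added example (not part of the original lxadm tip), the following POSIX shell helpers audit the setting described above: one reads the live value from /proc/sys/kernel/dmesg_restrict, one parses a sysctl.conf-style file the way sysctl(8) does (comments skipped, last occurrence wins, "key = value" spacing tolerated), and one writes the persistent setting to a drop-in file. The drop-in path /etc/sysctl.d/60-dmesg-restrict.conf is an assumed name, not something the article specifies.

```shell
#!/bin/sh
# Added example, not from the lxadm article: audit helpers for kernel.dmesg_restrict.
#   dmesg_restrict_live                  prints the running value, or "unknown" if /proc is unavailable
#   dmesg_restrict_configured FILE       prints the value FILE would apply, or "unset"
#   dmesg_restrict_dropin [FILE]         writes the persistent setting to a sysctl.d drop-in

dmesg_restrict_live() {
    if [ -r /proc/sys/kernel/dmesg_restrict ]; then
        cat /proc/sys/kernel/dmesg_restrict
    else
        echo unknown
    fi
}

# Parse a sysctl.conf-style file: skip blank lines and comments (# or ;),
# accept "key=value" and "key = value", normalise the "kernel/dmesg_restrict"
# slash spelling sysctl also accepts, and let the last occurrence win, which
# is how sysctl -p applies the file top to bottom.
dmesg_restrict_configured() {
    awk -F'=' '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)
            gsub(/[[:space:]]/, "", val)
            gsub("/", ".", key)
            if (key == "kernel.dmesg_restrict") last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# Write the persistent setting. The default file name is an assumption for
# this example; any file under /etc/sysctl.d/ is read at boot on systemd hosts.
dmesg_restrict_dropin() {
    dropin="${1:-/etc/sysctl.d/60-dmesg-restrict.conf}"
    printf '%s\n%s\n' \
        '# Hide the host kernel log from non-root users and from container root' \
        'kernel.dmesg_restrict = 1' > "$dropin"
}

# Returns 0 when FILE pins kernel.dmesg_restrict to 1, 1 otherwise.
dmesg_restrict_ok() {
    [ "$(dmesg_restrict_configured "$1")" = "1" ]
}

# Usage: sh audit.sh /etc/sysctl.conf
if [ "$#" -ge 1 ]; then
    echo "live value:       $(dmesg_restrict_live)"
    echo "configured in $1: $(dmesg_restrict_configured "$1")"
    if dmesg_restrict_ok "$1"; then
        echo "OK: kernel log hidden from containers after reboot"
    else
        echo "WARNING: kernel.dmesg_restrict is not pinned to 1 in $1"
    fi
fi
```

Run it against /etc/sysctl.conf (or a drop-in) on the host; a reported live value of 1 with the file pinning 1 means the restriction survives a reboot, while a live 1 with "unset" means it was only set via /proc and will be lost.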

Try what happens in your lxc container:

root@lxc:~# dmesg
dmesg: klogctl failed: Operation not permitted

If this is a new deployment, note that it may simply be better to use LXD instead, which enables this by default.