
I am trying to configure my Ubuntu 12.04 VPS (OpenVZ) to reboot when it runs out of memory. To do this I have added the following lines to my "/etc/sysctl.conf" file.

vm.panic_on_oom = 1
kernel.panic = 14

But when I apply the configuration using the command "sudo sysctl -p" I get the following errors.

error: permission denied on key 'vm.panic_on_oom'
error: permission denied on key 'kernel.panic'

I have tried running the same command as root and found the same error.

Can anyone please point out what I am doing wrong, or how I can fix this?

Thanks in advance.

Jan Hudec
Jay Bhatt

1 Answer

OpenVZ is not a virtual machine, it is more like a container – in other words, there is only a single kernel running for both the host and all "VPS"es. This means a kernel panic would bring down the whole system, including every VPS hosted on it, and many kernel settings are shared between the host and all guests.

So you are not allowed to modify those settings because it doesn't make sense to do so.

u1686_grawity
  • Thanks. I understand now. But is there a way to just reboot my own VPS when OOM condition occurs? – Jay Bhatt Oct 13 '13 at 11:17
  • @grawity: does that mean that I shouldn't be modifying any of the settings in `sysctl.conf`? I am particularly asking in the context of settings to disable source packet routing, disabling ICMP redirection messages, & other such settings (following this security article http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics)? More specific question here http://serverfault.com/q/581798/64707 – Rajat Gupta Mar 13 '14 at 14:15
  • @user01: You can try; if OpenVZ doesn't support changing a certain setting per-container, it'll just return "permission denied". – u1686_grawity Mar 13 '14 at 14:18
  • yep I did try & it returned `Permission denied` for some keys. So should I set the allowed values (leaving out the ones that are not permitted)? I mean, will they really be in effect, as it is a shared kernel, so how can my setting be enforced on the shared kernel? – Rajat Gupta Mar 13 '14 at 14:24
  • I think the only condition in which my settings should work would be if they change something not shared. So it must be that not all of the settings in sysctl.conf are related to the kernel? – Rajat Gupta Mar 13 '14 at 14:27
  • @user01: They're all kernel settings, but the kernel has support for putting certain things in "namespaces". (OpenVZ containers basically just add multiple namespaces for /proc, UIDs, network devices, etc. The mainline kernel already has namespace support too, used by LXC and Docker, though it hasn't reached OpenVZ level of functionality just yet.) E.g. each container has a different "root" user, and they all are different from the host's "root" user, despite all having UID 0. Similarly, network devices – and some network parameters – are also namespaced. – u1686_grawity Mar 13 '14 at 15:34
  • Very insightful! Thanks so much for explanation! – Rajat Gupta Mar 13 '14 at 16:01
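The practical follow-up to the comment thread above is how to tell, inside a container, which of the hardening keys in sysctl.conf actually took effect and which the host kernel refused. The script below is an added example (not code from the answer, from grawity, or from OpenVZ): it parses a sysctl.conf fragment and the "permission denied" lines that sysctl -p prints, then reads each remaining key back from /proc/sys so that an accepted write whose live value still differs is flagged too. The sysctl.conf content and the stderr text are constructed samples, and the proc_sys path argument exists only so the check can be run against a fake tree or a dict-backed reader.

```python
import re

# Constructed sample inputs: a sysctl.conf fragment and the stderr that
# "sysctl -p" printed for it inside a container.
SAMPLE_CONF = """\
# OOM handling: panic, then reboot after 14 s (host-global keys)
vm.panic_on_oom = 1
kernel.panic = 14
# Network hardening keys from a typical checklist (namespaced)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
"""

SAMPLE_STDERR = """\
error: permission denied on key 'vm.panic_on_oom'
error: permission denied on key 'kernel.panic'
"""

DENIED_RE = re.compile(r"permission denied on key '([^']+)'")


def parse_conf(text):
    """Return {key: value} for the 'key = value' lines of a sysctl.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # sysctl.conf treats '#' and ';' as comment markers
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def parse_denied(stderr_text):
    """Return the set of keys sysctl reported as 'permission denied'."""
    return set(DENIED_RE.findall(stderr_text))


def key_to_proc_path(key, proc_sys="/proc/sys"):
    """Map a dotted sysctl key to its file under /proc/sys.

    Caveat: sysctl also accepts '/' as separator, which is the only
    unambiguous form when a component itself contains a dot (for example
    a VLAN interface name under net.ipv4.conf); such keys should be
    written with slashes before being passed here.
    """
    return proc_sys.rstrip("/") + "/" + key.replace(".", "/")


def proc_reader(proc_sys="/proc/sys"):
    """Build a reader that returns the live value of a key, or None."""
    def read(key):
        try:
            with open(key_to_proc_path(key, proc_sys)) as fh:
                return fh.read().strip()
        except OSError:
            return None
    return read


def verify(settings, denied, read_value):
    """Classify every requested key.

    denied     : sysctl refused the write (host-global key in a container)
    applied    : the live value equals the requested value
    mismatch   : the write was accepted but the live value differs
    unreadable : the key cannot be read back at all
    """
    report = {}
    for key, wanted in settings.items():
        if key in denied:
            report[key] = "denied"
            continue
        live = read_value(key)
        if live is None:
            report[key] = "unreadable"
        elif live.split() == wanted.split():  # tolerate multi-value spacing
            report[key] = "applied"
        else:
            report[key] = "mismatch"
    return report


if __name__ == "__main__":
    settings = parse_conf(SAMPLE_CONF)
    report = verify(settings, parse_denied(SAMPLE_STDERR), proc_reader())
    for key, status in sorted(report.items()):
        print(f"{status:10} {key} = {settings[key]}")
```

Run it on a real container by feeding it the actual sysctl.conf and the captured stderr of sysctl -p; "denied" keys are the ones the host owns, and anything reported as "mismatch" is worth investigating, because a silently ignored hardening setting is the same as an absent one.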