On Tue, May 27, 2014 at 2:20 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
> On Mon, May 26, 2014 at 10:22 PM, Michael H. Warfield <m...@wittsend.com> 
> wrote:
>> Serge,
>>
>> On Thu, 2014-05-15 at 15:31 +0000, Serge Hallyn wrote:
>>> Quoting Michael H. Warfield (m...@wittsend.com):
>>> > On Thu, 2014-05-15 at 22:04 +0700, Fajar A. Nugraha wrote:
>>
>> [SNIP]
>>
>>> > > With the unconfined apparmor profile, it works as expected
>>> > >
>>> > >
>>> > > ####
>>> > > # lxc-ls -f f20
>>> > > NAME  STATE    IPV4        IPV6  AUTOSTART
>>> > > ------------------------------------------
>>> > > f20   RUNNING  10.0.3.205  -     NO
>>> > > ####
>>> >
>>> > Nice catch!  I wonder if there is some way I can automate that in the
>>
>>> What exactly is systemd doing at that spot?  (I suppose I should go look
>>> at git, but figure maybe you know offhand)  Perhaps it's something we can
>>> add unconditionally to the apparmor profile.
>>
>> This came up again in another thread.  It's interesting that,
>> apparently, this didn't cause the same problems with Fedora 19
>> containers, which was still systemd, but is causing a SEGV from systemd
>> with Fedora 20 containers.  They've changed something.
>>
>> In any case, I did set that aa_profile option to unconfined on my Fedora
>> 20 host and it seems to simply be ignored.  Any heartburn if I make that
>> the default for Fedora and CentOS containers by incorporating it into
>> the common config files?
>
>
> I had a chance to try it again and look at syslog this time. With the
> default apparmor profile, you'd get this:
>
> May 27 13:52:47 trusty kernel: [57784.287089] type=1400
> audit(1401173567.348:86): apparmor="DENIED" operation="mount"
> info="failed type match" error=-13 profile="lxc-container-default"
> name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup"
> srcname="cgroup" flags="rw, nosuid, nodev, noexec"
>
> ... plus a bunch of other lines for /sys/fs/cgroup/*.
>
> Looking at current rules as base, I created this
>
> ####
> # cat lxc-fedora
> # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
>
> profile lxc-container-fedora flags=(attach_disconnected,mediate_deleted) {
>   #include <abstractions/lxc/container-base>
>
>   # the container may never be allowed to mount devpts.  If it does, it
>   # will remount the host's devpts.  We could allow it to do it with
>   # the newinstance option (but, right now, we don't).
>   deny mount fstype=devpts,
>
>   # Allow cgroup mounts needed by systemd
>   mount fstype=cgroup -> /sys/fs/cgroup/**,
>
>   # Deny writes to lxc cgroup
>   deny /sys/fs/cgroup/**/lxc/** rwklx,
> }
> ####


On further test, this seems enough

###
# cat lxc-default-with-systemd
profile lxc-container-default-with-systemd flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
}
###


During logout from console, there's a message like this

[root@f20 ~]# logout
Failed to mark scope session-c3.scope as abandoned : Stale file handle
console-getty.service holdoff time over, scheduling restart.

... but the login prompt displayed correctly afterwards anyway. Is
there something like "cgroup namespace", to prevent the container from
seeing the same systemd cgroup as the host?

-- 
Fajar
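An added example, not part of this thread or of the LXC project: a small Python parser for the AppArmor "DENIED" audit lines quoted above, used to check how much of the observed denial an allow rule actually covers before loosening a container profile. The log lines are constructed here (the first is the one Fajar quoted; the rest are made up for illustration), and `rule_coverage` only models the subset of AppArmor path globbing it needs (`**` crosses `/`, `*` does not) and ignores the `options=` part of a mount rule.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the audit line quoted in the
# thread; the remaining three are made up here to exercise the parser.
SAMPLE_LOG = """\
May 27 13:52:47 trusty kernel: [57784.287089] type=1400 audit(1401173567.348:86): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:47 trusty kernel: [57784.287301] type=1400 audit(1401173567.348:87): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpu,cpuacct/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:48 trusty kernel: [57784.301122] type=1400 audit(1401173568.100:88): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/dev/pts/" pid=3401 comm="mount" fstype="devpts" srcname="devpts" flags="rw"
May 27 13:52:49 trusty kernel: [57784.412000] type=1400 audit(1401173569.200:89): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=3410 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword, as emitted in the audit lines above
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if
    the line carries no apparmor= field (i.e. is not an AppArmor event)."""
    if "apparmor=" not in line:
        return None
    # findall yields '' for the non-participating group, so 'q or b' picks
    # whichever of the quoted/bare alternatives actually matched
    return {k: (q or b) for k, q, b in _KV.findall(line)}


def summarize_denials(log_text):
    """Count DENIED events by (profile, operation, fstype, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get("apparmor") == "DENIED":
            key = (ev.get("profile"), ev.get("operation"),
                   ev.get("fstype", ""), ev.get("name", ""))
            counts[key] += 1
    return counts


def denied_cgroup_mounts(log_text):
    """Unique cgroup mount targets under /sys/fs/cgroup that were denied.
    These paths decide how narrow an allow rule can be written."""
    targets = set()
    for (_profile, op, fstype, name) in summarize_denials(log_text):
        if op == "mount" and fstype == "cgroup" and name.startswith("/sys/fs/cgroup/"):
            targets.add(name)
    return sorted(targets)


def _aa_path_regex(pattern):
    """Translate the subset of AppArmor path globbing modelled here:
    '**' matches anything including '/', '*' matches anything except '/'.
    A pattern with no globs matches the path exactly."""
    outer = ["[^/]*".join(re.escape(p) for p in part.split("*"))
             for part in pattern.split("**")]
    return re.compile("^" + ".*".join(outer) + "$")


def rule_coverage(log_text, mountpoint_pattern):
    """Split the denied cgroup mount targets into those a rule of the form
    'mount fstype=cgroup -> <mountpoint_pattern>,' would cover and those
    that would still be denied (mount options are not modelled)."""
    rx = _aa_path_regex(mountpoint_pattern)
    covered, uncovered = [], []
    for name in denied_cgroup_mounts(log_text):
        (covered if rx.match(name) else uncovered).append(name)
    return covered, uncovered


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, key)
    for pattern in ("/sys/fs/cgroup/systemd/", "/sys/fs/cgroup/**"):
        covered, uncovered = rule_coverage(SAMPLE_LOG, pattern)
        print(pattern, "covers", covered, "leaves denied", uncovered)
```

Run against the constructed log, the narrow rule from the end of the message (`-> /sys/fs/cgroup/systemd/`) covers only the systemd hierarchy and leaves the other controller mounts denied, while the earlier `/sys/fs/cgroup/**` glob covers them all; the devpts denial is unaffected by either, which is the intended effect of the `deny mount fstype=devpts,` line in both profiles.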
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users