On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
> On Tue, May 27, 2014 at 2:20 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
> > On Mon, May 26, 2014 at 10:22 PM, Michael H. Warfield <m...@wittsend.com> 
> > wrote:
> >> Serge,
> >>
> >> On Thu, 2014-05-15 at 15:31 +0000, Serge Hallyn wrote:
> >>> Quoting Michael H. Warfield (m...@wittsend.com):
> >>> > On Thu, 2014-05-15 at 22:04 +0700, Fajar A. Nugraha wrote:
> >>
> >> [SNIP]
> >>
> >>> > > With the unconfined apparmor profile, it works as expected
> >>> > >
> >>> > >
> >>> > > ####
> >>> > > # lxc-ls -f f20
> >>> > > NAME  STATE    IPV4        IPV6  AUTOSTART
> >>> > > ------------------------------------------
> >>> > > f20   RUNNING  10.0.3.205  -     NO
> >>> > > ####
> >>> >
> >>> > Nice catch!  I wonder if there is some way I can automate that in the
> >>
> >>> What exactly is systemd doing at that spot?  (I suppose I should go look
> >>> at git, but figure maybe you know offhand)  Perhaps it's something we can
> >>> add unconditionally to the apparmor profile.
> >>
> >> This came up again in another thread.  It's interesting that,
> >> apparently, this didn't cause the same problems with Fedora 19
> >> containers, which was still systemd, but is causing a SEGV from systemd
> >> with Fedora 20 containers.  They've changed something.
> >>
> >> In any case, I did set that aa_profile option to unconfined on my Fedora
> >> 20 host and it seems to simply be ignored.  Any heartburn if I make that
> >> the default for Fedora and CentOS containers by incorporating it into
> >> the common config files?
> >
> >
> > I had a chance to try it again and look at syslog this time. With the
> > default apparmor profile, you'd get this:
> >
> > May 27 13:52:47 trusty kernel: [57784.287089] type=1400
> > audit(1401173567.348:86): apparmor="DENIED" operation="mount"
> > info="failed type match" error=-13 profile="lxc-container-default"
> > name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup"
> > srcname="cgroup" flags="rw, nosuid, nodev, noexec"
> >
> > ... plus a bunch of other lines for /sys/fs/cgroup/*.
> >
> > Looking at current rules as base, I created this
> >
> > ####
> > # cat lxc-fedora
> > # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> > # will source all profiles under /etc/apparmor.d/lxc
> >
> > profile lxc-container-fedora flags=(attach_disconnected,mediate_deleted) {
> >   #include <abstractions/lxc/container-base>
> >
> >   # the container may never be allowed to mount devpts.  If it does, it
> >   # will remount the host's devpts.  We could allow it to do it with
> >   # the newinstance option (but, right now, we don't).
> >   deny mount fstype=devpts,
> >
> >   # Allow cgroup mounts needed by systemd
> >   mount fstype=cgroup -> /sys/fs/cgroup/**,
> >
> >   # Deny writes to lxc cgroup
> >   deny /sys/fs/cgroup/**/lxc/** rwklx,
> > }
> > ####

> On further test, this seems enough

> ###
> # cat lxc-default-with-systemd
> profile lxc-container-default-with-systemd
> flags=(attach_disconnected,mediate_deleted) {
>   #include <abstractions/lxc/container-base>
>   deny mount fstype=devpts,
>   mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
> }
> ###

This sounds excellent.  It sounds like this should be incorporated into
the lxc package for any host distros supporting AppArmor and we could
then add that default to all the systemd based containers such as
Fedora, Suse, eventually Oracle, and eventually CentOS.

I agree it does seem to make more sense to use a restrictive profile
that covers the minimal set of requirements as opposed to unconfined.

That should be submitted as a patch over on the lxc-devel list then, for
Serge and Stéphane to review.  I see where the file would need to be
added in the config/apparmor/profiles directory but I'm not familiar
enough with the packaging for Ubuntu to know what changes would be
needed to add them there.

I could then add that new default to the {fedora|centos}.common.conf
config files for those containers.  Since it appears that the
lxc.aa_profile configuration parameter appears to be simply ignored on
systems which don't have AppArmor or have it disabled, it does no harm
to simply set it and forget it across the board.

> During logout from console, there's a message like this

> [root@f20 ~]# logout
> Failed to mark scope session-c3.scope as abandoned : Stale file handle
> console-getty.service holdoff time over, scheduling restart.

> ... but the login prompt displayed correctly afterwards anyway. Is
> there something like "cgroup namespace", to prevent the container from
> seeing the same systemd cgroup as the host?

Yeah, I think that's cosmetic, maybe just a systemd service artifact.

> -- 
> Fajar

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
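The workflow Fajar describes above (read the kernel audit log, find the "DENIED" mount lines, turn them into the minimal set of AppArmor mount rules the container profile needs) is easy to script. The following is an added example, not code from the thread or from the lxc project: it parses AppArmor audit lines of the form shown above, groups denied mounts by profile and filesystem type, and prints candidate rules in the same syntax as the lxc-default-with-systemd profile. The first sample line is the denial quoted in the thread; the other two are constructed for illustration.

```python
"""Summarize AppArmor "DENIED" mount operations from kernel audit lines
and render candidate mount rules for a container profile."""
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the denial quoted in the thread; lines 2
# and 3 are constructed (a sibling cgroup denial and an unrelated ALLOWED event).
SAMPLE_LOG = """\
May 27 13:52:47 trusty kernel: [57784.287089] type=1400 audit(1401173567.348:86): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:47 trusty kernel: [57784.287201] type=1400 audit(1401173567.348:87): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpu,cpuacct/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:48 trusty kernel: [57784.301000] type=1400 audit(1401173568.100:88): apparmor="ALLOWED" operation="open" profile="lxc-container-default" name="/etc/hostname" pid=3380 comm="cat"
"""

# AppArmor audit records are a sequence of key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the key="value" fields of one audit line as a dict,
    or None if the line is not an AppArmor record."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "apparmor" in fields else None


def denied_mounts(log_text):
    """Collect DENIED mount operations, keyed by (profile, fstype), each
    mapping to the sorted list of mount targets that were refused."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f["apparmor"] != "DENIED" or f.get("operation") != "mount":
            continue
        result[(f["profile"], f.get("fstype", "?"))].add(f["name"])
    return {key: sorted(names) for key, names in result.items()}


def suggest_rules(denials):
    """Render one AppArmor mount rule per denied target, using the syntax of
    the profile quoted in the thread. These are candidates to review, not
    rules to apply blindly: the thread's final profile narrowed the cgroup
    mount further with options=(none,name=systemd)."""
    rules = []
    for (profile, fstype), names in sorted(denials.items()):
        for name in names:
            rules.append(f"mount fstype={fstype} -> {name},")
    return rules


if __name__ == "__main__":
    denials = denied_mounts(SAMPLE_LOG)
    for (profile, fstype), names in denials.items():
        print(f"profile {profile}: {len(names)} denied {fstype} mount(s)")
    for rule in suggest_rules(denials):
        print("  " + rule)
```

Feed it `journalctl -k` or `/var/log/syslog` output instead of the embedded sample to see what a real container start was refused; the ALLOWED line in the sample shows that non-mount and non-denied records are skipped.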
