Quoting Fajar A. Nugraha (l...@fajar.net):
> (changed subject to match content)
>
> On Tue, May 27, 2014 at 11:10 PM, Michael H. Warfield <m...@wittsend.com>
> wrote:
> > On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
> >> On further test, this seems enough
> >
> >> ###
> >> # cat lxc-default-with-systemd
> >> profile lxc-container-default-with-systemd
> >> flags=(attach_disconnected,mediate_deleted) {
> >>   #include <abstractions/lxc/container-base>
> >>   deny mount fstype=devpts,
> >>   mount options=(none,name=systemd) fstype=cgroup ->
> >>     /sys/fs/cgroup/systemd/,
> >> }
> >> ###
> >
> > This sounds excellent. It sounds like this should be incorporated into
> > the lxc package for any host distros supporting AppArmor and we could
> > then add that default to all the systemd based containers such as
> > Fedora, Suse, eventually Oracle, and eventually CentOS.
> >
> > I agree it does seem to make more sense to use a restrictive profile
> > that covers the minimal set of requirements as opposed to unconfined.
> >
> > That should be submitted as a patch over on the lxc-devel list then, for
> > Serge and Stéphane to review. I see where the file would need to be
> > added in the config/apparmor/profiles directory but I'm not familiar
> > enough with the packaging for Ubuntu to know what changes would be
> > needed to add them there.
>
> I'll let Serge comment on this one.
>
>
> As a side note, I've tested opensuse 13.1 (using the squashfs root
> from rescue ISO) and it has two additional complaints with the previous
> apparmor profile:
>
> May 27 17:12:50 trusty kernel: [66563.219898] type=1400
> audit(1401185570.578:9249): apparmor="DENIED" operation="mount"
> info="failed type match" error=-13
> profile="lxc-container-default-with-systemd" name="/var/run/"
> pid=30648 comm="mount" srcname="/run/" flags="rw, bind"

Hm. In Debian/Ubuntu this is done with a /var/run -> /run symlink...

> May 27 17:21:20 trusty kernel: [67073.932892] type=1400
> audit(1401186080.906:9846): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-container-opensuse"
> name="/proc/" pid=4158 comm="mount" flags="rw, remount"
>
> The second one (/proc) is pretty harmless, so I ignored it. The first
> one (/var/run) produced lots of errors
>
> [FAILED] Failed to mount Runtime Directory.
> See 'systemctl status var-run.mount' for details.
> [DEPEND] Dependency failed for System Logging Service.
>          Mounting Runtime Directory...
>
>
> ... and made syslog (and possibly other services) fail to start, so
> for opensuse I had to adjust the profile even further
>
> ###
> profile lxc-container-opensuse flags=(attach_disconnected,mediate_deleted) {
>   #include <abstractions/lxc/container-base>
>   deny mount fstype=devpts,
>   mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
>   mount options=(rw,bind),
> }
> ###
>
> Bind mounts inside a container should be safe, right? While there are
> still some problems with opensuse container (e.g. shutdown takes a
> long time on "systemctl stop network@eth0.service"), it is at least
> usable for testing purposes.

Would systemd be happy with it being mounted by lxc using an
lxc.mount.entry? I think that would be preferable to relaxing the
apparmor policy. i.e.

lxc.mount.entry = /sys/fs/cgroup/systemd sys/fs/cgroup/systemd none bind,create=dir,optional 0 0

Or, of course, you can just do

lxc.mount.auto = cgroup:mixed

which should give you /sys/fs/cgroup/systemd if it exists on the host,
and in a safer way. Now if /sys/fs/cgroup/systemd does not exist on the
host, these won't work...

As you say the bind mounts should be ok - although some of the mount
options stuff doesn't work right in many apparmor parsers. So we'd want
to make sure that 'mount options=(rw,bind)' does in fact only allow
that, instead of suddenly allowing all mounts, as I've unfortunately
seen happen when I tried to selectively allow some other mount options.

-serge
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
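As an added example (not code from the thread or from the LXC project), a small Python parser for the `apparmor="DENIED"` kernel audit lines quoted above: it turns each denial into the narrowest mount rule that would satisfy it (explicit options, source and target), so a reviewer can compare that against a broad relaxation like `mount options=(rw,bind),` before widening a profile. The sample log is a constructed copy of the two lines in the thread; the emitted rule text is a suggestion to check with the host's apparmor_parser, not something the script applies.

```python
import re

# Constructed sample: the two kernel audit lines quoted in the thread, each
# re-joined onto a single line as syslog would write it.
SAMPLE_LOG = """\
May 27 17:12:50 trusty kernel: [66563.219898] type=1400 audit(1401185570.578:9249): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-systemd" name="/var/run/" pid=30648 comm="mount" srcname="/run/" flags="rw, bind"
May 27 17:21:20 trusty kernel: [67073.932892] type=1400 audit(1401186080.906:9846): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-opensuse" name="/proc/" pid=4158 comm="mount" flags="rw, remount"
"""

# AppArmor audit records use key="value" pairs; unquoted ones (pid=, error=)
# are not needed here and are skipped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return one dict per apparmor="DENIED" line, with 'flags' split into a
    list of individual mount options (the log writes them as "rw, bind")."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = dict(KV_RE.findall(line))
        rec["flags"] = [f.strip() for f in rec.get("flags", "").split(",") if f.strip()]
        denials.append(rec)
    return denials


def suggest_rule(denial):
    """Build the narrowest AppArmor mount rule covering this one denial:
    'mount options=(...) [source] -> target,'. A rule pinned to a source and
    target is what to prefer over 'mount options=(rw,bind),', which matches
    a bind of any path onto any other path inside the container."""
    if denial.get("operation") != "mount":
        return None
    parts = ["mount"]
    if denial["flags"]:
        parts.append("options=(%s)" % ",".join(denial["flags"]))
    if "srcname" in denial:          # bind mounts carry the source path
        parts.append(denial["srcname"])
    parts.append("-> %s" % denial["name"])
    return " ".join(parts) + ","


def triage(text):
    """Group suggested rules by the profile that denied them."""
    by_profile = {}
    for d in parse_denials(text):
        rule = suggest_rule(d)
        if rule:
            by_profile.setdefault(d["profile"], []).append(rule)
    return by_profile


if __name__ == "__main__":
    for profile, rules in triage(SAMPLE_LOG).items():
        print(profile)
        for r in rules:
            print("  " + r)
```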