BryanDavis has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/329702 )

Change subject: vagrant: Update LXC packages and apparmor conf for systemd
......................................................................

vagrant: Update LXC packages and apparmor conf for systemd

Update LXC and dependencies to support running containers using systemd init.
The base versions in Trusty will not work, but the trusty-backports
equivalents will. The apparmor profile for the LXC container is also updated
to include changes from upstream and a grant for mounting
/sys/fs/cgroup/systemd/.

Bug: T154294
Change-Id: Ib3a39530cdb4e2e1cf98b6a869a3d7d543f6f5a0
---
M modules/lxc/manifests/init.pp
M modules/vagrant/files/lxc/container-base
2 files changed, 70 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/02/329702/1

diff --git a/modules/lxc/manifests/init.pp b/modules/lxc/manifests/init.pp
index b4ad416..b712cfe 100644
--- a/modules/lxc/manifests/init.pp
+++ b/modules/lxc/manifests/init.pp
@@ -9,10 +9,27 @@
 class lxc(
     $container_root = '/srv/lxc',
 ) {
-    package { [
-        'lxc',
-        'lxc-templates',
+    # T154294: Running a jessie image in the container requires newer versions
+    # of LXC and it's dependencies than Trusty shipped with. Install the
+    # versions provided by trusty-backports instead.
+    $lxc_backports = [
         'cgroup-lite',
+        'liblxc1',
+        'lxc',
+        'lxc-common',
+        'lxc-templates',
+        'lxc1',
+        'python3-lxc',
+    ]
+    apt::pin { $lxc_backports:
+        pin      => 'release a=trusty-backports',
+        priority => 500,
+    }
+    package { $lxc_backports:
+      ensure => present,
+    }
+
+    package { [
         'redir',
         'bridge-utils',
     ]:
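Review bot: `ensure => present` on the `package { $lxc_backports:` resource does not move a host that already has the Trusty builds of lxc, lxc-templates or cgroup-lite installed onto the backports versions, because present is satisfied by whatever version is already installed; `ensure => latest` is what makes the new `apt::pin` actually take effect on existing hosts, which is the case the T154294 comment describes. Nothing in the hunk orders the pin before the packages either, so unless the `apt::pin` define establishes that relationship internally a first run on a fresh host can still resolve the packages from the default Trusty pocket; `require => Apt::Pin[$lxc_backports],` on the package resource would make the ordering explicit. Two style nits: the package body is indented two spaces where the rest of the class uses four, and the comment should read `its dependencies` rather than `it's dependencies`. The `lxc` class body continues past the end of this hunk.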
@@ -35,6 +52,5 @@
             force  => true,
         }
     }
-
 }
 
diff --git a/modules/vagrant/files/lxc/container-base 
b/modules/vagrant/files/lxc/container-base
index c16f742..e43addf 100644
--- a/modules/vagrant/files/lxc/container-base
+++ b/modules/vagrant/files/lxc/container-base
@@ -57,6 +57,7 @@
   mount fstype=mqueue,
 
   # allow fuse mounts everywhere
+  mount fstype=fuse,
   mount fstype=fuse.*,
 
   # allow NFS
@@ -68,6 +69,9 @@
   # allow bind mount of /lib/init/fstab for lxcguest
   mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
 
+  # deny access under /proc/bus to avoid e.g. messing with pci devices directly
+  deny @{PROC}/bus/** wklx,
+
   # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
   deny @{PROC}/sys/fs/** wklx,
@@ -76,9 +80,10 @@
   mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 
   # block some other dangerous paths
-  deny @{PROC}/sysrq-trigger rwklx,
-  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kcore rwklx,
   deny @{PROC}/kmem rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/sysrq-trigger rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)
@@ -88,9 +93,52 @@
   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
+  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> 
/sys/fs/cgroup/cgmanager.lower/,
+  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,
+  # T154294 - allow systemd to be mounted rw
+  mount options=(rw, nosuid, nodev, noexec) -> /sys/fs/cgroup/systemd/,
+
+  # deny reads from debugfs
+  deny /sys/kernel/debug/{,**} rwklx,
+
+  # allow bind-mounts of anything except /proc, /sys and /dev
+  mount options=(rw,bind) /[^spd]*{,/**},
+  mount options=(rw,bind) /d[^e]*{,/**},
+  mount options=(rw,bind) /de[^v]*{,/**},
+  mount options=(rw,bind) /dev/.[^l]*{,/**},
+  mount options=(rw,bind) /dev/.l[^x]*{,/**},
+  mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+  mount options=(rw,bind) /dev/.lxc?*{,/**},
+  mount options=(rw,bind) /dev/[^.]*{,/**},
+  mount options=(rw,bind) /dev?*{,/**},
+  mount options=(rw,bind) /p[^r]*{,/**},
+  mount options=(rw,bind) /pr[^o]*{,/**},
+  mount options=(rw,bind) /pro[^c]*{,/**},
+  mount options=(rw,bind) /proc?*{,/**},
+  mount options=(rw,bind) /s[^y]*{,/**},
+  mount options=(rw,bind) /sy[^s]*{,/**},
+  mount options=(rw,bind) /sys?*{,/**},
+
+  # allow moving mounts except for /proc, /sys and /dev
+  mount options=(rw,move) /[^spd]*{,/**},
+  mount options=(rw,move) /d[^e]*{,/**},
+  mount options=(rw,move) /de[^v]*{,/**},
+  mount options=(rw,move) /dev/.[^l]*{,/**},
+  mount options=(rw,move) /dev/.l[^x]*{,/**},
+  mount options=(rw,move) /dev/.lx[^c]*{,/**},
+  mount options=(rw,move) /dev/.lxc?*{,/**},
+  mount options=(rw,move) /dev/[^.]*{,/**},
+  mount options=(rw,move) /dev?*{,/**},
+  mount options=(rw,move) /p[^r]*{,/**},
+  mount options=(rw,move) /pr[^o]*{,/**},
+  mount options=(rw,move) /pro[^c]*{,/**},
+  mount options=(rw,move) /proc?*{,/**},
+  mount options=(rw,move) /s[^y]*{,/**},
+  mount options=(rw,move) /sy[^s]*{,/**},
+  mount options=(rw,move) /sys?*{,/**},
 
   # generated by: lxc-generate-aa-rules.py container-rules.base
   deny /proc/sys/[^kn]*{,/**} wklx,
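Review bot: The new rw grant `mount options=(rw, nosuid, nodev, noexec) -> /sys/fs/cgroup/systemd/,` carries no `fstype=` restriction, unlike the neighbouring `mount fstype=proc -> /proc/,` and `mount fstype=sysfs -> /sys/,` rules, so it permits mounting any filesystem type at that path rather than only the cgroup hierarchy systemd needs; `mount fstype=cgroup options=(rw, nosuid, nodev, noexec) -> /sys/fs/cgroup/systemd/,` keeps the grant to its stated purpose. It would also help a later reader if the `# T154294 - allow systemd to be mounted rw` comment said why rw is required here while the parent `/sys/fs/cgroup/` is remounted read-only on the line above, since the two rules look contradictory at first glance. The profile continues beyond the end of this hunk.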

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib3a39530cdb4e2e1cf98b6a869a3d7d543f6f5a0
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
