Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/329702 )
Change subject: vagrant: Update LXC packages and apparmor conf for systemd
......................................................................
vagrant: Update LXC packages and apparmor conf for systemd
Update LXC and dependencies to support running containers using systemd init. The base versions in Trusty will not work, but the trusty-backports equivalents will. The apparmor profile for the LXC container is also updated to include changes from upstream and a grant for mounting /sys/fs/cgroup/systemd/.
Bug: T154294
Change-Id: Ib3a39530cdb4e2e1cf98b6a869a3d7d543f6f5a0
---
M modules/lxc/manifests/init.pp
M modules/vagrant/files/lxc/container-base
2 files changed, 70 insertions(+), 6 deletions(-)
Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/modules/lxc/manifests/init.pp b/modules/lxc/manifests/init.pp
index b4ad416..b712cfe 100644
--- a/modules/lxc/manifests/init.pp
+++ b/modules/lxc/manifests/init.pp
@@ -9,10 +9,27 @@
 class lxc(
 $container_root = '/srv/lxc',
 ) {
- package { [
- 'lxc',
- 'lxc-templates',
+ # T154294: Running a jessie image in the container requires newer versions
+ # of LXC and it's dependencies than Trusty shipped with. Install the
+ # versions provided by trusty-backports instead.
+ $lxc_backports = [
 'cgroup-lite',
+ 'liblxc1',
+ 'lxc',
+ 'lxc-common',
+ 'lxc-templates',
+ 'lxc1',
+ 'python3-lxc',
+ ]
+ apt::pin { $lxc_backports:
+ pin => 'release a=trusty-backports',
+ priority => 500,
+ }
+ package { $lxc_backports:
+ ensure => present,
+ }
+
+ package { [
 'redir',
 'bridge-utils',
 ]:
@@ -35,6 +52,5 @@
 force => true,
 }
 }
-
 }
diff --git a/modules/vagrant/files/lxc/container-base b/modules/vagrant/files/lxc/container-base
index c16f742..e43addf 100644
--- a/modules/vagrant/files/lxc/container-base
+++ b/modules/vagrant/files/lxc/container-base
@@ -57,6 +57,7 @@
 mount fstype=mqueue,
 # allow fuse mounts everywhere
+ mount fstype=fuse,
 mount fstype=fuse.*,
 # allow NFS
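Review bot: In modules/lxc/manifests/init.pp, `package { $lxc_backports: ensure => present }` declares no ordering against the `apt::pin { $lxc_backports: ... }` it depends on, so on a fresh host Puppet may install the Trusty versions before the preferences file exists, and `ensure => present` will not upgrade them afterwards — which is the configuration the commit message says does not work. Unless the apt module already orders every `Apt::Pin` before `Package` resources globally, add `require => Apt::Pin[$lxc_backports],` to the package resource and confirm the pin triggers an apt cache refresh before the install runs. Separately, the new comment reads `of LXC and it's dependencies`; it should be `its dependencies`.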
@@ -68,6 +69,9 @@
 # allow bind mount of /lib/init/fstab for lxcguest
 mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+ # deny access under /proc/bus to avoid e.g. messing with pci devices directly
+ deny @{PROC}/bus/** wklx,
+
 # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
 mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
 deny @{PROC}/sys/fs/** wklx,
@@ -76,9 +80,10 @@
 mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 # block some other dangerous paths
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
+ deny @{PROC}/kcore rwklx,
 deny @{PROC}/kmem rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/sysrq-trigger rwklx,
 # deny writes in /sys except for /sys/fs/cgroup, also allow
 # fusectl, securityfs and debugfs to be mounted there (read-only)
@@ -88,9 +93,52 @@
 deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
 mount fstype=proc -> /proc/,
 mount fstype=sysfs -> /sys/,
+ mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+ mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+ # T154294 - allow systemd to be mounted rw
+ mount options=(rw, nosuid, nodev, noexec) -> /sys/fs/cgroup/systemd/,
+
+ # deny reads from debugfs
+ deny /sys/kernel/debug/{,**} rwklx,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+
+ # allow moving mounts except for /proc, /sys and /dev
+ mount options=(rw,move) /[^spd]*{,/**},
+ mount options=(rw,move) /d[^e]*{,/**},
+ mount options=(rw,move) /de[^v]*{,/**},
+ mount options=(rw,move) /dev/.[^l]*{,/**},
+ mount options=(rw,move) /dev/.l[^x]*{,/**},
+ mount options=(rw,move) /dev/.lx[^c]*{,/**},
+ mount options=(rw,move) /dev/.lxc?*{,/**},
+ mount options=(rw,move) /dev/[^.]*{,/**},
+ mount options=(rw,move) /dev?*{,/**},
+ mount options=(rw,move) /p[^r]*{,/**},
+ mount options=(rw,move) /pr[^o]*{,/**},
+ mount options=(rw,move) /pro[^c]*{,/**},
+ mount options=(rw,move) /proc?*{,/**},
+ mount options=(rw,move) /s[^y]*{,/**},
+ mount options=(rw,move) /sy[^s]*{,/**},
+ mount options=(rw,move) /sys?*{,/**},
 # generated by: lxc-generate-aa-rules.py container-rules.base
 deny /proc/sys/[^kn]*{,/**} wklx,
--
To view, visit https://gerrit.wikimedia.org/r/329702
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib3a39530cdb4e2e1cf98b6a869a3d7d543f6f5a0
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Madhuvishy <mviswanat...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
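Review bot: The block in modules/vagrant/files/lxc/container-base from `mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,` through the `(rw,move)` rules appears to be lifted from upstream LXC's `abstractions/container-base`, but nothing in the file records which upstream revision it was synced from, and only the `/sys/fs/cgroup/systemd/` rw mount is tagged as a local change. Add a comment at the top of the imported block such as `# synced from upstream lxc abstractions/container-base at <UPSTREAM_VERSION>; local additions are marked T154294` so the next resync can be diffed against a known baseline. The `mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,` grant also deserves a one-line why-comment: it permits the remount operation itself, while file writes under /sys are still governed by the `# deny writes in /sys` rules that the earlier hunk's comment refers to — presumably systemd performs this remount at boot, which should be stated if that is the reason.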