[lxc-devel] [PATCH] Add a nesting.conf which can be included to support nesting containers

Serge Hallyn serge.hallyn at ubuntu.com
Thu Sep 3 20:19:26 UTC 2015


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Thu, Sep 03, 2015 at 08:11:22PM +0000, Serge Hallyn wrote:
> > Newer kernels have added a new restriction:  if /proc or /sys on the
> > host has files or non-empty directories which are over-mounted, and
> > there is no /proc which is fully visible, then it assumes there is a
> > "security" reason for this.  It prevents anyone in a non-initial user
> > namespace from creating a new proc or sysfs mount.
> > 
> > To work around this, this patch adds a new 'nesting.conf' which can be
> > lxc.include'd from a container configuration file.  It adds a
> > non-overmounted mount of /proc and /sys under /dev/.lxc, so that the
> > kernel can see that we're not trying to *hide* things like /proc/uptime
> > and /sys/devices/virtual/net.  If the host adds this to the config file
> > for container w1, then container w1 will support unprivileged child
> > containers.
> > 
> > The nesting.conf file also sets the apparmor profile to the with-nesting
> > variant, since that is required anyway.  This actually means that
> > supporting nesting isn't really more work than it used to be, just
> > different.  Instead of adding
> > 
> > lxc.aa_profile = lxc-container-default-with-nesting
> > 
> > you now just need to
> > 
> > lxc.include = /usr/share/lxc/config/nesting.conf
> > 
> > (Look, fewer characters :)
> > 
> > Finally, in order to maintain the current apparmor protections on
> > proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable.
> > We don't need to be able to use them, we're just showing the
> > kernel what's what.
> > 
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> >  config/apparmor/profiles/lxc-default-with-nesting | 2 ++
> >  config/templates/Makefile.am                      | 1 +
> >  config/templates/nesting.conf.in                  | 8 ++++++++
> >  configure.ac                                      | 1 +
> >  4 files changed, 12 insertions(+)
> >  create mode 100644 config/templates/nesting.conf.in
> > 
> > diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
> > index 91ad6de..83a0b83 100644
> > --- a/config/apparmor/profiles/lxc-default-with-nesting
> > +++ b/config/apparmor/profiles/lxc-default-with-nesting
> > @@ -8,6 +8,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
> >  #  Uncomment the line below if you are not using cgmanager
> >  #  mount fstype=cgroup -> /sys/fs/cgroup/**,
> >  
> > +  deny /dev/.lxd/proc/** rw,
> > +  deny /dev/.lxd/sys/** rw,
> 
> ^ Should be /dev/.lxc not /dev/.lxd

HAH!  I made sure to check that I got that right in the description :)

> >    mount fstype=proc -> /var/cache/lxc/**,
> >    mount fstype=sysfs -> /var/cache/lxc/**,
> >    mount options=(rw,bind),
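Review bot: the two new deny rules name /dev/.lxd, while the mount entries in nesting.conf.in put the copies under dev/.lxc, so the rules would not cover the paths that are actually mounted and the /dev/.lxc/{proc,sys} copies would stay readable and writable from inside the container; change them to `deny /dev/.lxc/proc/** rw,` and `deny /dev/.lxc/sys/** rw,` to match the description. Separately, the surrounding mount rules only permit proc and sysfs mounts targeting /var/cache/lxc/**, so it is worth confirming that the lxc.mount.entry mounts are performed before the container transitions into this profile; otherwise the /dev/.lxc mounts themselves would be refused.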
> > diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> > index 329f919..e587899 100644
> > --- a/config/templates/Makefile.am
> > +++ b/config/templates/Makefile.am
> > @@ -18,6 +18,7 @@ templatesconfig_DATA = \
> >  	gentoo.common.conf \
> >  	gentoo.moresecure.conf \
> >  	gentoo.userns.conf \
> > +	nesting.conf \
> >  	opensuse.common.conf \
> >  	opensuse.userns.conf \
> >  	oracle.common.conf \
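Review bot: listing nesting.conf in templatesconfig_DATA installs the generated file, which is consistent with the other generated templates in this list; worth confirming that the config/templates/nesting.conf.in source is also picked up for distribution (EXTRA_DIST or equivalent) so the template is present in release tarballs and not only in git checkouts.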
> > diff --git a/config/templates/nesting.conf.in b/config/templates/nesting.conf.in
> > new file mode 100644
> > index 0000000..b712ef6
> > --- /dev/null
> > +++ b/config/templates/nesting.conf.in
> > @@ -0,0 +1,8 @@
> > +# Use a profile which allows nesting
> > +lxc.aa_profile = lxc-container-default-with-nesting
> > +
> > +# Add uncovered mounts of proc and sys, else unprivileged users
> > +# cannot remount those
> > +
> > +lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0
> > +lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0
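Review bot: the comment above the two mount entries says unprivileged users "cannot remount those", but the description explains the actual restriction: the kernel refuses any new proc or sysfs mount from a non-initial user namespace when no fully visible instance exists. State that in the comment, and note that these copies are deliberately left unused (the apparmor profile denies access under /dev/.lxc), so a later reader does not strip them as dead weight. Also, with `optional` set a failed mount is silent and the only symptom would be child containers failing to mount /proc or /sys; a line in the comment pointing at that failure mode would save debugging time.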
> > diff --git a/configure.ac b/configure.ac
> > index 5e9538e..4bad326 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -647,6 +647,7 @@ AC_CONFIG_FILES([
> >  	config/templates/gentoo.common.conf
> >  	config/templates/gentoo.moresecure.conf
> >  	config/templates/gentoo.userns.conf
> > +	config/templates/nesting.conf
> >  	config/templates/opensuse.common.conf
> >  	config/templates/opensuse.userns.conf
> >  	config/templates/oracle.common.conf
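Review bot: config/templates/nesting.conf.in contains no configure substitution markers, so this AC_CONFIG_FILES entry and the .in suffix add a build step without changing the file's contents; unless a substituted path is planned for it, shipping a plain config/templates/nesting.conf and dropping this entry would be simpler.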
> > -- 
> > 2.5.0
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
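The kernel behaviour the description relies on can be screened for from user space before a nested container fails to start. The following is an added example, not code from the patch or from this thread: it approximates the "fully visible" test by checking, from a mountinfo listing, whether a proc or sysfs mount has any other mount beneath it. It assumes the /proc/self/mountinfo layout (field 5 is the mount point, the filesystem type follows the " - " separator); the sample listings are constructed, and the real kernel check is stricter in some ways and more lenient in others (it also looks at mount flags and whether an over-mounted directory is permanently empty), so treat this as a first screen rather than a reproduction of the kernel logic.

```shell
#!/bin/sh
# Added example, not part of the patch: screen a mountinfo listing for a
# proc or sysfs instance that has nothing mounted on top of it, which is
# roughly what the kernel means by a "fully visible" mount.

# Constructed sample: a host whose only /proc has /proc/uptime over-mounted
# (as lxcfs does), so no proc instance is left uncovered.
HOST_BEFORE='20 1 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:1 - proc proc rw
30 20 0:31 / /proc/uptime rw,nosuid,nodev,relatime shared:2 - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
40 1 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:3 - sysfs sysfs rw'

# Constructed sample: the same host after a container includes nesting.conf,
# which adds an uncovered copy of proc under /dev/.lxc/proc.
HOST_AFTER="$HOST_BEFORE
50 1 0:20 / /dev/.lxc/proc rw,nosuid,nodev,noexec,relatime shared:4 - proc proc rw"

# uncovered_mounts FSTYPE < mountinfo
# Prints the mount points of FSTYPE that have no other mount beneath them.
# Exit status is 0 if at least one was found, 1 otherwise.
uncovered_mounts() {
    awk -v want="$1" '
    {
        # Optional tags (shared:N, master:N, ...) sit between field 6 and
        # the "-" separator, so scan for the separator to find the fs type.
        type = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { type = $(i + 1); break }
        mp[NR] = $5; ft[NR] = type
    }
    END {
        found = 0
        for (i = 1; i <= NR; i++) {
            if (ft[i] != want) continue
            prefix = mp[i] "/"; covered = 0
            for (j = 1; j <= NR; j++)
                if (j != i && index(mp[j], prefix) == 1) { covered = 1; break }
            if (!covered) { print mp[i]; found = 1 }
        }
        exit found ? 0 : 1
    }'
}

# Demo on the constructed samples.  On a real host run:
#   uncovered_mounts proc < /proc/self/mountinfo
printf 'before nesting.conf: '
printf '%s\n' "$HOST_BEFORE" | uncovered_mounts proc || echo "no uncovered proc mount"
printf 'after nesting.conf:  '
printf '%s\n' "$HOST_AFTER" | uncovered_mounts proc || echo "no uncovered proc mount"
```

Run against the real /proc/self/mountinfo on a host that already has lxcfs or similar over-mounts in place, an empty result for `proc` (or `sysfs`) is the situation the description addresses, and the /dev/.lxc copies that nesting.conf adds are what turns it into a non-empty one.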


