[lxc-devel] apparmor: suse bind-mounts /run{, /lock} to /var{, /lock}

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Feb 1 14:21:06 UTC 2016


Some OpenSUSE 13.1 and 13.2 containers seem to misbehave with the current apparmor
profile (13.1 boots but I keep seeing mount-denied apparmor messages,
while upgrading or using a 13.2 template seems to hang).

The templates I'm using here come from:
https://openvz.org/Download/template/precreated
so they're not the "official" ones created via lxc-create. (Note that at
the time of writing `lxc-create -t download` seems to only provide an
i386 version of 13.2?)

Adding the following apparmor rules seems to fix this and I'm wondering
if you'd accept a patch to add the following rules to the apparmor
profile, since I don't see any particular problem with allowing this:

  # allow bind mounts of /run/ and /run/lock/ onto /var/run/ and /var/lock/
  mount options=(rw, bind) /run/ -> /var/run/,
  mount options=(rw, bind) /run/lock/ -> /var/lock/,

Or maybe someone else using suse containers knows another way to get
suse to run?
It's been a few months since I last looked into the lxc-create sources,
so maybe there's some other obvious thing I can do instead of allowing
this, but it doesn't seem harmful and it fixes the problem.
And most of our users come from OpenVZ so providing a fixed template
won't help the existing users to migrate...
