[lxc-devel] apparmor: suse bind-mounts /run{, /lock} to /var{, /lock}

Stéphane Graber stgraber at ubuntu.com
Mon Feb 1 15:40:12 UTC 2016


On Mon, Feb 01, 2016 at 03:21:06PM +0100, Wolfgang Bumiller wrote:
> Some OpenSUSE 13.1 and 13.2 seem to misbehave with the current apparmor
> profile (13.1 boots but I keep seeing mount-denied apparmor messages,
> while upgrading or using a 13.2 template seems to hang).
> 
> The templates I'm using here come from:
> https://openvz.org/Download/template/precreated
> so they're not the "official" ones created via lxc-create. (Note that at
> the time of writing `lxc-create -t download` seems to only provide an
> i386 version of 13.2?)
> 
> Adding the following apparmor rules seems to fix this and I'm wondering
> if you'd accept a patch to add the following rules to the apparmor
> profile, since I don't see any particular problem with allowing this:
> 
>   # allow bind mounts of /run/{,lock} to /var/run/{,lock}
>   mount options=(rw, bind) /run/ -> /var/run/,
>   mount options=(rw, bind) /run/lock/ -> /var/lock/,
> 
> Or maybe someone else using suse containers knows another way to get
> suse to run?
> It's been a few months since I last looked into the lxc-create sources,
> so maybe there's some other obvious thing I can do instead of allowing
> this, but since it doesn't seem harmful and fixes the problem.
> And most of our users come from OpenVZ so providing a fixed template
> won't help the existing users to migrate...


Those extra two lines are safe to add to the profile, so if they're
helping, I'd say to just send a pull request and we'll take them.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
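
Added example (not part of the original thread or of the LXC project's code): a Python check that the AppArmor mount denials seen in the kernel log are exactly the two bind mounts the proposed rules allow, so that anything else stays visible for separate review. The audit-line layout, the profile name and the sample lines are constructed assumptions, and rule matching is simplified to exact source, target and flag-set equality.

```python
import re

# The two rules proposed in the thread, as (source, target, flags).
PROPOSED_RULES = [
    ("/run/", "/var/run/", frozenset({"rw", "bind"})),
    ("/run/lock/", "/var/lock/", frozenset({"rw", "bind"})),
]

# Constructed sample kernel audit lines; they are not taken from the thread.
SAMPLE_LOG = """\
audit: type=1400 audit(1454336466.101:40): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/var/run/" pid=812 comm="mount" srcname="/run/" flags="rw, bind"
audit: type=1400 audit(1454336466.108:41): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/var/lock/" pid=815 comm="mount" srcname="/run/lock/" flags="rw, bind"
audit: type=1400 audit(1454336467.220:42): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/mnt/" pid=901 comm="mount" srcname="/tmp/" flags="rw, bind"
audit: type=1400 audit(1454336468.004:43): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/sys/kernel/example" pid=910 comm="cat" requested_mask="r" denied_mask="r"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_denied_mounts(log_text):
    """Return (srcname, name, flags) for every AppArmor-denied mount event."""
    events = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
            continue  # skip other operations and non-AppArmor lines
        flags = frozenset(f.strip() for f in fields.get("flags", "").split(",") if f.strip())
        events.append((fields.get("srcname", ""), fields.get("name", ""), flags))
    return events


def split_by_coverage(events, rules=PROPOSED_RULES):
    """Partition events into those the rules would allow and those still denied.

    Simplification: source, target and flag set must match a rule exactly.
    """
    allowed = [e for e in events if e in rules]
    remaining = [e for e in events if e not in rules]
    return allowed, remaining


if __name__ == "__main__":
    allowed, remaining = split_by_coverage(parse_denied_mounts(SAMPLE_LOG))
    for src, dst, flags in allowed:
        print(f"covered by proposed rules: {src} -> {dst} ({', '.join(sorted(flags))})")
    for src, dst, flags in remaining:
        print(f"still denied, review separately: {src} -> {dst} ({', '.join(sorted(flags))})")
```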