[lxc-devel] [lxd/master] allow cgroupfs mounting on cgns kernels
hallyn on Github
lxc-bot at linuxcontainers.org
Mon Feb 22 01:03:22 UTC 2016
From a691ad92f5ffeef7c896ed94f649d160a8aaa22c Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Sun, 21 Feb 2016 17:02:28 -0800
Subject: [PATCH] allow cgroupfs mounting on cgns kernels
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
lxd/apparmor.go | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index 277bbe1..b983834 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -52,6 +52,9 @@ const DEFAULT_AA_PROFILE = `
profile "%s" flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
+ # Special exception for cgroup namespaces
+ %s
+
# user input raw.apparmor below here
%s
@@ -75,6 +78,13 @@ func AAProfileShort(c container) string {
return fmt.Sprintf("lxd-%s", c.Name())
}
+func AAProfileCgns() string {
+ if shared.PathExists("/proc/self/ns/cgroup") {
+ return " mount fstype=cgroup -> /sys/fs/cgroup/**,"
+ }
+ return ""
+}
+
// getProfileContent generates the apparmor profile template from the given
// container. This includes the stock lxc includes as well as stuff from
// raw.apparmor.
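Review bot: AAProfileCgns keys the mount exception on /proc/self/ns/cgroup existing in the LXD process, which only shows that the kernel supports cgroup namespaces, not that the container being profiled is started inside its own one; as far as the visible rule shows, a container launched without an unshared cgroup namespace on such a kernel would be allowed to mount the host cgroup hierarchy under /sys/fs/cgroup, so that assumption should be written down where the rule is generated. The function is exported and has no doc comment; suggest `// AAProfileCgns returns the AppArmor mount rule that lets a container mount cgroupfs under /sys/fs/cgroup when the kernel exposes cgroup namespaces (/proc/self/ns/cgroup), or "" otherwise.` The matching `%s` slot added to DEFAULT_AA_PROFILE in the first hunk leaves the `# Special exception for cgroup namespaces` comment above an empty line whenever this returns "", which is harmless but worth a one-line note there so the blank slot is not mistaken for a lost rule.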
@@ -89,7 +99,7 @@ func getAAProfileContent(c container) string {
nesting = NESTING_AA_PROFILE
}
- return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileFull(c), rawApparmor, nesting, AAProfileFull(c))
+ return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileFull(c), AAProfileCgns(), rawApparmor, nesting, AAProfileFull(c))
}
func runApparmor(command string, c container) error {
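Review bot: The Sprintf now carries six positional `%s` arguments whose order must track the placeholder order in DEFAULT_AA_PROFILE some fifty lines earlier, and nothing at the call site says which slot is which; a short comment such as `// args: profile name, cgns mount rule, raw.apparmor, nesting, profile name` above the return would make a future reordering of the template harder to get wrong. getAAProfileContent begins before this hunk, and runApparmor continues past it.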