[lxc-devel] [lxd/master] docker profile: add the apparmor enabled overmount

hallyn on Github lxc-bot at linuxcontainers.org
Tue Mar 15 21:15:59 UTC 2016


From 1dbe178a83c7b83502c244446f523229c8792292 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Tue, 15 Mar 2016 13:56:32 -0700
Subject: [PATCH] docker profile: add the apparmor enabled overmount

Until we have stackable apparmor profiles, docker needs to be told that
apparmor is not enabled, so that it won't try (and fail) to load new
profiles.

Do this by mounting /dev/null over /sys/module/apparmor/parameters/enabled.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 lxd/db.go          |  2 +-
 lxd/db_profiles.go |  7 ++++++-
 lxd/db_update.go   | 18 ++++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/lxd/db.go b/lxd/db.go
index be8be5a..ca6d5d4 100644
--- a/lxd/db.go
+++ b/lxd/db.go
@@ -34,7 +34,7 @@ type Profile struct {
 // Profiles will contain a list of all Profiles.
 type Profiles []Profile
 
-const DB_CURRENT_VERSION int = 28
+const DB_CURRENT_VERSION int = 29
 
 // CURRENT_SCHEMA contains the current SQLite SQL Schema.
 const CURRENT_SCHEMA string = `
diff --git a/lxd/db_profiles.go b/lxd/db_profiles.go
index e857b1e..9d63674 100644
--- a/lxd/db_profiles.go
+++ b/lxd/db_profiles.go
@@ -134,7 +134,12 @@ func dbProfileCreateDocker(db *sql.DB) error {
 		"path": "/dev/fuse",
 		"type": "unix-char",
 	}
-	devices := map[string]shared.Device{"fuse": fusedev}
+	aadisable := map[string]string{
+		"path": "/sys/module/apparmor/parameters/enabled",
+		"type": "disk",
+		"source": "/dev/null",
+	}
+	devices := map[string]shared.Device{"fuse": fusedev, "aadisable": aadisable }
 
 	_, err = dbProfileCreate(db, "docker", "Profile supporting docker in containers", config, devices)
 	return err
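Review bot: The last added line is not gofmt-clean: there is a stray space before the closing brace in `"aadisable": aadisable }`, and gofmt would also align the values of the three-key `aadisable` literal above it, so the file should be run through gofmt before merge. The reason this device exists is only in the commit message; a comment on the literal such as `// Mount /dev/null over the apparmor "enabled" parameter so docker, which cannot load stacked profiles yet, sees apparmor as disabled.` would keep that rationale next to the code. The migration in db_update.go inserts this same device with numeric type 2, which I take to be the "disk" type used here; worth confirming the two agree. dbProfileCreateDocker starts outside the hunk.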
diff --git a/lxd/db_update.go b/lxd/db_update.go
index 798431d..31c3612 100644
--- a/lxd/db_update.go
+++ b/lxd/db_update.go
@@ -15,6 +15,18 @@ import (
 	log "gopkg.in/inconshreveable/log15.v2"
 )
 
+func dbUpdateFromV28(db *sql.DB) error {
+	stmt := `
+INSERT INTO profiles_devices (profile_id, name, type) SELECT id, "aadisable", 2 FROM profiles WHERE name="docker";
+INSERT INTO profiles_devices_config (profile_device_id, key, value) SELECT profiles_devices.id, "source", "/dev/null" FROM profiles_devices LEFT JOIN profiles WHERE profiles_devices.profile_id = profiles.id AND profiles.name = "docker" AND profiles_devices.name = "aadisable";
+INSERT INTO profiles_devices_config (profile_device_id, key, value) SELECT profiles_devices.id, "path", "/sys/module/apparmor/parameters/enabled" FROM profiles_devices LEFT JOIN profiles WHERE profiles_devices.profile_id = profiles.id AND profiles.name = "docker" AND profiles_devices.name = "aadisable";`
+	db.Exec(stmt)
+
+	stmt = `INSERT INTO schema (version, updated_at) VALUES (?, strftime("%s"));`
+	_, err := db.Exec(stmt, 29)
+	return err
+}
+
 func dbUpdateFromV27(db *sql.DB) error {
 	stmt := `
 UPDATE profiles_devices SET type=3 WHERE type='unix-char';
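Review bot: The first `db.Exec(stmt)` in `dbUpdateFromV28` discards its result, so if any of the three INSERTs fails the function still records schema version 29 and the docker profile is left without the `aadisable` device with nothing to flag it on a later run; I would write `if _, err := db.Exec(stmt); err != nil { return err }` (I cannot see from the hunk whether the older update functions check this error). The new statements also quote string values with double quotes (`"aadisable"`, `"docker"`, `"/dev/null"`) whereas the visible V27 statement uses single-quoted literals (`'unix-char'`); SQLite only falls back to treating a double-quoted token as a string when it does not resolve to a column name, so single quotes are the safer and consistent spelling. The `LEFT JOIN profiles` without an `ON` clause relies entirely on the WHERE filter; an explicit `JOIN profiles ON profiles_devices.profile_id = profiles.id` would state the intent and avoid a cross product if the filter is ever edited.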
@@ -979,6 +991,12 @@ func dbUpdate(d *Daemon, prevVersion int) error {
 			return err
 		}
 	}
+	if prevVersion < 29 {
+		err = dbUpdateFromV28(db)
+		if err != nil {
+			return err
+		}
+	}
 
 	return nil
 }

