[lxc-devel] [lxc/master] 2016 03 15/nest

hallyn on Github lxc-bot at linuxcontainers.org
Tue Mar 15 21:49:30 UTC 2016


From 49a2ed808cc2b53425d0fee55e9fc563dd961bf6 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Tue, 15 Mar 2016 14:43:44 -0700
Subject: [PATCH 1/2] nesting: document how to enable nesting in container
 configurations

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/Makefile.am    | 1 +
 src/lxc/lxccontainer.c | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 0861fa3..f361c3f 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -145,6 +145,7 @@ AM_CFLAGS=-I$(top_srcdir)/src \
 	-DLXCINITDIR=\"$(LXCINITDIR)\" \
 	-DLIBEXECDIR=\"$(LIBEXECDIR)\" \
 	-DLXCTEMPLATEDIR=\"$(LXCTEMPLATEDIR)\" \
+	-DLXCTEMPLATECONFIG=\"$(LXCTEMPLATECONFIG)\" \
 	-DLOGPATH=\"$(LOGPATH)\" \
 	-DLXC_DEFAULT_CONFIG=\"$(LXC_DEFAULT_CONFIG)\" \
 	-DLXC_USERNIC_DB=\"$(LXC_USERNIC_DB)\" \
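Review bot: The new `-DLXCTEMPLATECONFIG=\"$(LXCTEMPLATECONFIG)\"` define only yields a usable path if the build's configure step actually substitutes `LXCTEMPLATECONFIG`; configure.ac is not part of this patch, so that is worth confirming before merge. If it is not substituted the build still succeeds, the macro expands to `""`, and the hint that the lxccontainer.c hunk writes becomes `#lxc.include = /nesting.conf`, which points at the wrong place without any warning. Either a companion `AC_SUBST(LXCTEMPLATECONFIG)` hunk or a sentence in the commit message saying where it is already defined would close that gap.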
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index bb34bcd..c11ffe0 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1375,6 +1375,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[])
 	fprintf(f, "\n");
 #endif
 	fprintf(f, "# For additional config options, please look at lxc.container.conf(5)\n");
+	fprintf(f, "\n# Uncomment the following line to support nesting containers:\n");
+	fprintf(f, "#lxc.include = " LXCTEMPLATECONFIG "/nesting.conf\n");
+	fprintf(f, "# (Be aware this has security implications)\n\n");
 	if (fwrite(contents, 1, flen, f) != flen) {
 		SYSERROR("Writing original contents");
 		free(contents);
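Review bot: The added `#lxc.include` line splices the build-time path into the fprintf format string, so any `%` in `$(LXCTEMPLATECONFIG)` would be interpreted as a conversion specifier; `fprintf(f, "#lxc.include = %s/nesting.conf\n", LXCTEMPLATECONFIG);` is the same cost and removes that dependency on whatever path the packager configured. The security caveat on the following line is also vaguer than the template comments the second patch deletes, which named the concrete trade-off (`lxc-container-default-with-nesting` as a less-relaxed AppArmor profile than `unconfined`); since this generated header is now the only place a user sees the hint, it should at least say what the include changes, e.g. `# (Be aware this has security implications: nesting.conf presumably relaxes the\n# container's confinement; read it before enabling)`. I cannot see nesting.conf in this series, so the final wording should follow what that file actually does. prepend_lxc_header starts and ends outside this hunk, so the error path after the fwrite check is not visible here.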

From e6bff191fbc9ef335d9f6ddfc521eca0b4dd1fef Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Tue, 15 Mar 2016 14:47:44 -0700
Subject: [PATCH 2/2] nesting: remove the nesting hint from configuration
 templates

It is now inserted into every config by lxcapi_create
itself.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 config/templates/debian.common.conf.in | 4 ----
 config/templates/ubuntu.common.conf.in | 4 ----
 templates/lxc-cirros.in                | 2 --
 3 files changed, 10 deletions(-)

diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
index e034b95..07c2bc8 100644
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -9,10 +9,6 @@ lxc.devttydir =
 # (uncommented) to the container's configuration file.
 #lxc.aa_profile = unconfined
 
-# To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following line instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
-
 # If you wish to allow mounting block filesystems, then use the following
 # line instead, and make sure to grant access to the block device and/or loop
 # devices below in lxc.cgroup.devices.allow.
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 7e171de..a1c60d2 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -12,10 +12,6 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
 # (uncommented) to the container's configuration file.
 #lxc.aa_profile = unconfined
 
-# To support container nesting on an Ubuntu host while retaining most of
-# apparmor's added security, use the following line instead.
-#lxc.aa_profile = lxc-container-default-with-nesting
-
 # Uncomment the following line to autodetect squid-deb-proxy configuration on the
 # host and forward it to the guest at start time.
 #lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client
diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
index 55fc257..395416b 100644
--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -130,8 +130,6 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
-# To support container nesting on an Ubuntu host, uncomment next two lines:
-#lxc.aa_profile = lxc-container-default-with-nesting
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 
 lxc.cgroup.devices.deny = a

