[Lxc-users] Bind9/named does not work with Debian Lenny

Serge E. Hallyn serge.hallyn at ubuntu.com
Wed Mar 23 14:41:16 UTC 2011


Quoting Christoph Mitasch (cmitasch at thomas-krenn.com):
> Hi,
> 
> I just resolved it, it was related to Apparmor on the host.
> 
> The host has a rule regarding bind (/etc/apparmor.d/usr.sbin.named), but
> bind has changed the pid file from Lenny (/var/run/bind/run/named.pid)
> to Squeeze (/var/run/named/named.pid). So the Apparmor rule worked for
> the Squeeze guest but not for Lenny.
> 
> Are there any recommendations regarding Apparmor on the host?
> Is it best to disable it when running different Linux Distros on one host?

Interesting question.  Can we have lxc-start enter a different
namespace of domains?  At first, by default, it can just be
fully permissive.  Then we can think about sane rules to add to
lock down the container, and maybe even add other container-specific
domains to the namespace?

(CC'd some apparmor folks who might be helpful)

> Regards,
> Christoph
> 
> On 03/23/2011 03:38 PM, Christoph Mitasch wrote:
> > Hi,
> > 
> > I recently tried to run the bind9 package inside a Debian Lenny
> > container. It fails to start with the following message in /var/log/syslog:
> > Mar 23 14:28:37 blub named[831]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
> > Mar 23 14:28:37 blub named[831]: exiting (due to early fatal error)
> > 
> > I've created the container with the help of the lxc-lenny template script.
> > 
> > When creating a Debian Squeeze container with lxc-debian, bind9 works
> > out of the box as expected.
> > 
> > Any ideas what could be the problem here?
> > 
> > Thank you,
> > Christoph
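Added example, not part of the thread and not code from the LXC or AppArmor projects: a small Python check for whether a host profile grants write access to each guest's named pid path, which is the mismatch described above. The profile text is a constructed sample rather than the real usr.sbin.named file, and the parser is a simplification that handles only plain file rules with the `*`, `**`, `?` and `{a,b}` globs (no includes, variables or character classes).

```python
import re
# Constructed sample, NOT the real Debian/Ubuntu profile: it only knows the
# Squeeze pid path, which is the situation described in the thread.
SAMPLE_PROFILE = """
/usr/sbin/named {
  /etc/bind/** r,
  /var/cache/bind/** rw,
  /var/run/named/named.pid w,
}
"""
# Plain file rule: [deny] [owner] /path perms,
RULE = re.compile(r"^\s*(deny\s+)?(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*(?:#.*)?$")

def glob_to_regex(glob):
    """Translate the AppArmor globs handled here: **, *, ? and {a,b}."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")        # ** crosses directory separators
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def may_write(profile_text, path):
    """True if an allow rule grants 'w' on path and no deny rule revokes it."""
    allowed = denied = False
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m or "w" not in m.group(3) or not glob_to_regex(m.group(2)).match(path):
            continue
        denied |= bool(m.group(1))
        allowed |= not m.group(1)
    return allowed and not denied
```

Calling `may_write(SAMPLE_PROFILE, path)` for each guest release's pid path before starting a container shows which guests the host profile will block.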