[Lxc-users] LXC, AppArmor, NFS, and Ubuntu 12.04

Nathan Fisher nfisher+sfnet at junctionbox.ca
Fri Aug 31 09:04:16 UTC 2012


Hi Stéphane,

Okay, finally getting back to this.  It looks like option 4 doesn't appear
to work on 12.04 (Canonical's EC2 AMI). I've tried to use the following
fstab entry located in /var/lib/lxc/<container>/fstab;

/mnt/container /mnt none bind 0 0

When I start the container the host emits the following error in syslog;

Aug 30 16:17:25 ip-10-58-122-168 kernel: [30146397.707635] type=1400 audit(1346343445.967:42): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 parent=20530 profile="lxc-container-default" name="/var/lib/ureadahead/debugfs/" pid=20582 comm="ureadahead" fstype="debugfs" srcname="none" flags="rw"

The /mnt/container folder on the host is owned by root and has 0777
permissions.  Is creating an AppArmor profile my best option at this point
or is there something I'm missing?

Merci beaucoup!

Nathan

On 2 August 2012 18:38, Stéphane Graber <stgraber at ubuntu.com> wrote:

> On 08/02/2012 11:59 AM, Nathan Fisher wrote:
> > Hi,
> >
> > Previously using Ubuntu 11.10, upgraded to 12.04.  Under 12.04, NFS
> > shares no longer function due to AppArmor constraints on the mount
> > command.
> >
> > What is the prescribed best practice to mount NFS shares within a Guest
> > that will minimise maintenance with future Ubuntu updates for 12.04?
> >
> > I see three options at the moment;
> >
> > 1) Mount within the host.
>
> That might not work because of the different mount namespaces.
>
> > 2) Modify the AppArmor profile for lxc-containers (will this evolve
> > within 12.04 LTS?)
>
> That's certainly an option and we might be doing it by default as I
> don't think nfs is really dangerous to mount.
>
> > 3) Disable AppArmor.
>
> That's obviously a pretty bad idea :)
>
> 4) Add the line to /var/lib/lxc/<container>/fstab instead of /etc/fstab
> This will get lxc to mount it for you when creating the container. At
> that point of the process, the apparmor profile shouldn't prevent it
> from happening (though I haven't tested it).
>
>
> > Are there any other options that I've missed?  Option 2 is the most
> > desirable as it means the guest is self-contained and *somewhat*
> > transportable between a cluster of hosts.
> >
> > Thanks!
> >
> > Nathan
> > w: http://junctionbox.ca/
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
>


-- 
Nathan Fisher
 w: http://junctionbox.ca/
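The syslog line quoted in the message above is an AppArmor audit record built from key="value" (and some bare key=value) fields. When a container fails to start it is easier to triage such records programmatically, so that the profile, the denied operation, the process (comm), the filesystem type and the mount source can be read off directly instead of matched by eye. The script below is an added example written for this thread; it is not code from the thread, from the lxc-users list or from the LXC project. The sample log text is constructed here: its first line is the record quoted above, and the other two lines are made up in the same format purely to show the filtering.

```python
import re
from collections import Counter

# Constructed sample syslog text (not captured from a real host).
# Line 1 is the AppArmor denial quoted in the thread; lines 2 and 3 are
# made up in the same record format to exercise the filter.
SAMPLE_SYSLOG = """\
Aug 30 16:17:25 ip-10-58-122-168 kernel: [30146397.707635] type=1400 audit(1346343445.967:42): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 parent=20530 profile="lxc-container-default" name="/var/lib/ureadahead/debugfs/" pid=20582 comm="ureadahead" fstype="debugfs" srcname="none" flags="rw"
Aug 30 16:17:26 ip-10-58-122-168 kernel: [30146398.101234] type=1400 audit(1346343446.201:43): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 parent=1 profile="lxc-container-default" name="/mnt/" pid=20601 comm="mount" srcname="/mnt/container/" flags="rw, bind"
Aug 30 16:17:27 ip-10-58-122-168 kernel: [30146399.000000] type=1400 audit(1346343447.000:44): apparmor="ALLOWED" operation="open" profile="lxc-container-default" name="/etc/hosts" pid=20602 comm="cat"
"""

# Matches either key="quoted value" (values may contain spaces) or key=bare_value.
AUDIT_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]+))')


def parse_apparmor_line(line):
    """Return the fields of one AppArmor audit record as a dict, or None
    if the syslog line carries no AppArmor record at all."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for match in AUDIT_FIELD.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def denied_mounts(text):
    """Keep only records that are DENIED mount operations, in log order."""
    records = []
    for line in text.splitlines():
        rec = parse_apparmor_line(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount":
            records.append(rec)
    return records


def summarize(records):
    """Count denials by (profile, comm, fstype, name) so the triager sees at
    a glance which process and filesystem type tripped which profile."""
    return Counter(
        (r.get("profile"), r.get("comm"), r.get("fstype", "-"), r.get("name"))
        for r in records
    )


if __name__ == "__main__":
    for key, count in summarize(denied_mounts(SAMPLE_SYSLOG)).items():
        profile, comm, fstype, name = key
        print(f"{count}x profile={profile} comm={comm} fstype={fstype} name={name}")
```

Run against a real /var/log/syslog the summary separates denials by the process that issued the mount, which is the first thing to check: the record quoted in the thread names comm="ureadahead" and fstype="debugfs", so a triager can see from the fields alone which mount a given denial belongs to before deciding whether a profile change is warranted.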