[Lxc-users] trouble with remote mounts, ssh and ftp clients from inside container behind private bridge & NAT

Whit Blauvelt whit at transpect.com
Sat Nov 10 01:25:00 UTC 2012


On Fri, Nov 09, 2012 at 08:07:26PM -0500, Whit Blauvelt wrote:
> 
> Hmm. Looking here:
> 
> https://help.ubuntu.com/12.04/serverguide/lxc.html
> 
> when using lxc in Ubuntu, it looks like Apparmor steps all over it,
> particularly when it comes to mounting. Ubuntu even has Apparmor as an lxc
> dependency, so if you remove Apparmor it takes lxc with it. 
> 
> I'm going to have to follow the instructions there to make lxc "unconfined."
> Having a feature designed to break things, on the assumption that
> right-thinking people just shouldn't want to do those things anyway, is bad
> design. Especially when it's linked to an experimental feature like lxc,
> which people should want to explore to discover its unconfined best uses
> before deciding which aspects of it to lock down.

Okay, it was Apparmor that was breaking the mounting capability within the
container - although learning that it's far better to do that from the host
was worth the discussion here. I can understand Apparmor being set by
default to block mounting other parts of the host filesystem. Having it
blocked from mounting filesystems elsewhere is absurd. It's the
responsibility of the systems offering mounts to define who can use them.
There's no good reason to duplicate that responsibility on the lxc host.

Unfortunately getting Apparmor out of the way doesn't resolve the bizarre
inability to complete an ssh or ftp login dialog - the lxc guest still fails
to show the password prompts on the console, while evidently feeding the
remote end something that looks like line feeds so as to fail the login.

Whit




