[lxc-users] Fedora container thinks it is not running

Fajar A. Nugraha list at fajar.net
Tue May 27 07:20:43 UTC 2014


On Mon, May 26, 2014 at 10:22 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> Serge,
>
> On Thu, 2014-05-15 at 15:31 +0000, Serge Hallyn wrote:
>> Quoting Michael H. Warfield (mhw at WittsEnd.com):
>> > On Thu, 2014-05-15 at 22:04 +0700, Fajar A. Nugraha wrote:
>
> [SNIP]
>
>> > > With the unconfined apparmor profile, it works as expected
>> > >
>> > >
>> > > ####
>> > > # lxc-ls -f f20
>> > > NAME  STATE    IPV4        IPV6  AUTOSTART
>> > > ------------------------------------------
>> > > f20   RUNNING  10.0.3.205  -     NO
>> > > ####
>> >
>> > Nice catch!  I wonder if there is some way I can automate that in the
>
>> What exactly is systemd doing at that spot?  (I suppose I should go look
>> at git, but figure maybe you know offhand)  Perhaps it's something we can
>> add unconditionally to the apparmor profile.
>
> This came up again in another thread.  It's interesting that,
> apparently, this didn't cause the same problems with Fedora 19
> containers, which was still systemd, but is causing a SEGV from systemd
> with Fedora 20 containers.  They've changed something.
>
> In any case, I did set that aa_profile option to unconfined on my Fedora
> 20 host and it seems to simply be ignored.  Any heartburn if I make that
> the default for Fedora and CentOS containers by incorporating it into
> the common config files?


I had a chance to try it again and look at syslog this time. With the
default apparmor profile, you'd get this:

May 27 13:52:47 trusty kernel: [57784.287089] type=1400
audit(1401173567.348:86): apparmor="DENIED" operation="mount"
info="failed type match" error=-13 profile="lxc-container-default"
name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup"
srcname="cgroup" flags="rw, nosuid, nodev, noexec"

... plus a bunch of other lines for /sys/fs/cgroup/*.

Looking at current rules as base, I created this

####
# cat lxc-fedora
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-fedora flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,

  # Allow cgroup mounts needed by systemd
  mount fstype=cgroup -> /sys/fs/cgroup/**,

  # Deny writes to lxc cgroup
  deny /sys/fs/cgroup/**/lxc/** rwklx,
}
####

After "service apparmor reload", and with "lxc.aa_profile =
lxc-container-fedora", the container can now start successfully, and
the apparmor profile still prevents all modifications to lxc cgroup
and its descendants (which, for example, is used to limit the
container's max resource usage).

I think the above approach would be better (security wise) instead of
setting unconfined by default.

-- 
Fajar
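As an added illustration (not part of the thread, and not LXC or AppArmor project code), the script below does what the message above describes by hand: it parses the kernel `type=1400` audit lines that AppArmor emits, keeps only `apparmor="DENIED" operation="mount"` events, groups them by profile, filesystem type and mount target, and then sorts each group into "this is the cgroup mount systemd needs under /sys/fs/cgroup, cover it with the narrow rule from the profile above" versus "this is a devpts mount, which the profile deliberately keeps denied". The sample syslog text is constructed: the first line is the one quoted in the message, the cpu/memory/devpts lines stand in for the "bunch of other lines" and are made up, and the function names (`parse_apparmor_line`, `mount_denials`, `classify`) are this example's own.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt. Line 1 is the DENIED line quoted in the
# thread (re-joined onto one line as syslog writes it); the others are made up
# to stand in for the additional /sys/fs/cgroup/* denials and for a devpts
# attempt, plus one unrelated line to show that non-AppArmor lines are skipped.
SAMPLE_SYSLOG = """\
May 27 13:52:47 trusty kernel: [57784.287089] type=1400 audit(1401173567.348:86): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:47 trusty kernel: [57784.287301] type=1400 audit(1401173567.348:87): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpu/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:47 trusty kernel: [57784.287512] type=1400 audit(1401173567.348:88): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/memory/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:48 trusty kernel: [57785.001122] type=1400 audit(1401173568.010:89): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/dev/pts/" pid=3374 comm="systemd" fstype="devpts" srcname="devpts" flags="rw, nosuid, noexec"
May 27 13:52:49 trusty sshd[1234]: Accepted publickey for user from 10.0.3.1 port 50000 ssh2
"""

# key=value pairs; quoted values may contain spaces and commas
# (e.g. flags="rw, nosuid, nodev, noexec"), unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The narrow rule used in the lxc-container-fedora profile above.
CGROUP_RULE = "mount fstype=cgroup -> /sys/fs/cgroup/**,"


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if the
    line is not an AppArmor message at all."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def mount_denials(text):
    """Count DENIED mount events per (profile, fstype, target name)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_apparmor_line(line)
        if not f:
            continue
        if f.get("apparmor") != "DENIED" or f.get("operation") != "mount":
            continue
        key = (f.get("profile", "?"), f.get("fstype", "?"), f.get("name", "?"))
        counts[key] += 1
    return counts


def classify(fstype, name):
    """Decide how a denied mount should be handled, following the reasoning in
    the profile above: cgroup mounts under /sys/fs/cgroup are what systemd
    needs and get the narrow allow rule; devpts must stay denied because it
    would remount the host's devpts; anything else needs a human look."""
    if fstype == "cgroup" and name.startswith("/sys/fs/cgroup/"):
        return "allow: " + CGROUP_RULE
    if fstype == "devpts":
        return "keep denied (would remount the host's devpts)"
    return "review manually"


def report(text):
    """Human-readable summary; returns the lines so callers can check them."""
    lines = []
    for (profile, fstype, name), n in sorted(mount_denials(text).items()):
        lines.append(f"{profile}: {n}x mount fstype={fstype} -> {name}: "
                     f"{classify(fstype, name)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SYSLOG):
        print(line)
```

Run it against `journalctl -k` or `/var/log/syslog` output instead of the constructed sample to see exactly which mounts a container's init was refused before loosening a profile; the point of grouping by fstype and target is that the resulting rule can be scoped to `fstype=cgroup -> /sys/fs/cgroup/**` rather than to `unconfined`.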
