[lxc-users] Fedora container thinks it is not running

Fajar A. Nugraha list at fajar.net
Tue May 27 08:33:03 UTC 2014


On Tue, May 27, 2014 at 2:20 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Mon, May 26, 2014 at 10:22 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
>> Serge,
>>
>> On Thu, 2014-05-15 at 15:31 +0000, Serge Hallyn wrote:
>>> Quoting Michael H. Warfield (mhw at WittsEnd.com):
>>> > On Thu, 2014-05-15 at 22:04 +0700, Fajar A. Nugraha wrote:
>>
>> [SNIP]
>>
>>> > > With the unconfined apparmor profile, it works as expected
>>> > >
>>> > >
>>> > > ####
>>> > > # lxc-ls -f f20
>>> > > NAME  STATE    IPV4        IPV6  AUTOSTART
>>> > > ------------------------------------------
>>> > > f20   RUNNING  10.0.3.205  -     NO
>>> > > ####
>>> >
>>> > Nice catch!  I wonder if there is some way I can automate that in the
>>
>>> What exactly is systemd doing at that spot?  (I suppose I should go look
>>> at git, but figure maybe you know offhand)  Perhaps it's something we can
>>> add unconditionally to the apparmor profile.
>>
>> This came up again in another thread.  It's interesting that,
>> apparently, this didn't cause the same problems with Fedora 19
>> containers, which was still systemd, but is causing a SEGV from systemd
>> with Fedora 20 containers.  They've changed something.
>>
>> In any case, I did set that aa_profile option to unconfined on my Fedora
>> 20 host and it seems to simply be ignored.  Any heartburn if I make that
>> the default for Fedora and CentOS containers by incorporating it into
>> the common config files?
>
>
> I had a chance to try it again and look at syslog this time. With the
> default apparmor profile, you'd get this:
>
> May 27 13:52:47 trusty kernel: [57784.287089] type=1400
> audit(1401173567.348:86): apparmor="DENIED" operation="mount"
> info="failed type match" error=-13 profile="lxc-container-default"
> name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup"
> srcname="cgroup" flags="rw, nosuid, nodev, noexec"
>
> ... plus a bunch of other lines for /sys/fs/cgroup/*.
>
> Looking at current rules as base, I created this
>
> ####
> # cat lxc-fedora
> # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
>
> profile lxc-container-fedora flags=(attach_disconnected,mediate_deleted) {
>   #include <abstractions/lxc/container-base>
>
>   # the container may never be allowed to mount devpts.  If it does, it
>   # will remount the host's devpts.  We could allow it to do it with
>   # the newinstance option (but, right now, we don't).
>   deny mount fstype=devpts,
>
>   # Allow cgroup mounts needed by systemd
>   mount fstype=cgroup -> /sys/fs/cgroup/**,
>
>   # Deny writes to lxc cgroup
>   deny /sys/fs/cgroup/**/lxc/** rwklx,
> }
> ####


On further test, this seems enough

###
# cat lxc-default-with-systemd
profile lxc-container-default-with-systemd
flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
}
###


During logout from console, there's a message like this

[root at f20 ~]# logout
Failed to mark scope session-c3.scope as abandoned : Stale file handle
console-getty.service holdoff time over, scheduling restart.

... but the login prompt displayed correctly afterwards anyway. Is
there something like "cgroup namespace", to prevent the container from
seeing the same systemd cgroup as the host?

-- 
Fajar

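Added example, not part of the thread above: a small Python parser for the AppArmor audit lines of the kind quoted in the message (`apparmor="DENIED" operation="mount" ...`), which pulls out the profile, mount target, fstype and flags, and turns each mount denial into a candidate rule scoped to the exact target path rather than a `/sys/fs/cgroup/**` wildcard. The first sample line is the one from the thread; the two further lines are constructed in the same shape (made-up pids, sequence numbers and controller names), and the rule generator is a heuristic for review, not an LXC or AppArmor tool.

```python
import re
from typing import Dict, List

# Constructed sample input. Line 1 is the denial quoted in the thread
# (joined onto one line); lines 2 and 3 are made up in the same shape to
# stand in for the "bunch of other lines for /sys/fs/cgroup/*".
SAMPLE_LOG = """\
May 27 13:52:47 trusty kernel: [57784.287089] type=1400 audit(1401173567.348:86): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:47 trusty kernel: [57784.287201] type=1400 audit(1401173567.348:87): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpu,cpuacct/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:48 trusty kernel: [57784.301555] type=1400 audit(1401173568.012:88): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/memory/" pid=3374 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
May 27 13:52:49 trusty kernel: [57784.400000] something unrelated happened
"""

# key="quoted value" or key=bareword (pid=3374, error=-13, ...)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Return the key/value fields of one AppArmor audit record.

    Only the part from apparmor= onwards is parsed, so the syslog prefix
    and the audit(...) serial are skipped. Non-AppArmor lines give {}.
    """
    if 'apparmor="' not in line:
        return {}
    _, sep, tail = line.partition("apparmor=")
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(sep + tail):
        fields[key] = bare if bare else quoted
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every AppArmor record in a block of syslog text."""
    records = (parse_apparmor_line(line) for line in text.splitlines())
    return [r for r in records if r]


def mount_denials(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only DENIED mount operations (what systemd hits in the container)."""
    return [r for r in records
            if r.get("apparmor") == "DENIED" and r.get("operation") == "mount"]


def suggest_mount_rule(rec: Dict[str, str]) -> str:
    """Build a candidate AppArmor mount rule for one denial.

    Heuristic (assumption of this example): the kernel's flags= list maps
    onto AppArmor mount options, and the target is the exact name= path,
    which is tighter than a /sys/fs/cgroup/** wildcard. The output is a
    starting point for the profile author to check, not a final rule.
    """
    opts = ",".join(f.strip() for f in rec.get("flags", "").split(",") if f.strip())
    parts = ["mount"]
    if opts:
        parts.append(f"options=({opts})")
    if rec.get("fstype"):
        parts.append(f"fstype={rec['fstype']}")
    parts.append(f"-> {rec['name']},")
    return " ".join(parts)


def rules_by_profile(text: str) -> Dict[str, List[str]]:
    """Group candidate rules under the profile that produced the denials,
    de-duplicated and in first-seen order."""
    grouped: Dict[str, List[str]] = {}
    for rec in mount_denials(parse_log(text)):
        rule = suggest_mount_rule(rec)
        bucket = grouped.setdefault(rec["profile"], [])
        if rule not in bucket:
            bucket.append(rule)
    return grouped


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Feeding it the sample yields one rule per cgroup hierarchy, each pinned to its own mount point, which is the same narrowing the thread's final profile does by hand for `/sys/fs/cgroup/systemd/`.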
