[lxc-users] Fedora container thinks it is not running

Michael H. Warfield mhw at WittsEnd.com
Tue May 27 16:10:07 UTC 2014 

On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
> On Tue, May 27, 2014 at 2:20 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> > On Mon, May 26, 2014 at 10:22 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> >> Serge,
> >>
> >> On Thu, 2014-05-15 at 15:31 +0000, Serge Hallyn wrote:
> >>> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> >>> > On Thu, 2014-05-15 at 22:04 +0700, Fajar A. Nugraha wrote:
> >>
> >> [SNIP]
> >>
> >>> > > With the unconfied apparmor profile, it works as expected
> >>> > >
> >>> > >
> >>> > > ####
> >>> > > # lxc-ls -f f20
> >>> > > NAME  STATE    IPV4        IPV6  AUTOSTART
> >>> > > ------------------------------------------
> >>> > > f20   RUNNING  10.0.3.205  -     NO
> >>> > > ####
> >>> >
> >>> > Nice catch!  I wonder if there is some way I can automate that in the
> >>
> >>> What exactly is systemd doing at that spot?  (I suppose I shoudl go look
> >>> at git, but figure maybe you know offhand)  Perhaps it's something we can
> >>> add unconditionally to the apparmor profile.
> >>
> >> This came up again in another thread.  It's interesting that,
> >> apparently, this didn't cause the same problems with Fedora 19
> >> containers, which was still systemd, but is causing a SEGV from systemd
> >> with Fedora 20 containers.  They've changed something.
> >>
> >> In any case, I did set that aa_profile option to unconfined on my Fedora
> >> 20 host and it seems to simply be ignored.  Any heartburn if I make that
> >> the default for Fedora and CentOS containers by incorporating it into
> >> the common config files?
> >
> >
> > I had a chance to try it again and look at syslog this time. With the
> > default apparmor profile, you'd get this:
> >
> > May 27 13:52:47 trusty kernel: [57784.287089] type=1400
> > audit(1401173567.348:86): apparmor="DENIED" operation="mount"
> > info="failed type match" error=-13 profile="lxc-container-default"
> > name="/sys/fs/cgroup/systemd/" pid=3374 comm="systemd" fstype="cgroup"
> > srcname="cgroup" flags="rw, nosuid, nodev, noexec"
> >
> > ... plus a bunch of other lines for /sys/fs/cgroup/*.
> >
> > Looking at current rules as base, I created this
> >
> > ####
> > # cat lxc-fedora
> > # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> > # will source all profiles under /etc/apparmor.d/lxc
> >
> > profile lxc-container-fedora flags=(attach_disconnected,mediate_deleted) {
> >   #include <abstractions/lxc/container-base>
> >
> >   # the container may never be allowed to mount devpts.  If it does, it
> >   # will remount the host's devpts.  We could allow it to do it with
> >   # the newinstance option (but, right now, we don't).
> >   deny mount fstype=devpts,
> >
> >   # Allow cgroup mounts needed by systemd
> >   mount fstype=cgroup -> /sys/fs/cgroup/**,
> >
> >   # Deny writes to lxc cgroup
> >   deny /sys/fs/cgroup/**/lxc/** rwklx,
> > }
> > ####

> On further test, this seems enough

> ###
> # cat lxc-default-with-systemd
> profile lxc-container-default-with-systemd
> flags=(attach_disconnected,mediate_deleted) {
>   #include <abstractions/lxc/container-base>
>   deny mount fstype=devpts,
>   mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
> }
> ###

This sounds excellent.  It sounds like this should be incorporated into
the lxc package for any host distros supporting app armour and we could
then add that default to all the systemd based containers such as
Fedora, Suse, eventually Oracle, and eventually CentOS.

I agree it does seem to make more sense to use a restrictive profile
that covers the minimal set of requirements as opposed to unconfined.

That should be submitted as a patch over on the lxc-devel list then, for
Serge and Stéphane to review.  I see where the file would need to be
added in the config/apparmour/profiles directory but I'm not familiar
enough with the packaging for Ubuntu to know what changes would be
needed to add them there.

I could then add that new default to the {fedora|centos}.common.conf
config files for those containers.  Since it appears that the
lxc.aa_profile configuration parameter appears to be simply ignored on
systems which don't have apparmour or have it disabled, it does no harm
to simply set it and forget it across the board.

> During logout from console, there's a message like this

> [root at f20 ~]# logout
> Failed to mark scope session-c3.scope as abandoned : Stale file handle
> console-getty.service holdoff time over, scheduling restart.

> ... but the login prompt displayed correctly aftewards anyway. Is
> there something like "cgroup namespace", to prevent the container from
> seeing the same systemd cgroup as the host?

Yeah, I think that's cosmetic, maybe just a systemd service artifact.

> -- 
> Fajar

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140527/38b99509/attachment.sig>

More information about the lxc-users mailing list