[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Fajar A. Nugraha list at fajar.net
Tue May 27 17:37:01 UTC 2014


(changed subject to match content)

On Tue, May 27, 2014 at 11:10 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
>> On further test, this seems enough
>
>> ###
>> # cat lxc-default-with-systemd
>> profile lxc-container-default-with-systemd
>> flags=(attach_disconnected,mediate_deleted) {
>>   #include <abstractions/lxc/container-base>
>>   deny mount fstype=devpts,
>>   mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
>> }
>> ###
>
> This sounds excellent.  It sounds like this should be incorporated into
> the lxc package for any host distros supporting AppArmor and we could
> then add that default to all the systemd based containers such as
> Fedora, Suse, eventually Oracle, and eventually CentOS.
>
> I agree it does seem to make more sense to use a restrictive profile
> that covers the minimal set of requirements as opposed to unconfined.
>
> That should be submitted as a patch over on the lxc-devel list then, for
> Serge and Stéphane to review.  I see where the file would need to be
> added in the config/apparmour/profiles directory but I'm not familiar
> enough with the packaging for Ubuntu to know what changes would be
> needed to add them there.

I'll let Serge comment on this one.


As a side note, I've tested opensuse 13.1 (using the squashfs root
from rescue ISO) and it has two additional complaints with the previous
apparmor profile:

May 27 17:12:50 trusty kernel: [66563.219898] type=1400
audit(1401185570.578:9249): apparmor="DENIED" operation="mount"
info="failed type match" error=-13
profile="lxc-container-default-with-systemd" name="/var/run/"
pid=30648 comm="mount" srcname="/run/" flags="rw, bind"

May 27 17:21:20 trusty kernel: [67073.932892] type=1400
audit(1401186080.906:9846): apparmor="DENIED" operation="mount"
info="failed flags match" error=-13 profile="lxc-container-opensuse"
name="/proc/" pid=4158 comm="mount" flags="rw, remount"

The second one (/proc) is pretty harmless, so I ignored it. The first
one (/var/run) produced lots of errors:

[FAILED] Failed to mount Runtime Directory.
See 'systemctl status var-run.mount' for details.
[DEPEND] Dependency failed for System Logging Service.
         Mounting Runtime Directory...


... and made syslog (and possibly other services) fail to start, so
for opensuse I had to adjust the profile even further:

###
profile lxc-container-opensuse flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
  mount options=(rw,bind),
}
###

Bind mounts inside a container should be safe, right? While there are
still some problems with opensuse container (e.g. shutdown takes a
long time on "systemctl stop network at eth0.service"), it is at least
usable for testing purposes.

-- 
Fajar
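An added example (not part of the mailing-list post, and not LXC or AppArmor project code) that turns denials like the two quoted above into profile rules. It parses the key=value fields of AppArmor "DENIED" audit lines and, for each mount denial, renders the narrowest mount rule that would have matched it (options, fstype, source and target), which is the alternative to the broad `mount options=(rw,bind),` rule in the post that permits every bind mount in the container. The two sample lines are the ones quoted in the post, re-joined onto single lines; the generated rules follow the documented AppArmor mount rule grammar but are suggestions to review and test against the real profile, not rules that have been loaded here.

```python
import re
from collections import defaultdict

# The two AppArmor denials quoted in the post above, re-joined onto one line each.
SAMPLE_LOG = [
    'May 27 17:12:50 trusty kernel: [66563.219898] type=1400 '
    'audit(1401185570.578:9249): apparmor="DENIED" operation="mount" '
    'info="failed type match" error=-13 '
    'profile="lxc-container-default-with-systemd" name="/var/run/" '
    'pid=30648 comm="mount" srcname="/run/" flags="rw, bind"',
    'May 27 17:21:20 trusty kernel: [67073.932892] type=1400 '
    'audit(1401186080.906:9846): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxc-container-opensuse" '
    'name="/proc/" pid=4158 comm="mount" flags="rw, remount"',
]

# Audit fields are key=value, where the value is either bare or double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_event(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_mount_denial(event):
    """True for AppArmor DENIED events whose operation is a mount."""
    return event.get("apparmor") == "DENIED" and event.get("operation") == "mount"


def suggested_mount_rule(event):
    """Render the narrowest AppArmor mount rule matching this single denial.

    AppArmor mount rule grammar: mount [options=(...)] [fstype=...] [source] [-> target],
    Only the fields present in the denial are emitted, so a bind mount keeps
    its source and target while a remount only names the target.
    """
    parts = ["mount"]
    if "flags" in event:
        options = ",".join(flag.strip() for flag in event["flags"].split(","))
        parts.append("options=(%s)" % options)
    if "fstype" in event:
        parts.append("fstype=%s" % event["fstype"])
    if "srcname" in event:
        parts.append(event["srcname"])
    if "name" in event:
        parts.append("-> %s" % event["name"])
    return " ".join(parts) + ","


def rules_by_profile(lines):
    """Group the suggested rules by the profile that produced each denial,
    dropping duplicates so a noisy log yields one rule per distinct mount."""
    suggestions = defaultdict(list)
    for line in lines:
        event = parse_apparmor_event(line)
        if not is_mount_denial(event):
            continue
        rule = suggested_mount_rule(event)
        if rule not in suggestions[event["profile"]]:
            suggestions[event["profile"]].append(rule)
    return dict(suggestions)


if __name__ == "__main__":
    # Typical use: feed it the DENIED lines grepped out of the host's kernel log.
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print("profile %s would need:" % profile)
        for rule in rules:
            print("  " + rule)
```

For the first denial this yields `mount options=(rw,bind) /run/ -> /var/run/,`, which permits only the bind mount systemd actually performs rather than any bind mount, and for the second `mount options=(rw,remount) -> /proc/,`, which the post chose to leave denied.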

