[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)
Serge Hallyn
serge.hallyn at ubuntu.com
Wed May 28 22:08:09 UTC 2014
Quoting Fajar A. Nugraha (list at fajar.net):
> (changed subject to match content)
>
> On Tue, May 27, 2014 at 11:10 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> > On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
> >> On further test, this seems enough
> >
> >> ###
> >> # cat lxc-default-with-systemd
> >> profile lxc-container-default-with-systemd
> >> flags=(attach_disconnected,mediate_deleted) {
> >> #include <abstractions/lxc/container-base>
> >> deny mount fstype=devpts,
> >> mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
> >> }
> >> ###
> >
> > This sounds excellent. It sounds like this should be incorporated into
> > the lxc package for any host distros supporting app armour and we could
> > then add that default to all the systemd based containers such as
> > Fedora, Suse, eventually Oracle, and eventually CentOS.
> >
> > I agree it does seem to make more sense to use a restrictive profile
> > that covers the minimal set of requirements as opposed to unconfined.
> >
> > That should be submitted as a patch over on the lxc-devel list then, for
> > Serge and Stéphane to review. I see where the file would need to be
> > added in the config/apparmour/profiles directory but I'm not familiar
> > enough with the packaging for Ubuntu to know what changes would be
> > needed to add them there.
>
> I'll let Serge comment on this one.
>
>
> As a side note, I've tested opensuse 13.1 (using the squashfs root
> from rescue ISO) and it has two additional complaints with the previous
> apparmor profile:
>
> May 27 17:12:50 trusty kernel: [66563.219898] type=1400
> audit(1401185570.578:9249): apparmor="DENIED" operation="mount"
> info="failed type match" error=-13
> profile="lxc-container-default-with-systemd" name="/var/run/"
> pid=30648 comm="mount" srcname="/run/" flags="rw, bind"
Hm. In Debian/Ubuntu this is done with a /var/run -> /run
symlink...
> May 27 17:21:20 trusty kernel: [67073.932892] type=1400
> audit(1401186080.906:9846): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-container-opensuse"
> name="/proc/" pid=4158 comm="mount" flags="rw, remount"
>
> the second one (/proc) is pretty harmless, so I ignored it. The first
> one (/var/run) produced lots of errors
>
> [FAILED] Failed to mount Runtime Directory.
> See 'systemctl status var-run.mount' for details.
> [DEPEND] Dependency failed for System Logging Service.
> Mounting Runtime Directory...
>
>
> ... and made syslog (and possibly other services) fail to start, so
> for opensuse I had to adjust the profile even further
>
> ###
> profile lxc-container-opensuse flags=(attach_disconnected,mediate_deleted) {
> #include <abstractions/lxc/container-base>
> deny mount fstype=devpts,
> mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
> mount options=(rw,bind),
> }
> ###
>
> Bind mounts inside a container should be safe, right? While there are
> still some problems with opensuse container (e.g. shutdown takes a
> long time on "systemctl stop network at eth0.service"), it is at least
> usable for testing purposes.
would systemd be happy with it being mounted by lxc using an
lxc.mount.entry? I think that would be preferable to relaxing the
apparmor policy. i.e.
lxc.mount.entry = /sys/fs/cgroup/systemd sys/fs/cgroup/systemd none bind,create=dir,optional 0 0
Or, of course, you can just do
lxc.mount.auto = cgroup:mixed
which should give you /sys/fs/cgroup/systemd if it exists on the host, and in a
safer way. Now if /sys/fs/cgroup/systemd does not exist on the host, these
won't work...
As you say the bind mounts should be ok - although some of the mount options
stuff doesn't work right in many apparmor parsers. So we'd want to make
sure that 'mount options=(rw,bind)' does in fact only allow that, instead
of suddenly allowing all mounts, as I've unfortunately seen happen when I tried
to selectively allow some other mount options.
-serge
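To triage denials like the two quoted above before deciding whether a profile needs an extra rule, here is a small parser for the AppArmor audit records as they appear in the kernel log, with a check that tells bind mounts (the case Fajar relaxed the profile for) apart from other mount types. This is an added example, not code from the thread or from the LXC project; the sample input is the thread's two denial records, re-joined onto one line each.

```python
import re

# The two apparmor="DENIED" records from the thread above, each put back on one line.
SAMPLE_LOG = """\
May 27 17:12:50 trusty kernel: [66563.219898] type=1400 audit(1401185570.578:9249): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-systemd" name="/var/run/" pid=30648 comm="mount" srcname="/run/" flags="rw, bind"
May 27 17:21:20 trusty kernel: [67073.932892] type=1400 audit(1401186080.906:9846): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-opensuse" name="/proc/" pid=4158 comm="mount" flags="rw, remount"
"""

# AppArmor audit records carry their fields as key="value" pairs.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_denials(text):
    """Return one dict per apparmor="DENIED" record in the given log text.

    The 'flags' field is split into a tuple of mount flags so callers can
    test for individual flags without string matching.
    """
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = dict(_KV_RE.findall(line))
        rec["flags"] = tuple(f.strip() for f in rec.get("flags", "").split(",") if f.strip())
        records.append(rec)
    return records


def is_bind_mount(rec):
    """True when the denied operation was a bind mount (what 'mount options=(rw,bind)' is meant to cover)."""
    return rec.get("operation") == "mount" and "bind" in rec["flags"]


def summarise(records):
    """Group denied mount attempts by profile: profile -> [(source, target, flags), ...]."""
    out = {}
    for rec in records:
        if rec.get("operation") != "mount":
            continue
        out.setdefault(rec["profile"], []).append((rec.get("srcname"), rec.get("name"), rec["flags"]))
    return out


if __name__ == "__main__":
    for profile, attempts in summarise(parse_apparmor_denials(SAMPLE_LOG)).items():
        for src, dst, flags in attempts:
            print(profile, src, "->", dst, ",".join(flags))
```

Running it on the thread's records shows the /var/run denial as a plain bind mount of /run and the /proc one as a remount, so only the first is a candidate for a bind-mount rule.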