[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Serge Hallyn serge.hallyn at ubuntu.com
Wed May 28 22:08:09 UTC 2014


Quoting Fajar A. Nugraha (list at fajar.net):
> (changed subject to match content)
> 
> On Tue, May 27, 2014 at 11:10 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> > On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
> >> On further test, this seems enough
> >
> >> ###
> >> # cat lxc-default-with-systemd
> >> profile lxc-container-default-with-systemd
> >> flags=(attach_disconnected,mediate_deleted) {
> >>   #include <abstractions/lxc/container-base>
> >>   deny mount fstype=devpts,
> >>   mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
> >> }
> >> ###
> >
> > This sounds excellent.  It sounds like this should be incorporated into
> > the lxc package for any host distros supporting app armour and we could
> > then add that default to all the systemd based containers such as
> > Fedora, Suse, eventually Oracle, and eventually CentOS.
> >
> > I agree it does seem to make more sense to use a restrictive profile
> > that covers the minimal set of requirements as opposed to unconfined.
> >
> > That should be submitted as a patch over on the lxc-devel list then, for
> > Serge and Stéphane to review.  I see where the file would need to be
> > added in the config/apparmour/profiles directory but I'm not familiar
> > enough with the packaging for Ubuntu to know what changes would be
> > needed to add them there.
> 
> I'll let Serge comment on this one.
> 
> 
> As a side note, I've tested opensuse 13.1 (using the squashfs root
> from rescue ISO) and it has two additional complaints with the previous
> apparmor profile:
> 
> May 27 17:12:50 trusty kernel: [66563.219898] type=1400
> audit(1401185570.578:9249): apparmor="DENIED" operation="mount"
> info="failed type match" error=-13
> profile="lxc-container-default-with-systemd" name="/var/run/"
> pid=30648 comm="mount" srcname="/run/" flags="rw, bind"

Hm.  In Debian/Ubuntu this is done with a /var/run -> /run
symlink...

> May 27 17:21:20 trusty kernel: [67073.932892] type=1400
> audit(1401186080.906:9846): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-container-opensuse"
> name="/proc/" pid=4158 comm="mount" flags="rw, remount"
> 
> the second one (/proc) is pretty harmless, so I ignored it. The first
> one (/var/run) produced lots of errors
> 
> [FAILED] Failed to mount Runtime Directory.
> See 'systemctl status var-run.mount' for details.
> [DEPEND] Dependency failed for System Logging Service.
>          Mounting Runtime Directory...
> 
> 
> ... and made syslog (and possibly other services) fail to start, so
> for opensuse I had to adjust the profile even further
> 
> ###
> profile lxc-container-opensuse flags=(attach_disconnected,mediate_deleted) {
>   #include <abstractions/lxc/container-base>
>   deny mount fstype=devpts,
>   mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
>   mount options=(rw,bind),
> }
> ###
> 
> Bind mounts inside a container should be safe, right? While there are
> still some problems with opensuse container (e.g. shutdown takes a
> long time on "systemctl stop network at eth0.service"), it is at least
> usable for testing purposes.

would systemd be happy with it being mounted by lxc using an
lxc.mount.entry?  I think that would be preferable to relaxing the
apparmor policy.  i.e.

lxc.mount.entry = /sys/fs/cgroup/systemd sys/fs/cgroup/systemd none bind,create=dir,optional 0 0

Or, of course, you can just do

lxc.mount.auto = cgroup:mixed

which should give you /sys/fs/cgroup/systemd if it exists on the host, and in a
safer way.  Now if /sys/fs/cgroup/systemd does not exist on the host, these
won't work...

As you say the bind mounts should be ok - although some of the mount options
stuff doesn't work right in many apparmor parsers.  So we'd want to make
sure that 'mount options=(rw,bind)' does in fact only allow that, instead
of suddenly allowing all mounts, as I've unfortunately seen happen when I tried
to selectively allow some other mount options.

-serge
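The two kernel audit lines quoted in this thread are the raw material for deciding which mount rule a profile is missing. As an added example (not code from the thread or from the LXC project), here is a small Python triage script that parses AppArmor `type=1400` audit lines, keeps only the mount denials, and reports per profile the target, the bind source and the mount flags, so that a "failed type match" (the `/var/run` bind mount) can be told apart from a "failed flags match" (the `/proc` remount) before anyone widens a profile. The sample log is constructed: the first two lines are the thread's own messages re-joined onto one line each, as dmesg prints them; the third is an invented ALLOWED line to show that non-denials are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: the two DENIED lines from the thread (re-joined)
# plus one invented ALLOWED line that the triage must ignore.
SAMPLE_LOG = """\
May 27 17:12:50 trusty kernel: [66563.219898] type=1400 audit(1401185570.578:9249): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-systemd" name="/var/run/" pid=30648 comm="mount" srcname="/run/" flags="rw, bind"
May 27 17:21:20 trusty kernel: [67073.932892] type=1400 audit(1401186080.906:9846): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-opensuse" name="/proc/" pid=4158 comm="mount" flags="rw, remount"
May 27 17:21:21 trusty kernel: [67074.000000] type=1400 audit(1401186081.000:9847): apparmor="ALLOWED" operation="mount" profile="lxc-container-opensuse" name="/tmp/" pid=4159 comm="mount" flags="rw, bind"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(?:^|\s)(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line carries no apparmor= field at all."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted != "" else bare
    if "apparmor" not in fields:
        return None
    # Mount flags come as a comma-separated string: "rw, bind" -> ["rw", "bind"].
    if "flags" in fields:
        fields["flags"] = [f.strip() for f in fields["flags"].split(",") if f.strip()]
    return fields


def mount_denials(log_text):
    """All DENIED mount operations in the log, in order of appearance."""
    out = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount":
            out.append(rec)
    return out


def is_bind_mount(rec):
    """True when the denied mount is a bind mount (has a srcname or the bind flag)."""
    return "srcname" in rec or "bind" in rec.get("flags", [])


def summarize(log_text):
    """Group denials by profile: profile -> list of (info, name, srcname, flags)."""
    by_profile = defaultdict(list)
    for rec in mount_denials(log_text):
        by_profile[rec["profile"]].append(
            (rec.get("info", ""), rec["name"], rec.get("srcname"), tuple(rec.get("flags", [])))
        )
    return dict(by_profile)


if __name__ == "__main__":
    for profile, items in summarize(SAMPLE_LOG).items():
        print(profile)
        for info, name, src, flags in items:
            src_txt = f" from {src}" if src else ""
            print(f"  {info}: mount{src_txt} on {name} flags={','.join(flags)}")
```

Run it against `journalctl -k` or `dmesg` output instead of `SAMPLE_LOG` to see which profile and which flag combination a container is tripping over; the `info` field is the part that tells you whether a missing fstype rule or a missing flags rule is at fault.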

