[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Fajar A. Nugraha list at fajar.net
Thu May 29 00:08:44 UTC 2014


On Thu, May 29, 2014 at 5:08 AM, Serge Hallyn <serge.hallyn at ubuntu.com>wrote:

> Quoting Fajar A. Nugraha (list at fajar.net):
> > (changed subject to match content)
> >
> > On Tue, May 27, 2014 at 11:10 PM, Michael H. Warfield <mhw at wittsend.com>
> wrote:
> > > On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
> > >> On further test, this seems enough
> > >
> > >> ###
> > >> # cat lxc-default-with-systemd
> > >> profile lxc-container-default-with-systemd
> > >> flags=(attach_disconnected,mediate_deleted) {
> > >>   #include <abstractions/lxc/container-base>
> > >>   deny mount fstype=devpts,
> > >>   mount options=(none,name=systemd) fstype=cgroup ->
> /sys/fs/cgroup/systemd/,
> > >> }
> > >> ###
> > >
> > > This sounds excellent.  It sounds like this should be incorporated into
> > > the lxc package for any host distros supporting app armour and we could
> > > then add that default to all the systemd based containers such as
> > > Fedora, Suse, eventually Oracle, and eventually CentOS.
> > >
> > > I agree it does seem to make more sense to use a restrictive profile
> > > that covers the minimal set of requirements as opposed to unconfined.
> > >
> > > That should be submitted as a patch over on the lxc-devel list then,
> for
> > > Serge and Stéphane to review.  I see where the file would need to be
> > > added in the config/apparmour/profiles directory but I'm not familiar
> > > enough with the packaging for Ubuntu to know what changes would be
> > > needed to add them there.
> >
> > I'll let Serge comment on this one.
> >
> >
> > As a side note, I've tested opensuse 13.1 (using the squashfs root
> > from rescue ISO) and it has two additional complains with the previous
> > apparmor profile:
> >
> > May 27 17:12:50 trusty kernel: [66563.219898] type=1400
> > audit(1401185570.578:9249): apparmor="DENIED" operation="mount"
> > info="failed type match" error=-13
> > profile="lxc-container-default-with-systemd" name="/var/run/"
> > pid=30648 comm="mount" srcname="/run/" flags="rw, bind"
>
> Hm.  In Debian/Ubuntu this is done with a /var/run -> /run
> symlink...
>

something like that could probably be added to the opensuse template,
modifying the current mount service.


>
> > May 27 17:21:20 trusty kernel: [67073.932892] type=1400
> > audit(1401186080.906:9846): apparmor="DENIED" operation="mount"
> > info="failed flags match" error=-13 profile="lxc-container-opensuse"
> > name="/proc/" pid=4158 comm="mount" flags="rw, remount"
> >
> > the second one (/proc) is pretty harmless, so I ignored it. The first
> > one (/var/run) produced lots of errors
> >
> > [FAILED] Failed to mount Runtime Directory.
> > See 'systemctl status var-run.mount' for details.
> > [DEPEND] Dependency failed for System Logging Service.
> >          Mounting Runtime Directory...
> >
> >
> > ... and made syslog (and possibly other services) failed to start, so
> > for opensuse I had to adjust the profile even further
> >
> > ###
> > profile lxc-container-opensuse
> flags=(attach_disconnected,mediate_deleted) {
> >   #include <abstractions/lxc/container-base>
> >   deny mount fstype=devpts,
> >   mount options=(none,name=systemd) fstype=cgroup ->
> /sys/fs/cgroup/systemd/,
> >   mount options=(rw,bind),
> > }
> > ###
> >
> > Bind mounts inside a container should be safe, right? While there are
> > still some problems with opensuse container (e.g. shutdown takes a
> > long time on "systemctl stop network at eth0.service"), it is at least
> > usable for testing purposes.
>
> would systemd be happy with it being mounted by lxc using an
> lxc.mount.entry?  I think that would be preferable to relaxing the
> apparmor policy.  i.e.
>
> lxc.mount.entry = /sys/fs/cgroup/systemd sys/fs/cgroup/systemd none
> bind,create=dir,optional 0 0
>
>
Wouldn't that be shadowed by the container mounting its own /sys?
Stephane also pointed out in my (closed) pull request that it would also
allow the container to mess with the hosts's resource allocation.

This works (at least, tested with console and ssh login), and should be
secure-enough (bind-mount the container subdir, instead of the whole
systemd cgroup), but complicated.

### snippet of config
lxc.hook.mount = "/var/lib/lxc/f20/bin/create_container_systemd_cgroup"
lxc.hook.post-stop = "/var/lib/lxc/f20/bin/remove_container_systemd_cgroup"
###

### cat create_container_systemd_cgroup
#!/bin/bash
mkdir -p /sys/fs/cgroup/systemd/lxc/$LXC_NAME
mount -t sysfs sysfs $LXC_ROOTFS_MOUNT/sys
mount -t tmpfs none $LXC_ROOTFS_MOUNT/sys/fs/cgroup
mkdir $LXC_ROOTFS_MOUNT/sys/fs/cgroup/systemd
mount --bind /sys/fs/cgroup/systemd/lxc/$LXC_NAME
$LXC_ROOTFS_MOUNT/sys/fs/cgroup/systemd
###

### cat remove_container_systemd_cgroup
#!/bin/bash
[ -n "$LXC_NAME" ] && find /sys/fs/cgroup/systemd/lxc/$LXC_NAME -type d |
tac | xargs rmdir
###

Is there a way to simplify this somehow for it to be more suitable in the
template?

-- 
Fajar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140529/b5525d4e/attachment.html>


More information about the lxc-users mailing list