[lxc-users] docker in lxc

Serge Hallyn serge.hallyn at ubuntu.com
Mon Aug 31 13:59:51 UTC 2015


Quoting Tamas Papp (tompos at martos.bme.hu):
> 
> 
> On 08/28/2015 03:48 PM, Serge Hallyn wrote:
> >Quoting Tamas Papp (tompos at martos.bme.hu):
> >>hi,
> >>
> >>I would like to achieve what is in the subject.
> >>
> >>
> >>However, I cannot get over this apparmor issue:
> >>
> >>[7690496.246952] type=1400 audit(1440757904.938:1130):
> >>apparmor="DENIED" operation="mount" info="failed flags match"
> >>error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
> >>pid=32534 comm="docker" flags="rw, private"
> >>
> >>
> >>I read some posts on various forums saying that I need to run the lxc
> >>container with an unconfined profile.
> >>Is this still the case?
> >Excellent, I've been wanting to bring this up here :)
> >
> >Maxim at Odin has been working on a proxy graphdriver for
> >docker.  The PR is at
> >
> >https://github.com/docker/docker/pull/15594
> >
> >I'm hoping to test that today and see what else is still
> >needed.  I would assume a custom apparmor policy will still
> >be needed, but since the host is doing most of the mounting
> >you should be able to avoid just being unconfined.
> 
> hi,
> 
> At first look it seems to be a big change, one that requires a more
> qualified person for testing.
> Did you take a look?

I've taken a look at the code but haven't built it yet.  (I'm having
some toolchain issues.)

> Can it be safely used?

What do you mean by safely?  It should make it safe from the host's
point of view to do the mounting, as the container cannot provide
its own block device (with garbage) to mount(2).  Rather, the
host always creates the new device, does mkfs, and if needed lays
out the provided tarfile onto it.

-serge
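The denial quoted at the top of the thread is a standard AppArmor audit record (type=1400), and when tuning a container profile it helps to pull these out of dmesg or the audit log and filter them by profile and operation rather than reading them by hand. Below is an added example, not code from the thread or from lxc or docker, that parses such records and lists the mount denials; the first sample line is the one from the thread, the other two are constructed.

```python
import errno
import re

# Constructed sample input: the denial from the thread, plus two constructed lines
# (a profile-load STATUS record and an unrelated denial) so the filter has something to skip.
SAMPLE_DMESG = """\
[7690496.246952] type=1400 audit(1440757904.938:1130): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/" pid=32534 comm="docker" flags="rw, private"
[7690497.000001] type=1400 audit(1440757905.001:1131): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-docker" pid=32600 comm="apparmor_parser"
[7690498.000002] type=1400 audit(1440757906.002:1132): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sysrq-trigger" pid=32700 comm="bash" requested_mask="w" denied_mask="w"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_record(line):
    """Turn one type=1400 audit line into a dict; None if it is not an AppArmor record."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    rec = {}
    for m in _FIELD_RE.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if "error" in rec:
        # error is a negative errno, e.g. -13 -> EACCES
        rec["errno_name"] = errno.errorcode.get(-int(rec["error"]), "UNKNOWN")
    return rec


def mount_denials(log_text, profile=None):
    """Return the DENIED mount records, optionally restricted to one profile."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_apparmor_record(line)
        if rec is None or rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
            continue
        if profile is not None and rec.get("profile") != profile:
            continue
        hits.append({k: rec.get(k) for k in ("profile", "comm", "name", "flags", "info", "errno_name")})
    return hits


if __name__ == "__main__":
    for hit in mount_denials(SAMPLE_DMESG):
        print(hit)
```

On a real host, feed it the output of `dmesg` or the audit log instead of SAMPLE_DMESG; the `info` field ("failed flags match") tells you whether the profile lacks a mount rule entirely or merely one with the right options.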
