[lxc-users] pre-mount hook namespace

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Nov 16 10:48:19 UTC 2015


> On November 11, 2015 at 6:04 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > > 2.
> > > If you are just using unpriv containers to use user namespaces, you can
> > > actually have the container be owned/started by root.  That's what I do
> > > for some containers where their rootfs is a dmcrypt device which I
> > > couldn't mount as an unpriv user.
> > 
> > They are started as root, which means I can prepare the mounts as you
> > suggested above, but I'd again be clobbering the host's namespace.
> 
> Oh, right.  I forget that even when starting as root, this only works
> for the rootfs itself, not other mounts.  (Lxd actually does handle this,
> but at the cost of having a MS_SLAVE mount per container)

So we ended up doing just that, but now with the latest lxcfs
upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
denies lxc-start permission to bind mount something. Here's what
happens with raw lxc-start commands:

# lxc-start -n 406

works, but (simplified to just unshare -m):

# unshare -m -- lxc-start -n 406

audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount"
profile="/usr/bin/lxc-start"
name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/"
pid=21536 comm="lxc-start" flags="rw, bind"

This doesn't make sense to me; I don't see how the namespace
change would affect this. (Using unshare -m and then running
`mount --make-r{slave,private,shared} /` doesn't change the
outcome.)

406/config:
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.tty = 2
lxc.environment = TERM=linux
lxc.utsname = testit
lxc.cgroup.memory.limit_in_bytes = 536870912
lxc.cgroup.memory.memsw.limit_in_bytes = 1073741824
lxc.cgroup.cpu.shares = 1024
lxc.rootfs = /var/lib/lxc/406/rootfs
lxc.network.type = veth
lxc.network.veth.pair = veth406i0
lxc.network.hwaddr = 32:34:36:33:31:34
lxc.network.name = eth0
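[Editor's note, not part of the thread.] The discussion above turns on mount propagation: a bind mount made inside the unshared namespace only stays out of the host's view if the mount covering the target is private or slave (the "MS_SLAVE mount per container" Serge mentions for LXD), and `mount --make-rslave /` in the new namespace is what should achieve that. The quickest way to confirm what actually happened is to read the optional fields in /proc/<pid>/mountinfo (`shared:N`, `master:N`, `unbindable`). The script below is an added example written for this note, not code from the thread or from LXC; the embedded mountinfo sample is constructed to resemble the paths in Wolfgang's audit line, and the mount ids, device numbers and `/dev/mapper/ct406` source are made up.

```python
"""Classify mount propagation from /proc/<pid>/mountinfo.

Added illustration; the SAMPLE text below is constructed, not captured
from a real host. Run without arguments to inspect the current namespace.
"""
import os
import re
import sys

# Constructed sample: root and /sys shared with the host, the hugetlb
# cgroup mounted as a slave, the container rootfs private.
SAMPLE = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
24 21 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
29 24 0:24 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
33 29 0:28 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime master:14 - cgroup cgroup rw,hugetlb
40 21 8:2 / /var/lib/lxc/406/rootfs rw,relatime - ext4 /dev/mapper/ct406 rw
"""


def unescape(s):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text):
    """Return one dict per mount; optional fields are kept verbatim."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before the " - " separator are fixed-position plus a
        # variable list of optional tags; after it come fstype and source.
        left, _, right = line.partition(" - ")
        fields = left.split()
        fstype, source = right.split()[:2]
        entries.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "mount_point": unescape(fields[4]),
            "optional": fields[6:],
            "fstype": fstype,
            "source": source,
        })
    return entries


def propagation(entry):
    """Map the optional tags to the propagation type mount(8) would report."""
    tags = {f.split(":")[0] for f in entry["optional"]}
    if "unbindable" in tags:
        return "unbindable"
    shared, slave = "shared" in tags, "master" in tags
    if shared and slave:
        return "shared-slave"
    if shared:
        return "shared"
    if slave:
        return "slave"
    return "private"


def mount_for(entries, path):
    """The mount whose mount point is the longest prefix of `path`."""
    path = os.path.normpath(path)
    best = None
    for e in entries:
        mp = e["mount_point"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mount_point"]):
                best = e
    return best


def would_propagate(entries, path):
    """True if a mount created at `path` here would be seen by peer namespaces."""
    e = mount_for(entries, path)
    return e is not None and propagation(e) in ("shared", "shared-slave")


def report(text):
    """(mount_point, propagation) for every mount, shortest path first."""
    entries = parse_mountinfo(text)
    return sorted((e["mount_point"], propagation(e)) for e in entries)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/mountinfo"
    with open(src) as f:
        for mp, prop in report(f.read()):
            print(f"{prop:13} {mp}")
```

Usage: run it from inside `unshare -m` before and after `mount --make-rslave /` (or pass another process's `/proc/<pid>/mountinfo` from the host) and compare; any path still reported as `shared` is one where a bind mount would land in the host's namespace.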
