[lxc-users] pre-mount hook namespace

Dietmar Maurer dietmar at proxmox.com
Mon Nov 16 17:34:01 UTC 2015



> On November 16, 2015 at 5:33 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> 
> Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> > Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> > > > On November 11, 2015 at 6:04 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > > > > > 2.
> > > > > > If you are just using unpriv containers to use user namespaces, you can
> > > > > > actually have the container be owned/started by root.  That's what I do
> > > > > > for some containers where their rootfs is a dmcrypt device which I
> > > > > > couldn't mount as an unpriv user.
> > > > > 
> > > > > They are started as root, which means I can prepare the mounts as you
> > > > > suggested above, but I'd again be clobbering the host's namespace.
> > > > 
> > > > Oh, right.  I forget that even when starting as root, this only works
> > > > for the rootfs itself, not other mounts.  (Lxd actually does handle this,
> > > > but at the cost of having a MS_SLAVE mount per container)
> > > 
> > > So we ended up doing just that, but now with the latest lxcfs
> > > upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
> > > denies lxc-start to bind mount something. Here's what happens
> > > with raw lxc-start commands:
> > > 
> > > # lxc-start -n 406
> > > 
> > > works, but (simplified to just unshare -m):
> > > 
> > > # unshare -m -- lxc-start -n 406
> > > 
> > > audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount" profile="/usr/bin/lxc-start" name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" pid=21536 comm="lxc-start" flags="rw, bind"
> > > 
> > > This doesn't make sense to me, I don't see how the namespace
> > > change would affect this? (Using unshare -m and then running
> > > `mount --make-r{slave,private,shared} /` doesn't change the
> > > outcome.)
> > 
> > Can you make sure that your apparmor profile has the
> > attach_disconnected flag?
> 
> Sorry, make that /etc/apparmor.d/usr.bin.lxc-start.

We use the profiles shipped with lxc, so we have:

/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}

so that flag is already set?
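The two things being checked in this thread, the fields of the AppArmor "DENIED" audit line and whether the lxc-start profile header carries attach_disconnected, can be scripted. The following is an added example, not code from the thread or from the lxc project; it parses a constructed copy of the quoted audit line and a constructed copy of the quoted profile header, and assumes the profile's flags are declared on the same line as the profile name (as in the header quoted above). The default profile path /etc/apparmor.d/usr.bin.lxc-start is the one named in the thread.

```shell
#!/bin/sh
# Added example: parse an AppArmor audit "DENIED" line into its key="value"
# fields and check whether a profile header lists a given flag.

# Constructed sample audit line, modelled on the one quoted in the thread.
SAMPLE_AUDIT='audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount" profile="/usr/bin/lxc-start" name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" pid=21536 comm="lxc-start" flags="rw, bind"'

# Constructed sample profile, a copy of the header quoted in the thread,
# written to a temp file so the checker can be exercised offline.
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
EOF

# audit_field LINE KEY
# Prints the value of the quoted KEY="..." field from an audit line.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# profile_has_flag FILE PROFILE_NAME FLAG
# Exit 0 if FILE contains a header 'PROFILE_NAME flags=(...)' whose
# comma-separated flag list includes FLAG, 1 otherwise.
profile_has_flag() {
    flags=$(sed -n "s|^[[:space:]]*$2[[:space:]]\{1,\}flags=(\([^)]*\)).*|\1|p" "$1")
    [ -n "$flags" ] || return 1
    printf '%s\n' "$flags" | tr ',' '\n' | tr -d ' \t' | grep -qx "$3"
}

# check_lxc_start_profile [FILE]
# Convenience wrapper for the check suggested in the thread; defaults to the
# profile path named there.
check_lxc_start_profile() {
    profile_has_flag "${1:-/etc/apparmor.d/usr.bin.lxc-start}" \
        /usr/bin/lxc-start attach_disconnected
}

# Demonstration on the constructed inputs.
printf 'operation=%s profile=%s flags=%s\n' \
    "$(audit_field "$SAMPLE_AUDIT" operation)" \
    "$(audit_field "$SAMPLE_AUDIT" profile)" \
    "$(audit_field "$SAMPLE_AUDIT" flags)"
if check_lxc_start_profile "$SAMPLE_PROFILE"; then
    echo "attach_disconnected is set in $SAMPLE_PROFILE"
else
    echo "attach_disconnected is missing from $SAMPLE_PROFILE"
fi
```

Run it as-is to see the constructed inputs parsed; call `check_lxc_start_profile` with no argument on a host to test the real profile file. A "set" result here only confirms the flag is present in the header, which is exactly the point made in the reply above: if it is already there, the denial has to be explained by something other than a missing attach_disconnected.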
