[lxc-users] pre-mount hook namespace

Serge Hallyn serge.hallyn at ubuntu.com
Tue Nov 17 00:37:24 UTC 2015


Quoting Dietmar Maurer (dietmar at proxmox.com):
> 
> 
> > On November 16, 2015 at 5:33 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > 
> > 
> > Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> > > Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> > > > > On November 11, 2015 at 6:04 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > > > > > > 2.
> > > > > > > If you are just using unpriv containers to use user namespaces, you can
> > > > > > > actually have the container be owned/started by root.  That's what I do
> > > > > > > for some containers where their rootfs is a dmcrypt device which I
> > > > > > > couldn't mount as an unpriv user.
> > > > > > 
> > > > > > They are started as root, which means I can prepare the mounts as you
> > > > > > suggested above, but I'd again be clobbering the host's namespace.
> > > > > 
> > > > > Oh, right.  I forget that even when starting as root, this only works
> > > > > for the rootfs itself, not other mounts.  (Lxd actually does handle this,
> > > > > but at the cost of having a MS_SLAVE mount per container)
> > > > 
> > > > So we ended up doing just that, but now with the latest lxcfs
> > > > upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
> > > > denies lxc-start to bind mount something. Here's what happens
> > > > with raw lxc-start commands:
> > > > 
> > > > # lxc-start -n 406
> > > > 
> > > > works, but (simplified to just unshare -m):
> > > > 
> > > > # unshare -m -- lxc-start -n 406
> > > > 
> > > > audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount" profile="/usr/bin/lxc-start" name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" pid=21536 comm="lxc-start" flags="rw, bind"
> > > > 
> > > > This doesn't make sense to me, I don't see how the namespace
> > > > change would affect this? (Using unshare -m and then running
> > > > `mount --make-r{slave,private,shared} /` doesn't change the
> > > > outcome.)
> > > 
> > > Can you make sure that your apparmor profile has the
> > > attach_disconnected flag?
> > 
> > Sorry, make that /etc/apparmor.d/usr.bin.lxc-start.
> 
> We use the profiles shipped with lxc, so we have:
> 
> /usr/bin/lxc-start flags=(attach_disconnected) {
>   #include <abstractions/lxc/start-container>
> }
> 
> so that flag is already set?
> 

I think Stéphane has found lxc with cgfs to be broken right now, although
I thought that was only nested on top of lxcfs.  I haven't looked into it,
but will try to in the near future.  If someone else wants to, all the
better.  (I try to stay away from the cgfs code)
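
The triage the thread walks through by hand (read the AppArmor DENIED mount record, then confirm the lxc-start profile header actually carries attach_disconnected) can be scripted. The block below is an added example and is not code from the thread, from LXC or from Proxmox. The audit line is a constructed sample modelled on the one quoted above, the profile text is a constructed fragment in the shape Dietmar posted, and every function name (parse_apparmor_audit, profile_flags, has_attach_disconnected, triage) is a name chosen here, not an LXC or AppArmor API:

```python
"""Added example: parse AppArmor audit 'DENIED' mount records and check an
AppArmor profile header for the attach_disconnected flag.  Not part of the
lxc-users thread, LXC, or Proxmox; all names and sample data are made up here."""
import re

# Constructed sample, modelled on the audit line quoted in the thread.
SAMPLE_AUDIT = (
    'audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" '
    'operation="mount" profile="/usr/bin/lxc-start" '
    'name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" '
    'pid=21536 comm="lxc-start" flags="rw, bind"'
)

# Constructed profile fragment in the shape of /etc/apparmor.d/usr.bin.lxc-start.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Profile header: optional 'profile' keyword, a name, optional flags=(...), then '{'.
_PROFILE_HDR = re.compile(r'^\s*(?:profile\s+)?(\S+)\s*(?:flags=\(([^)]*)\))?\s*\{')


def parse_apparmor_audit(line):
    """Return the key/value fields of an AppArmor audit record as a dict,
    or None if the line carries no apparmor= field (i.e. is not one)."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields if "apparmor" in fields else None


def is_denied_mount(fields):
    """True for apparmor="DENIED" records whose operation is a mount."""
    return (fields is not None
            and fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "mount")


def mount_flags(fields):
    """Split the flags="rw, bind" field into a list like ['rw', 'bind']."""
    return [f.strip() for f in fields.get("flags", "").split(",") if f.strip()]


def profile_flags(profile_text, program):
    """Return the set of flags on the header of the profile for `program`,
    an empty set if the header has no flags=(...), or None if no header
    for that program exists.  Comment and #include lines are skipped."""
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _PROFILE_HDR.match(line)
        if m and m.group(1) == program:
            return {f.strip() for f in (m.group(2) or "").split(",") if f.strip()}
    return None


def has_attach_disconnected(profile_text, program="/usr/bin/lxc-start"):
    """The check Serge asked for: is attach_disconnected set on the profile?"""
    flags = profile_flags(profile_text, program)
    return flags is not None and "attach_disconnected" in flags


def triage(audit_line, profile_text):
    """Classify one audit line against the profile text it names."""
    fields = parse_apparmor_audit(audit_line)
    if fields is None:
        return "not-apparmor"
    if not is_denied_mount(fields):
        return "not-mount-denial"
    program = fields.get("profile", "")
    flags = profile_flags(profile_text, program)
    if flags is None:
        return "profile-missing"
    if "attach_disconnected" not in flags:
        return "missing-attach_disconnected"
    # Flag already present: the denial is not the disconnected-path case,
    # which is exactly where the thread ends up.
    return "attach_disconnected-present"


if __name__ == "__main__":
    rec = parse_apparmor_audit(SAMPLE_AUDIT)
    print(rec["profile"], rec["name"], mount_flags(rec))
    print(triage(SAMPLE_AUDIT, SAMPLE_PROFILE))
```

Run against real data, feed it lines from `dmesg` or `/var/log/audit/audit.log` and the text of `/etc/apparmor.d/usr.bin.lxc-start`; a result of "attach_disconnected-present" means, as in the thread, that the flag is not what is missing and the denial must be explained elsewhere.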

