[lxc-users] pre-mount hook namespace

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Nov 17 08:05:05 UTC 2015


On Mon, Nov 16, 2015 at 04:33:25PM +0000, Serge Hallyn wrote:
> Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> > Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> > > So we ended up doing just that, but now with the latest lxcfs
> > > upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
> > > denies lxc-start to bind mount something. Here's what happens
> > > with raw lxc-start commands:
> > > 
> > > # lxc-start -n 406
> > > 
> > > works, but (simplified to just unshare -m):
> > > 
> > > # unshare -m -- lxc-start -n 406
> > > 
> > > audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount"
> > > profile="/usr/bin/lxc-start"
> > > name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/"
> > > pid=21536 comm="lxc-start" flags="rw, bind"
> > > 
> > > This doesn't make sense to me, I don't see how the namespace
> > > change would affect this? (Using unshare -m and then running
> > > `mount --make-r{slave,private,shared} /` doesn't change the
> > > outcome.)
> > 
> > Can you make sure that your apparmor profile has the
> > attach_disconnected flag?
> 
> Sorry, make that /etc/apparmor.d/usr.bin.lxc-start.

Okay, it's not apparmor's fault (or not only, anyway). (And yes, the flag
is there.)
If I put the profiles in complain mode I get the same with
apparmor="ALLOWED", but the mount still fails with a permission-denied
error.

Note that this is only cgfs with --disable-cgmanager (which I suspect is
not meant to work?). And I'm currently wondering how that would be
possible anyway. E.g. in lxcfs/cgfs I see that mkdir requests use the
fuse_context's uid/gid to reown files for cgroups - but the cgroups are
mounted _as_ cgroups, so how would that code even be reached in the fuse
fs?

And how does it connect to mount namespaces...?
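Added example, not part of the thread and not code from the LXC, lxcfs or AppArmor projects: a small Python parser for AppArmor audit records of the kind quoted above, which pulls the quoted DENIED line apart into its fields, separates real denials from the ALLOWED records a complain-mode profile emits, and maps the denied host path back to the path the container sees under its rootfs. The first sample line is the one from the thread (rejoined onto one line); the ALLOWED and file-open lines, and the rootfs path passed to mount_denials, are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input. The first line is the DENIED line quoted in the thread,
# reassembled onto one line; the other two are constructed for this
# example (an ALLOWED record such as a complain-mode profile emits, and
# an unrelated file-open denial) and do not come from the thread.
SAMPLE_LINES = [
    'audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount" '
    'profile="/usr/bin/lxc-start" '
    'name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" '
    'pid=21536 comm="lxc-start" flags="rw, bind"',
    'audit: type=1400 audit(1447670900.101:81): apparmor="ALLOWED" operation="mount" '
    'profile="/usr/bin/lxc-start" '
    'name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" '
    'pid=21601 comm="lxc-start" flags="rw, bind"',
    'audit: type=1400 audit(1447670950.200:82): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/lxc-start" name="/var/log/example.log" '
    'pid=21601 comm="lxc-start" requested_mask="r" denied_mask="r"',
]

# key=value tokens. Values may be double-quoted and then contain spaces,
# as in flags="rw, bind", so a plain whitespace split would break them.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<seconds since epoch>:<serial>)
TS_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


@dataclass
class AppArmorEvent:
    timestamp: float
    serial: int
    fields: Dict[str, str]

    def is_denied(self) -> bool:
        return self.fields.get("apparmor") == "DENIED"

    def mount_flags(self) -> List[str]:
        # flags="rw, bind" -> ["rw", "bind"]; empty list for non-mount records
        raw = self.fields.get("flags", "")
        return [f.strip() for f in raw.split(",") if f.strip()]


def parse_apparmor_line(line: str) -> Optional[AppArmorEvent]:
    """Parse one kernel/audit line into an event, or return None when the
    line is not an AppArmor (type=1400) record."""
    ts = TS_RE.search(line)
    if ts is None or "apparmor=" not in line:
        return None
    # findall yields (key, quoted value, bare value); one of the two is empty
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    return AppArmorEvent(float(ts.group(1)), int(ts.group(2)), fields)


def relative_to_rootfs(path: str, rootfs: str) -> Optional[str]:
    """Map a host path below a container rootfs to the path the container
    sees (<rootfs>/sys/fs/cgroup/... -> /sys/fs/cgroup/...), else None."""
    rootfs = rootfs.rstrip("/")
    if path == rootfs or path.startswith(rootfs + "/"):
        return path[len(rootfs):] or "/"
    return None


def mount_denials(lines, rootfs: Optional[str] = None):
    """Return (profile, host path, container path, flags) for every denied
    mount. ALLOWED (complain-mode) records and non-mount operations are
    skipped, so a profile in complain mode produces no hits here."""
    found = []
    for line in lines:
        ev = parse_apparmor_line(line)
        if ev is None or not ev.is_denied() or ev.fields.get("operation") != "mount":
            continue
        name = ev.fields.get("name", "")
        inside = relative_to_rootfs(name, rootfs) if rootfs else None
        found.append((ev.fields.get("profile"), name, inside, ev.mount_flags()))
    return found


if __name__ == "__main__":
    # rootfs path below is taken from the denied name in the thread's log line
    for profile, host, inside, flags in mount_denials(
        SAMPLE_LINES, rootfs="/usr/lib/x86_64-linux-gnu/lxc/rootfs"
    ):
        print(f"{profile}: denied mount of {host} (container path {inside}), flags={flags}")
```

Feeding the kernel log through mount_denials is a quick way to confirm what the author observes above: with the profile in complain mode the same record appears with apparmor="ALLOWED" and no longer counts as a denial, so a mount that still fails at that point is being refused by something other than AppArmor.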