[lxc-users] denied of mounting /run/netns ?
Serge E. Hallyn
serge at hallyn.com
Fri May 27 19:29:39 UTC 2016
Quoting Rui Zang (rui.zang at foxmail.com):
> Greetings,
>
> I am trying to run an openstack (with neutron networking) deployed
> by devstack in one LXC. The deployment seems complete, but after a
> while something odd was discovered.
>
> First of all, there have been tens of thousands of tap devices
> created and hooked into ovs bridges. And the number is increasing.
>
> stack at devstack:~$ sudo ovs-vsctl show | wc -l
> 14215
>
> While I was trying to debug this, I found a thousand of the message
> below in the kernel log:
>
> [162823.239519] audit: type=1400 audit(1464323116.356:41707):
> apparmor="DENIED" operation="mount" info="failed type match"
> error=-13 profile="lxc-container-default" name="/run/netns/"
> pid=40414 comm="ip" flags="rw, rshared"
>
> What does it mean? Shall I grant some privilege to this LXC?
>
Yes, depending on how lazy or trusting you are feeling, you can
just use the lxc-container-default-with-nesting profile, or else
add

    mount options=(rw,rshared,bind) /run/**

either to a new profile /etc/apparmor.d/lxc/lxc-default-netns, or
just to /etc/apparmor.d/abstractions/lxc/container-base.
-serge
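The following is an added example, not part of this thread or of LXC itself. It is a small Python triage helper that parses the audit line Rui quoted, counts how many such netns mount denials a kernel log contains, and writes out the new profile Serge suggests (with his rule added to a copy of the stock lxc-container-default layout) plus the container config line that selects it. Assumptions, not stated in the thread: the stock profile consists of the container-base abstraction and the devpts deny; AppArmor rules end with a comma, so the rule gets one; the container config key is lxc.aa_profile (LXC 1.x/2.0; later versions call it lxc.apparmor.profile); and the profile is loaded by reloading /etc/apparmor.d/lxc-containers.

```python
import re

# Constructed sample input: the denial quoted in the thread, joined to one line.
SAMPLE_DENIAL = (
    '[162823.239519] audit: type=1400 audit(1464323116.356:41707): '
    'apparmor="DENIED" operation="mount" info="failed type match" '
    'error=-13 profile="lxc-container-default" name="/run/netns/" '
    'pid=40414 comm="ip" flags="rw, rshared"'
)

# key="quoted value" or key=bareword, as printed by the AppArmor audit hook
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Split one AppArmor audit line into a dict of its key=value fields.

    Non-AppArmor lines yield an empty dict, so this can be run over a whole
    dmesg or journal dump.
    """
    if 'apparmor=' not in line:
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD_RE.finditer(line)}


def is_netns_mount_denial(fields):
    """True for the denial in the thread: `ip netns` trying to mount
    /run/netns inside a container confined by the default profile."""
    return (fields.get('apparmor') == 'DENIED'
            and fields.get('operation') == 'mount'
            and fields.get('comm') == 'ip'
            and fields.get('name', '').startswith('/run/netns'))


def count_netns_denials(log_lines):
    """Count how many of the given kernel-log lines are the netns denial."""
    return sum(1 for ln in log_lines if is_netns_mount_denial(parse_denial(ln)))


# Serge's rule from the reply, plus the trailing comma that the AppArmor
# profile grammar requires on every rule (assumption: the reply omitted it).
NETNS_MOUNT_RULE = 'mount options=(rw,rshared,bind) /run/**,'


def netns_profile(name='lxc-default-netns'):
    """Return the text of a new profile for /etc/apparmor.d/lxc/<name>.

    Assumed layout: the same as the stock lxc-container-default profile
    (container-base abstraction plus the devpts deny) with Serge's mount
    rule added. Profiles under /etc/apparmor.d/lxc/ are pulled in by
    /etc/apparmor.d/lxc-containers, so that is the file to reload.
    """
    return '\n'.join([
        '# Do not load this file directly; reload /etc/apparmor.d/lxc-containers,',
        '# which sources every profile under /etc/apparmor.d/lxc/.',
        'profile %s flags=(attach_disconnected,mediate_deleted) {' % name,
        '  #include <abstractions/lxc/container-base>',
        '',
        "  # never let the container mount devpts: it would remount the host's",
        '  deny mount fstype=devpts,',
        '',
        '  # let `ip netns add` bind-mount /run/netns and make it rshared',
        '  ' + NETNS_MOUNT_RULE,
        '}',
        '',
    ])


def container_config_line(name='lxc-default-netns'):
    """Line for the container's config so it is confined by <name>.

    lxc.aa_profile is the LXC 1.x/2.0 key (this thread is from 2016);
    LXC 2.1 and later spell it lxc.apparmor.profile.
    """
    return 'lxc.aa_profile = %s' % name


if __name__ == '__main__':
    hits = count_netns_denials([SAMPLE_DENIAL, 'unrelated kernel line'])
    print('netns mount denials seen:', hits)
    print(netns_profile())
    print(container_config_line())
    print('then: sudo apparmor_parser -r /etc/apparmor.d/lxc-containers')
```

Run it against `dmesg` or `journalctl -k` output to confirm the denials are all the same netns mount before touching any profile. The narrow rule is the least-privilege option: lxc-container-default-with-nesting grants the container broader mount permissions meant for running containers inside it, which an OpenStack control node does not need. Serge's glob covers everything under /run; whether a tighter path such as /run/netns/** also satisfies `ip netns` is something to test on the host rather than assume.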