Quoting Dietmar Maurer ([email protected]):
>
> > On November 16, 2015 at 5:33 PM Serge Hallyn <[email protected]> wrote:
> >
> > Quoting Serge Hallyn ([email protected]):
> > > Quoting Wolfgang Bumiller ([email protected]):
> > > > > On November 11, 2015 at 6:04 PM Serge Hallyn <[email protected]> wrote:
> > > > > > > 2.
> > > > > > > If you are just using unpriv containers to use user namespaces, you can
> > > > > > > actually have the container be owned/started by root. That's what I do
> > > > > > > for some containers where their rootfs is a dmcrypt device which I
> > > > > > > couldn't mount as an unpriv user.
> > > > > >
> > > > > > They are started as root, which means I can prepare the mounts as you
> > > > > > suggested above, but I'd again be clobbering the host's namespace.
> > > > >
> > > > > Oh, right. I forget that even when starting as root, this only works
> > > > > for the rootfs itself, not other mounts. (Lxd actually does handle this,
> > > > > but at the cost of having a MS_SLAVE mount per container)
> > > >
> > > > So we ended up doing just that, but now with the latest lxcfs
> > > > upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
> > > > denies lxc-start to bind mount something. Here's what happens
> > > > with raw lxc-start commands:
> > > >
> > > > # lxc-start -n 406
> > > >
> > > > works, but (simplified to just unshare -m):
> > > >
> > > > # unshare -m -- lxc-start -n 406
> > > >
> > > > audit: type=1400 audit(1447670720.554:74): apparmor="DENIED"
> > > > operation="mount"
> > > > profile="/usr/bin/lxc-start"
> > > > name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/"
> > > > pid=21536 comm="lxc-start" flags="rw, bind"
> > > >
> > > > This doesn't make sense to me, I don't see how the namespace
> > > > change would affect this?
> > > > (Using unshare -m and then running
> > > > `mount --make-r{slave,private,shared} /` doesn't change the
> > > > outcome.)
> > >
> > > Can you make sure that your apparmor profile has the
> > > attach_disconnected flag?
> >
> > Sorry, make that /etc/apparmor.d/usr.bin.lxc-start.
>
> We use the profiles shipped with lxc, so we have:
>
> /usr/bin/lxc-start flags=(attach_disconnected) {
> #include <abstractions/lxc/start-container>
> }
>
> so that flag is already set?
>
I think Stéphane has found lxc with cgfs to be broken right now, although I thought that was only nested on top of lxcfs. I haven't looked into it, but will try to in the near future. If someone else wants to, all the better. (I try to stay away from the cgfs code)

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
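An added example, not from the thread or from the lxc project: a small Python parser for the type=1400 AppArmor audit record quoted above, with a check of whether the denying profile declares the attach_disconnected flag the thread asks about. The sample audit lines and the profile text are constructed from the quoted material; the second audit line is invented as a non-matching control.

```python
import re

# Constructed sample records: the lxc-start denial quoted in the thread,
# rejoined onto one line as the kernel prints it, plus one unrelated record.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount" '
    'profile="/usr/bin/lxc-start" '
    'name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" '
    'pid=21536 comm="lxc-start" flags="rw, bind"',
    'audit: type=1400 audit(1447670721.100:75): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/lxc-start" name="/etc/hosts" pid=21536 comm="lxc-start"',
]

# The profile header the thread quotes from /etc/apparmor.d/usr.bin.lxc-start.
PROFILE_SNIPPET = """/usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
"""

_HEADER_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
# key=value pairs; quoted values such as flags="rw, bind" contain spaces and commas.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Profile header line: <name> flags=(a,b,...) {
_PROFILE_RE = re.compile(r"^\s*(?P<name>\S+)\s+flags=\((?P<flags>[^)]*)\)\s*\{", re.M)


def parse_apparmor_record(line: str) -> dict:
    """Turn one type=1400 audit line into a dict of its fields (ints where numeric)."""
    rec = {}
    hdr = _HEADER_RE.search(line)
    if hdr:
        rec["timestamp"] = float(hdr.group("ts"))
        rec["serial"] = int(hdr.group("serial"))
    for key, quoted, bare in _FIELD_RE.findall(line):
        value = quoted if quoted else bare
        rec[key] = int(value) if value.isdigit() else value
    return rec


def denied_mounts(lines) -> list:
    """Records where AppArmor rejected a mount, the symptom reported in the thread."""
    recs = (parse_apparmor_record(line) for line in lines)
    return [r for r in recs if r.get("apparmor") == "DENIED" and r.get("operation") == "mount"]


def profile_flags(profile_text: str) -> dict:
    """Map each profile name in a profile file to the set of flags on its header line."""
    return {m.group("name"): {f.strip() for f in m.group("flags").split(",") if f.strip()}
            for m in _PROFILE_RE.finditer(profile_text)}


def denials_missing_attach_disconnected(lines, profile_text: str) -> list:
    """Mount denials whose profile lacks attach_disconnected; empty means that flag
    is not the explanation and the cause must lie elsewhere."""
    flags = profile_flags(profile_text)
    return [r for r in denied_mounts(lines)
            if "attach_disconnected" not in flags.get(r.get("profile"), set())]
```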
