On Mon, Nov 16, 2015 at 04:33:25PM +0000, Serge Hallyn wrote:
> Quoting Serge Hallyn ([email protected]):
> > Quoting Wolfgang Bumiller ([email protected]):
> > > So we ended up doing just that, but now with the latest lxcfs
> > > upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
> > > denies lxc-start to bind mount something. Here's what happens
> > > with raw lxc-start commands:
> > >
> > > # lxc-start -n 406
> > >
> > > works, but (simplified to just unshare -m):
> > >
> > > # unshare -m -- lxc-start -n 406
> > >
> > > audit: type=1400 audit(1447670720.554:74): apparmor="DENIED"
> > > operation="mount"
> > > profile="/usr/bin/lxc-start"
> > > name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/"
> > > pid=21536 comm="lxc-start" flags="rw, bind"
> > >
> > > This doesn't make sense to me, I don't see how the namespace
> > > change would affect this? (Using unshare -m and then running
> > > `mount --make-r{slave,private,shared} /` doesn't change the
> > > outcome.)
> >
> > Can you make sure that your apparmor profile has the
> > attach_disconnected flag?
>
> Sorry, make that /etc/apparmor.d/usr.bin.lxc-start.
Okay, it's not apparmor's fault (or not only, anyway). (And yes, the flag is
there.) If I put the profiles in complain mode I get the same with
apparmor="ALLOWED", but the mount still fails with a permission-denied error.

Note that this is only cgfs with --disable-cgmanager (which I suspect is
not meant to work?). And I'm currently wondering how that would be possible
anyway. E.g. in lxcfs/cgfs I see that mkdir requests use the fuse_context's
uid/gid to reown files for cgroups - but the cgroups are mounted _as_
cgroups, so how would that code even be reached in the fuse fs? And how
does it connect to mount namespaces...?

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
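Added example (not code from the thread or from LXC): a small Python parser for AppArmor audit records like the one quoted above, used to separate enforce-mode denials from complain-mode ALLOWED records, since a mount that still fails next to an ALLOWED record is being refused by something other than AppArmor. The sample records are constructed.

```python
import re

# Constructed sample records (not copied from real logs), modelled on the audit
# line quoted in the thread: an enforce-mode denial, the same operation as it
# shows up in complain mode, and an unrelated non-mount denial.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1447670720.554:74): apparmor="DENIED" operation="mount" '
    'profile="/usr/bin/lxc-start" '
    'name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" '
    'pid=21536 comm="lxc-start" flags="rw, bind"',
    'audit: type=1400 audit(1447670801.120:75): apparmor="ALLOWED" operation="mount" '
    'profile="/usr/bin/lxc-start" '
    'name="/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/cgroup/hugetlb/lxc/406/" '
    'pid=21540 comm="lxc-start" flags="rw, bind"',
    'audit: type=1400 audit(1447670802.300:76): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/lxc-start" name="/dev/kmsg" pid=21541 comm="lxc-start" '
    'requested_mask="w" denied_mask="w"',
]

# key=value fields: double-quoted (may hold spaces, e.g. "rw, bind") or bare (pid=21536).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_audit_line(line: str) -> dict:
    """Turn one AppArmor audit record into a dict of its fields."""
    rec = {}
    ts = _TS_RE.search(line)
    if ts:
        rec["timestamp"], rec["serial"] = ts.group(1), ts.group(2)
    for key, quoted, bare in _KV_RE.findall(line):
        rec[key] = quoted if quoted else bare
    return rec

def mount_denials(lines: list, profile: str) -> list:
    """Records where `profile` was actually refused a mount by AppArmor.
    Complain-mode records carry apparmor="ALLOWED": the policy would have
    blocked the call but the kernel let it through, so an EACCES seen next
    to one of those comes from somewhere other than AppArmor."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if (rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount"
                and rec.get("profile") == profile):
            out.append(rec)
    return out

def bind_mount_targets(lines: list, profile: str) -> list:
    """Target paths of denied bind mounts, the case lxc-start hits here."""
    return [r["name"] for r in mount_denials(lines, profile)
            if "bind" in r.get("flags", "").split(", ")]
```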
