On Fri, Dec 06, 2013 at 12:11:29PM +0200, Bogdan Purcareata wrote:
Since the line immediately following will mount the entire
/sys read-only, hence /sys/kernel/security too.
Also, when installing the container template on systems with
no securityfs support, starting the container will fail.
Did you confirm that the lxc.mount.auto entry actually mounts securityfs
on /sys/kernel/security?
/sys/kernel/security isn't part of sysfs and needs to be mounted on top of it.
If it's not mounted, your proposed change will lead to failure to set up
apparmor and an unconfined container on systems supporting it.
Instead, I think it'd be better to change that line to simply
ro,bind,optional so that failure to mount doesn't cause a failure to
start the container.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 23d654e..906dc5d 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -296,7 +296,6 @@ EOF
echo lxc.mount.entry = /$dir $dir none ro,bind 0 0
$path/config
fi
done
-echo lxc.mount.entry = /sys/kernel/security sys/kernel/security none
ro,bind 0 0 $path/config
echo lxc.mount.auto = proc:mixed sys $path/config
}
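Review bot: Dropping the `/sys/kernel/security` entry relies on the following `lxc.mount.auto = proc:mixed sys` line to provide it, but securityfs is a separate filesystem mounted on top of sysfs, so after this hunk the container has no securityfs and apparmor setup fails on hosts that support it. Keep the entry and add `optional` instead, i.e. `lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0`, so that a host without securityfs no longer aborts container start while hosts with it still get the mount.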
--
1.7.11.7
lxc-devel mailing list
lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
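The two checks discussed above, as an added example that is not code from the patch or from the LXC project: one verifies on a host whether securityfs is really mounted at /sys/kernel/security (reading a table in /proc/mounts format, with constructed samples embedded), the other inspects a container config for the /sys/kernel/security entry and reports whether it is missing, mandatory, or marked `optional`. It assumes the config uses the template's spacing (`lxc.mount.entry = ...`).

```shell
#!/bin/sh
# Added example, not code from the lxc patch or the thread. It checks the two
# things the reply raises: (1) whether securityfs is actually mounted at
# /sys/kernel/security on a host, read from a mounts table in /proc/mounts
# format, and (2) whether a container config's /sys/kernel/security entry
# carries "optional", so a host without securityfs does not abort start-up.
# Assumes the config uses the template's spacing: "lxc.mount.entry = ...".

# Constructed mounts table: sysfs plus a separate securityfs on top of it.
MOUNTS_WITH_SECURITYFS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed mounts table: sysfs only (kernel or init without securityfs).
MOUNTS_WITHOUT_SECURITYFS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed config fragments: the entry as in the template, the entry with
# "optional", and the entry removed as the patch proposes.
CONFIG_REQUIRED='lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind 0 0
lxc.mount.auto = proc:mixed sys'
CONFIG_OPTIONAL='lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0
lxc.mount.auto = proc:mixed sys'
CONFIG_MISSING='lxc.mount.auto = proc:mixed sys'

# securityfs_mounted MOUNTS_TEXT
# Exit 0 if some line mounts fstype "securityfs" at /sys/kernel/security.
# The fstype column matters: the sysfs mount on /sys does not provide it.
securityfs_mounted() {
    printf '%s\n' "$1" | awk '
        $2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# lint_securityfs_entry CONFIG_TEXT
# Prints "missing" (no entry: the container gets no securityfs, so apparmor
# setup fails), "required" (entry without optional: start fails on hosts
# lacking securityfs) or "optional" (entry tolerates either kind of host).
lint_securityfs_entry() {
    printf '%s\n' "$1" | awk '
        $1 == "lxc.mount.entry" && $3 == "/sys/kernel/security" {
            if ($6 ~ /(^|,)optional(,|$)/) state = "optional"
            else state = "required"
        }
        END { if (state == "") state = "missing"; print state }'
}

# Live usage on a host, e.g. before starting a busybox container
# (NAME is a placeholder for the container name):
#   securityfs_mounted "$(cat /proc/self/mounts)" && echo "securityfs present"
#   lint_securityfs_entry "$(cat /var/lib/lxc/NAME/config)"
```

The host check matches on the filesystem type column rather than just the path, because a read-only sysfs mount on /sys leaves /sys/kernel/security as an empty directory; only a securityfs mount there gives apparmor what it needs inside the container.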