Merge lp:~serge-hallyn/serverguide/lxc-aa-update into lp:serverguide/trunk

Proposed by Serge Hallyn on 2014-04-01
Status: Merged
Approved by: Doug Smythies on 2014-04-04
Approved revision: 203
Merge reported by: Doug Smythies
Merged at revision: not available
Proposed branch: lp:~serge-hallyn/serverguide/lxc-aa-update
Merge into: lp:serverguide/trunk
Diff against target: 146 lines (+95/-13)
1 file modified
serverguide/C/virtualization.xml (+95/-13)
To merge this branch: bzr merge lp:~serge-hallyn/serverguide/lxc-aa-update
Reviewer Review Type Date Requested Status
Doug Smythies 2014-04-01 Approve on 2014-04-04

Description of the change

update lxc section:

1. add a nesting section
2. remove information about apparmor policy stacking which won't be in 14.04
3. add information about the alternate apparmor policies shipped with lxc.

Doug Smythies (dsmythies) wrote :

O.K., Thanks. I see how important this one is.

I'm changing line 85 from this:

85 + profile (protecting the host) but is not be able to enter the

to this:

85 + profile (protecting the host) but will not be able to enter the

review: Approve
Doug Smythies (dsmythies) wrote :

O.K. Thanks.

review: Approve

Preview Diff

1=== modified file 'serverguide/C/virtualization.xml'
2--- serverguide/C/virtualization.xml 2014-03-31 21:39:58 +0000
3+++ serverguide/C/virtualization.xml 2014-04-01 20:58:06 +0000
4@@ -974,6 +974,27 @@
5 </screen>
7 </sect3>
8+ <sect3 id="lxc-nesting">
9+ <title>Nesting</title>
10+ <para>In order to run containers inside containers - referred
11+ to as nested containers - two lines must be present in the
12+ parent container configuration file:
13+<screen> = cgroup
15+lxc.aa_profile = lxc-container-default-with-nesting
17+ The first will cause the cgroup manager socket to be bound
18+ into the container, so that lxc inside the container is able
19+ to administer cgroups for its nested containers. The second
20+ causes the container to run in a looser Apparmor policy which
21+ allows the container to do the mounting required for starting
22+ containers. Note that this policy, when used with a privileged
23+ container, is much less safe than the regular policy or an
24+ unprivileged container. See <xref linkend="lxc-apparmor"/> for
25+ more information.
26+ </para>
27+ </sect3>
29 </sect2>
31 <sect2 id="lxc-global-conf" status="review">
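Review bot: the <screen> at line 13 shows only `= cgroup` as its first configuration line, with no key before the `=`, and lines 14 and 16 of this hunk are not visible here, so neither the complete key line nor the closing </screen> can be confirmed; check that the committed file carries the full `key = cgroup` line and the closing tag, because the prose at lines 17-19 ("The first will cause the cgroup manager socket to be bound into the container") only makes sense if that line is complete. Minor: line 20 writes "Apparmor" while later hunks in this patch also use "apparmor"; the project spells it AppArmor, and one spelling throughout the section would be cleaner.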
32@@ -1033,6 +1054,36 @@
33 container is running a distribution with upstart, like Ubuntu, since programs
34 which talk to init, like <command>shutdown</command>, will talk over the
35 abstract Unix domain socket to the host's upstart, and shut down the host.</para>
36+ <para>
37+ To give containers on lxcbr0 a persistent ip address based on domain name,
38+ you can write entries to <filename>/etc/lxc/dnsmasq.conf</filename> like:
43+ </para>
44+ <para>If it is desirable for the container to be publicly accessible,
45+ there are a few ways to go about it. One is to use <command>iptables</command>
46+ to forward host ports to the container, for instance
49+ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT \
50+ --to-destination
51+ </screen>
52+ Another is to bridge the host's network interfaces (see the bridging
53+ section in <ulink url="">
54+ the Ubuntu Server Guide's Network Configuration chapter</ulink>. Then,
55+ specify the host's bridge in the container configuration file in place of
56+ lxcbr0, for instance
58+<screen> = veth = br0
62+ Finally, you can ask LXC to use macvlan for the container's NIC. Note that
63+ this has limitations and depending on configuration may not allow the
64+ container to talk to the host itself. Therefore the other two options are
65+ preferred and more commonly used.</para>
67 <para>There are several ways to determine the ip address for a container.
68 First, you can use <command>lxc-ls --fancy</command> which will print the ip
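Review bot: the <ulink url=""> at line 53 has an empty url attribute, so the rendered link to the Network Configuration chapter will point nowhere; fill it in before merging. In the same hunk the iptables rule at lines 49-50 ends at `--to-destination` with no target shown, and the <screen> at line 58 reads `= veth = br0` with both keys missing, so those lines need checking in the committed file as well. Since the DNAT example at line 49 forwards TCP port 587 from eth0, a sentence stating which container address the rule is meant to reach would make the example self-explanatory once the destination is restored.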
69@@ -1223,16 +1274,15 @@
70 prevents the container from accessing many dangerous paths, and from
71 mounting most filesystems.</para>
73- <para>Prior to 14.04, programs in a container could not be further
74- confined - for instance, MySQL would run under the container
75- profile (protecting the host) but would not be able to enter the
76- MySQL profile (to protect the container). As of Ubuntu 14.04,
77- the container profile starts a new stacked namespace. All tasks
78- in the container are confined by the container profile. Furthermore
79- containers can load their own profiles. Programs started under
80- those profiles are doubly constrained, first by the container profile,
81- and secondly by the application profile.</para>
83+ <para>Programs in a container cannot be further
84+ confined - for instance, MySQL runs under the container
85+ profile (protecting the host) but is not be able to enter the
86+ MySQL profile (to protect the container).</para>
88+ <para><command>lxc-execute</command> does not enter an Apparmor
89+ profile, but the container it spawns will be confined.</para>
91+ <sect3><title>Customizing container policies</title>
92 <para>If you find that <command>lxc-start</command> is failing due to
93 a legitimate access which is being denied by its Apparmor policy, you
94 can disable the lxc-start profile by doing:</para>
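Review bot: line 85 reads "but is not be able to enter the"; it should read "but will not be able to enter the" (the fix the reviewer applied on merge). The new <sect3> at line 91 has no id attribute, unlike <sect3 id="lxc-nesting"> earlier in this patch; giving it one (for example id="lxc-apparmor-customizing", a suggested name) would let the nesting section and other pages <xref> to it directly. Also, the removed paragraph at lines 73-81 was scoped with "Prior to 14.04" while the replacement at lines 83-86 states unconditionally that programs in a container cannot be further confined; if the intent of point 2 of the proposal is that stacking is simply not in 14.04, a short note to that effect would stop readers from taking the limitation as permanent.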
95@@ -1251,7 +1301,40 @@
96 lxc.aa_profile = unconfined
97 </screen>
99- <para>to the container's configuration file. If you wish to run a
100+ <para>to the container's configuration file.</para>
102+ <para>
103+ LXC ships with a few alternate policies for containers. If you
104+ wish to run containers inside containers (nesting), then you
105+ can use the lxc-container-default-with-nesting profile by adding
106+ the following line to the container configuration file
107+ <screen>
108+lxc.aa_profile = lxc-container-default-with-nesting
109+ </screen>
110+ If you wish to use libvirt inside containers, then you will need
111+ to edit that policy (which is defined in
112+ <filename>/etc/apparmor.d/lxc/lxc-default-with-nesting</filename>)
113+ to uncomment the following line
114+ <screen>
115+mount fstype=cgroup -> /sys/fs/cgroup/**,
116+ </screen>
117+ and re-load the policy.</para>
119+ <para>Note that the nesting policy with privileged containers is
120+ far less safe than the default policy, as it allows containers to
121+ re-mount <filename>/sys</filename> and <filename>/proc</filename>
122+ in nonstandard locations, bypassing apparmor protections.
123+ Unprivileged containers do not have this drawback since the
124+ container root cannot write to root-owned <filename>proc</filename>
125+ and <filename>sys</filename> files.
126+ </para>
127+ <para>Another profile shipped with lxc allows containers to mount
128+ block filesystem types like ext4. This can be useful in some cases
129+ like maas provisioning, but is deemed generally unsafe since the superblock
130+ handlers in the kernel have not been audited for safe handling of
131+ untrusted input.</para>
133+ <para> If you need to run a
134 container in a custom profile, you can create a new profile under
135 <filename>/etc/apparmor.d/lxc/</filename>. Its name must start with
136 <filename>lxc-</filename> in order for <command>lxc-start</command> to
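Review bot: lines 105-112 tell the reader to set `lxc.aa_profile = lxc-container-default-with-nesting` but to edit `/etc/apparmor.d/lxc/lxc-default-with-nesting`; the profile name and the file name differ, so if that is intentional, say explicitly that the profile is defined in that file (line 111 nearly does) so readers do not hunt for a file named after the profile. "and re-load the policy" at line 117 should say how (for instance with `apparmor_parser -r` on the policy file, my suggestion). The caveats at lines 119-125 (privileged nesting lets a container re-mount /sys and /proc in nonstandard locations, bypassing AppArmor protections) and lines 127-131 (unaudited superblock handlers) are the most important content in this patch; consider placing the nesting warning before the snippet at lines 107-109 rather than after it, so it is read before the line is copied into a config file. Style: line 122 has "apparmor" where the rest of the hunk uses "Apparmor", line 129 "maas" should be "MAAS", and line 133 opens "<para> If" with a stray leading space.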
137@@ -1279,8 +1362,7 @@
138 lxc.aa_profile = lxc-CN-profile
139 </screen>
141- <para><command>lxc-execute</command> does not enter an Apparmor
142- profile, but the container it spawns will be confined.</para>
143+ </sect3>
144 </sect2>
146 <sect2 id="lxc-cgroups" status="review">