Merge lp:~serge-hallyn/serverguide/lxc-aa-update into lp:serverguide/trunk

Proposed by Serge Hallyn on 2014-04-01
Status: Merged
Approved by: Doug Smythies on 2014-04-04
Approved revision: 203
Merge reported by: Doug Smythies
Merged at revision: not available
Proposed branch: lp:~serge-hallyn/serverguide/lxc-aa-update
Merge into: lp:serverguide/trunk
Diff against target: 146 lines (+95/-13)
1 file modified
serverguide/C/virtualization.xml (+95/-13)
To merge this branch: bzr merge lp:~serge-hallyn/serverguide/lxc-aa-update
Reviewer: Doug Smythies (date requested: 2014-04-01; status: Approve on 2014-04-04)
Review via email: mp+213719@code.launchpad.net

Description of the change

update lxc section:

1. add a nesting section
2. remove information about apparmor policy stacking which won't be in 14.04
3. add information about the alternate apparmor policies shipped with lxc.

Doug Smythies (dsmythies) wrote :

O.K., Thanks. I see how important this one is.

I'm changing line 85 from this:

85 + profile (protecting the host) but is not be able to enter the

to this:

85 + profile (protecting the host) but will not be able to enter the

review: Approve
Doug Smythies (dsmythies) wrote :

O.K. Thanks.

review: Approve

Preview Diff

=== modified file 'serverguide/C/virtualization.xml'
--- serverguide/C/virtualization.xml 2014-03-31 21:39:58 +0000
+++ serverguide/C/virtualization.xml 2014-04-01 20:58:06 +0000
@@ -974,6 +974,27 @@
974</screen>974</screen>
975975
976 </sect3>976 </sect3>
977 <sect3 id="lxc-nesting">
978 <title>Nesting</title>
979 <para>In order to run containers inside containers - referred
980 to as nested containers - two lines must be present in the
981 parent container configuration file:
982<screen>
983lxc.mount.auto = cgroup
984lxc.aa_profile = lxc-container-default-with-nesting
985</screen>
986 The first will cause the cgroup manager socket to be bound
987 into the container, so that lxc inside the container is able
988 to administer cgroups for its nested containers. The second
989 causes the container to run in a looser Apparmor policy which
990 allows the container to do the mounting required for starting
991 containers. Note that this policy, when used with a privileged
992 container, is much less safe than the regular policy or an
993 unprivileged container. See <xref linkend="lxc-apparmor"/> for
994 more information.
995 </para>
996 </sect3>
997
977 </sect2>998 </sect2>
978999
979 <sect2 id="lxc-global-conf" status="review">1000 <sect2 id="lxc-global-conf" status="review">
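Review bot: "parent container configuration file" (line 981) is ambiguous, because the host can also be read as the parent; say "the configuration file of the container that will host the nested containers" (the outer container). The warning at 991-993 that the nesting policy is "much less safe" for privileged containers gives no reason here, so a reader has to chase the xref to learn what they are risking; one clause such as "because it lets the container re-mount /proc and /sys in other locations and so bypass Apparmor protections" would let them judge it in place. Also confirm that the Apparmor sect2 actually carries id="lxc-apparmor" (it is not visible in this diff), since a dangling linkend fails the DocBook build.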
@@ -1033,6 +1054,36 @@
1033 container is running a distribution with upstart, like Ubuntu, since programs1054 container is running a distribution with upstart, like Ubuntu, since programs
1034 which talk to init, like <command>shutdown</command>, will talk over the1055 which talk to init, like <command>shutdown</command>, will talk over the
1035 abstract Unix domain socket to the host's upstart, and shut down the host.</para>1056 abstract Unix domain socket to the host's upstart, and shut down the host.</para>
1057 <para>
1058 To give containers on lxcbr0 a persistent ip address based on domain name,
1059 you can write entries to <filename>/etc/lxc/dnsmasq.conf</filename> like:
1060<screen>
1061dhcp-host=lxcmail,10.0.3.100
1062dhcp-host=ttrss,10.0.3.101
1063</screen>
1064 </para>
1065 <para>If it is desirable for the container to be publicly accessible,
1066 there are a few ways to go about it. One is to use <command>iptables</command>
1067 to forward host ports to the container, for instance
1068
1069<screen>
1070 iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT \
1071 --to-destination 10.0.3.100:587
1072 </screen>
1073 Another is to bridge the host's network interfaces (see the bridging
1074 section in <ulink url="https://help.ubuntu.com/serverguide/network-configuration.html">
1075 the Ubuntu Server Guide's Network Configuration chapter</ulink>. Then,
1076 specify the host's bridge in the container configuration file in place of
1077 lxcbr0, for instance
1078
1079<screen>
1080lxc.network.type = veth
1081lxc.network.link = br0
1082</screen>
1083 Finally, you can ask LXC to use macvlan for the container's NIC. Note that
1084 this has limitations and depending on configuration may not allow the
1085 container to talk to the host itself. Therefore the other two options are
1086 preferred and more commonly used.</para>
10361087
1037 <para>There are several ways to determine the ip address for a container.1088 <para>There are several ways to determine the ip address for a container.
1038 First, you can use <command>lxc-ls --fancy</command> which will print the ip1089 First, you can use <command>lxc-ls --fancy</command> which will print the ip
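Review bot: the DNAT rule at 1070-1071 is incomplete as a recipe: a PREROUTING rule only rewrites packets that arrive on eth0, so connections made from the host itself are not redirected, the forwarded packets still have to be accepted by the FORWARD chain, and nothing here persists the rule across reboots; say at least that forwarding must be permitted and that the rule needs to be saved. For the dnsmasq entries at 1061-1062 the text does not say how the running dnsmasq picks up /etc/lxc/dnsmasq.conf; add the step that makes the change take effect (for example restarting the lxc-net service) or readers will see no change. Minor: the <screen> at 1070-1072 is indented while the other <screen> blocks are flush left, and that leading whitespace shows up in the rendered output.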
@@ -1223,16 +1274,15 @@
1223 prevents the container from accessing many dangerous paths, and from1274 prevents the container from accessing many dangerous paths, and from
1224 mounting most filesystems.</para>1275 mounting most filesystems.</para>
12251276
1226 <para>Prior to 14.04, programs in a container could not be further1277 <para>Programs in a container cannot be further
1227 confined - for instance, MySQL would run under the container1278 confined - for instance, MySQL runs under the container
1228 profile (protecting the host) but would not be able to enter the1279 profile (protecting the host) but is not be able to enter the
1229 MySQL profile (to protect the container). As of Ubuntu 14.04,1280 MySQL profile (to protect the container).</para>
1230 the container profile starts a new stacked namespace. All tasks1281
1231 in the container are confined by the container profile. Furthermore1282 <para><command>lxc-execute</command> does not enter an Apparmor
1232 containers can load their own profiles. Programs started under1283 profile, but the container it spawns will be confined.</para>
1233 those profiles are doubly constrained, first by the container profile,1284
1234 and secondly by the application profile.</para>1285 <sect3><title>Customizing container policies</title>
1235
1236 <para>If you find that <command>lxc-start</command> is failing due to1286 <para>If you find that <command>lxc-start</command> is failing due to
1237 a legitimate access which is being denied by its Apparmor policy, you1287 a legitimate access which is being denied by its Apparmor policy, you
1238 can disable the lxc-start profile by doing:</para>1288 can disable the lxc-start profile by doing:</para>
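Review bot: line 1279 reads "but is not be able to enter the MySQL profile"; make it "but is not able to" (or "but will not be able to"). The new <sect3> at 1285 has no id attribute, unlike the neighbouring sect3s (for example id="lxc-nesting"), so the nesting section cannot xref this customization section; give it an id such as "lxc-apparmor-custom".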
@@ -1251,7 +1301,40 @@
1251lxc.aa_profile = unconfined1301lxc.aa_profile = unconfined
1252</screen>1302</screen>
12531303
1254 <para>to the container's configuration file. If you wish to run a1304 <para>to the container's configuration file.</para>
1305
1306 <para>
1307 LXC ships with a few alternate policies for containers. If you
1308 wish to run containers inside containers (nesting), then you
1309 can use the lxc-container-default-with-nesting profile by adding
1310 the following line to the container configuration file
1311 <screen>
1312lxc.aa_profile = lxc-container-default-with-nesting
1313 </screen>
1314 If you wish to use libvirt inside containers, then you will need
1315 to edit that policy (which is defined in
1316 <filename>/etc/apparmor.d/lxc/lxc-default-with-nesting</filename>)
1317 to uncomment the following line
1318 <screen>
1319mount fstype=cgroup -> /sys/fs/cgroup/**,
1320 </screen>
1321 and re-load the policy.</para>
1322
1323 <para>Note that the nesting policy with privileged containers is
1324 far less safe than the default policy, as it allows containers to
1325 re-mount <filename>/sys</filename> and <filename>/proc</filename>
1326 in nonstandard locations, bypassing apparmor protections.
1327 Unprivileged containers do not have this drawback since the
1328 container root cannot write to root-owned <filename>proc</filename>
1329 and <filename>sys</filename> files.
1330 </para>
1331 <para>Another profile shipped with lxc allows containers to mount
1332 block filesystem types like ext4. This can be useful in some cases
1333 like maas provisioning, but is deemed generally unsafe since the superblock
1334 handlers in the kernel have not been audited for safe handling of
1335 untrusted input.</para>
1336
1337 <para> If you need to run a
1255 container in a custom profile, you can create a new profile under1338 container in a custom profile, you can create a new profile under
1256 <filename>/etc/apparmor.d/lxc/</filename>. Its name must start with1339 <filename>/etc/apparmor.d/lxc/</filename>. Its name must start with
1257 <filename>lxc-</filename> in order for <command>lxc-start</command> to1340 <filename>lxc-</filename> in order for <command>lxc-start</command> to
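Review bot: the paragraph at 1331-1335 describes a second alternate profile but never names it or its file, so a reader can neither use it nor check whether it is enabled; give the profile name and path the way 1309-1316 do for the nesting profile. The nesting paragraph at 1307-1313 lists only lxc.aa_profile, whereas the nesting section added earlier in this branch also requires lxc.mount.auto = cgroup; either repeat that line or xref the nesting section so the two passages do not disagree. "and re-load the policy" at 1321 should say what to run (the apparmor_parser -r invocation) rather than leave the reader to guess. Finally, the profile is called lxc-container-default-with-nesting but lives in lxc-default-with-nesting; a short note that the file name and profile name differ will stop readers from reading it as a typo.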
@@ -1279,8 +1362,7 @@
1279lxc.aa_profile = lxc-CN-profile1362lxc.aa_profile = lxc-CN-profile
1280</screen>1363</screen>
12811364
1282 <para><command>lxc-execute</command> does not enter an Apparmor1365 </sect3>
1283 profile, but the container it spawns will be confined.</para>
1284 </sect2>1366 </sect2>
12851367
1286 <sect2 id="lxc-cgroups" status="review">1368 <sect2 id="lxc-cgroups" status="review">
