On Fri, Dec 06, 2013 at 12:11:29PM +0200, Bogdan Purcareata wrote:
> Since the line immediately following will mount the entire
> /sys read-only, hence /sys/kernel/security too.
>
> Also, when installing the container template on systems with
> no securityfs support, starting the container will fail.
>
Did you confirm that the lxc.mount.auto entry actually mounts securityfs on
/sys/kernel/security? /sys/kernel/security isn't part of sysfs and needs to be
mounted on top of it. If it's not mounted, your proposed change will lead to
failure to set up apparmor and an unconfined container on systems supporting it.

Instead, I think it'd be better to change that line to simply
"ro,bind,optional" so that failure to mount doesn't cause a failure to start
the container.

> Signed-off-by: Bogdan Purcareata <bogdan.purcare...@freescale.com>
> ---
> templates/lxc-busybox.in | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 23d654e..906dc5d 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -296,7 +296,6 @@ EOF
> echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >>
> $path/config
> fi
> done
> - echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none
> ro,bind 0 0" >>$path/config
> echo "lxc.mount.auto = proc:mixed sys" >>$path/config
> }
>
> --
> 1.7.11.7

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
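Review bot: Removing the /sys/kernel/security bind mount in this hunk leaves the container without securityfs, because the remaining `echo "lxc.mount.auto = proc:mixed sys" >>$path/config` line only mounts sysfs, and securityfs is a separate filesystem mounted on top of /sys/kernel/security rather than a part of sysfs, so the commit message's reasoning that a read-only /sys covers it does not hold. On hosts that support AppArmor the container would then fail its AppArmor setup or run unconfined, which is a worse outcome than the startup failure the change is trying to avoid. Keep the entry and make the mount tolerant of hosts without securityfs instead, i.e. change the removed line to `echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config`, so that a missing securityfs on the host skips the mount rather than aborting container start.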
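The question raised above, whether securityfs is actually present at /sys/kernel/security or only sysfs is there, can be answered by looking at the mount table rather than at the directory. The script below is an added example, not part of the original thread or of the LXC template: it parses /proc/self/mountinfo (or a file passed as its first argument, which is what the constructed samples use) and reports whether a securityfs mount exists at /sys/kernel/security. The sample mountinfo contents are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not LXC code): check whether securityfs is mounted at
# /sys/kernel/security. A read-only sysfs on /sys does not provide it;
# securityfs is its own filesystem that has to be mounted on top of sysfs.

securityfs_mounted() {
    mountinfo="${1:-/proc/self/mountinfo}"
    # mountinfo fields: id parent maj:min root mountpoint opts [optional ...] - fstype source superopts
    # Field 5 is the mount point; the filesystem type follows the "-" separator.
    awk '
        {
            fstype = ""
            for (i = 7; i <= NF; i++) {
                if ($i == "-") { fstype = $(i + 1); break }
            }
            if ($5 == "/sys/kernel/security" && fstype == "securityfs") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$mountinfo"
}

# Constructed sample mountinfo contents (not from a real host or container).
# Case A: sysfs mounted read-only with securityfs mounted on top of it.
SAMPLE_WITH_SECURITYFS='22 1 0:21 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
23 22 0:6 / /sys/kernel/security ro,nosuid,nodev,noexec,relatime - securityfs securityfs ro'
# Case B: sysfs only, which is what "lxc.mount.auto = proc:mixed sys" yields
# when no lxc.mount.entry for /sys/kernel/security is present.
SAMPLE_SYSFS_ONLY='22 1 0:21 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro'

write_sample() {
    # $1: sample text, $2: output path
    printf '%s\n' "$1" > "$2"
}

# When run directly, report the state of the current system.
if securityfs_mounted; then
    echo "securityfs is mounted at /sys/kernel/security"
else
    echo "securityfs is NOT mounted at /sys/kernel/security (sysfs alone does not provide it)"
fi
```

Run it inside a started container to verify what the template's mount entries actually produced; a plain sysfs, even read-only, makes the check report that securityfs is absent.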
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel