On 08/31/2015 03:59 PM, Serge Hallyn wrote:
> Quoting Tamas Papp (tom...@martos.bme.hu):
>
>> On 08/28/2015 03:48 PM, Serge Hallyn wrote:
>>> Quoting Tamas Papp (tom...@martos.bme.hu):
>>>> hi,
>>>>
>>>> I would like to achieve what is in the subject.
>>>>
>>>> However, I cannot get past this apparmor issue:
>>>>
>>>> [7690496.246952] type=1400 audit(1440757904.938:1130):
>>>> apparmor="DENIED" operation="mount" info="failed flags match"
>>>> error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
>>>> pid=32534 comm="docker" flags="rw, private"
>>>>
>>>> I read some posts on various forums that I need to run the lxc
>>>> container with the unconfined profile.
>>>> Is that still the case?
>>>
>>> Excellent, I've been wanting to bring this up here :)
>>>
>>> Maxim at Odin has been working on a proxy graphdriver for
>>> docker.  The PR is at
>>>
>>> https://github.com/docker/docker/pull/15594
>>>
>>> I'm hoping to test that today and see what else is still
>>> needed.  I would assume a custom apparmor policy will still
>>> be needed, but since the host is doing most of the mounting
>>> you should be able to avoid just being unconfined.
>>
>> hi,
>>
>> At first look it seems to be a big change that requires a more
>> qualified person for testing.
>> Did you take a look?
>
> I've taken a look at the code but haven't built it yet.  (having
> some toolchain issues)
>
>> https://github.com/docker/docker/pull/13777
>>
>> This was merged; does it mean that docker should be usable in LXC from this point?
>>
>> Can it be safely used?
>
> What do you mean by safely?  It should make it safe from the host's
> point of view to do the mounting, as the container cannot provide
> their own block device (with garbage) to mount(2).  Rather, the
> host always creates the new device, does mkfs, and if needed lays
> out the provided tarfile onto it.

Oops, I forgot to answer this.
I mean at least secure: no unconfined container needed and it cannot crash the host machine.

Thanks,
tamas
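The denial quoted at the top of the thread is the kind of line a host operator has to read off dmesg before deciding whether a narrower AppArmor mount rule (rather than an unconfined container) will do. The following is an added example, not code from the thread or from LXC or Docker: it parses AppArmor audit lines into fields, picks out denied mount operations, and drafts a candidate mount rule from the denied flags and path. The sample log embeds the thread's own denial plus one constructed ALLOWED line for contrast; the `suggest_mount_rule` output uses the AppArmor `mount options=(...) -> path,` rule form and is only a starting point for a reviewer, not a rule to drop into a profile unchecked.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the denial quoted in the thread,
# line 2 is a made-up ALLOWED event so the filter has something to skip.
SAMPLE_LOG = """\
[7690496.246952] type=1400 audit(1440757904.938:1130): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/" pid=32534 comm="docker" flags="rw, private"
[7690500.000001] type=1400 audit(1440757908.000:1131): apparmor="ALLOWED" operation="open" profile="lxc-docker" name="/etc/hosts" pid=32540 comm="docker" requested_mask="r" denied_mask="r"
"""

# key="value with spaces"  or  key=bareword (e.g. error=-13, pid=32534)
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch seconds>:<serial>) carries the event time and sequence number
_AUDIT_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')


def parse_apparmor_line(line):
    """Return a dict of fields for one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    m = _AUDIT_RE.search(line)
    if m:
        fields['timestamp'] = float(m.group('ts'))
        fields['serial'] = int(m.group('serial'))
    for key, quoted, bare in _FIELD_RE.findall(line):
        # exactly one of the two alternatives matched; an unmatched group is ''
        fields[key] = bare if bare else quoted
    return fields


def mount_denials(log_text):
    """Return parsed records for every denied mount operation in the log text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec and rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'mount':
            out.append(rec)
    return out


def summarize(log_text):
    """Count denied mounts per (profile, mount target, flags) for triage."""
    counts = Counter()
    for rec in mount_denials(log_text):
        counts[(rec.get('profile'), rec.get('name'), rec.get('flags'))] += 1
    return counts


def suggest_mount_rule(rec):
    """Draft an AppArmor mount rule covering one denial (hypothetical helper).

    The flags string from the log ("rw, private") maps onto the rule's
    options=(...) list; the denied target path becomes the mountpoint.
    A reviewer should still narrow this to what the workload really needs.
    """
    opts = ', '.join(f.strip() for f in rec.get('flags', '').split(',') if f.strip())
    return f"mount options=({opts}) -> {rec['name']},"


if __name__ == '__main__':
    for rec in mount_denials(SAMPLE_LOG):
        print(rec['profile'], rec['name'], rec['flags'], '->', suggest_mount_rule(rec))
    print(summarize(SAMPLE_LOG))
```

Run it against `dmesg` output (or `/var/log/audit/audit.log` on auditd hosts) to get a per-profile tally of what is being refused; a handful of distinct (profile, path, flags) tuples is the signal that a small custom policy will suffice, while an open-ended spread across paths is the signal that the workload is really asking for unconfined.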
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users