Hey Serge,

This is something I'm interested in as well. Any way I could help with the implementation of the graphdriver proxy?

On Fri, Oct 16, 2015 at 12:10 PM Serge Hallyn <serge.hal...@ubuntu.com> wrote:

> Quoting Tamas Papp (tom...@martos.bme.hu):
> >
> >
> > On 08/31/2015 03:59 PM, Serge Hallyn wrote:
> > >Quoting Tamas Papp (tom...@martos.bme.hu):
> > >>
> > >>On 08/28/2015 03:48 PM, Serge Hallyn wrote:
> > >>>Quoting Tamas Papp (tom...@martos.bme.hu):
> > >>>>hi,
> > >>>>
> > >>>>I would like to achieve, what is in subject.
> > >>>>
> > >>>>
> > >>>>However, I cannot get over on this apparmor issue:
> > >>>>
> > >>>>[7690496.246952] type=1400 audit(1440757904.938:1130):
> > >>>>apparmor="DENIED" operation="mount" info="failed flags match"
> > >>>>error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
> > >>>>pid=32534 comm="docker" flags="rw, private"
> > >>>>
> > >>>>
> > >>>>I read some post on various forums, that I need to run the lxc
> > >>>>container with unconfined profile.
> > >>>>Is still the case?
> > >>>Excellent, I've been wanting to bring this up here :)
> > >>>
> > >>>Maxim at Odin has been working on a proxy graphdriver for
> > >>>docker. The PR is at
> > >>>
> > >>>https://github.com/docker/docker/pull/15594
> > >>>
> > >>>I'm hoping to test that today and see what else is still
> > >>>needed. I would assume a custom apparmor policy will still
> > >>>be needed, but since the host is doing most of the mounting
> > >>>you should be able to avoid just being unconfined.
> > >>hi,
> > >>
> > >>For the first look it seems to be a big change, that requires a more
> > >>qualified one for testing.
> > >>Did you take a look?
> > >I've taken a look at the code but haven't built it yet. (having
> > >some toolchain issues)
> >
> > https://github.com/docker/docker/pull/13777
> >
> > This was merged, does it mean, that docker should be usable in LXC
> > from this point?
>
> Not exactly. As you can see from the final comment in
>
> https://github.com/docker/docker/pull/15924
>
> it now means that we can write a graphdriver proxy. The original
> openvz pull request would have been almost all we needed - allowing
> the graphdriver to talk over a unix socket to the host where the
> requested actions could be done. The pull request which was accepted
> does less - only allowing you to implement your own proxy to talk to
> a service on the host. (that service *also* needs to be written)
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users