API tools faq
paste
Advertisement
Guest User

LXC Nesting Snippet from stgraber.org

a guest
Aug 25th, 2012
1,268
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.87 KB | None | 0 0
raw download clone embed print report
  1. Credits: LXC in Ubuntu 12.04 LTS (Posted on 2012/05/04 by Stéphane Graber at stgraber.org)
  2. ------------------------------------------------------------------------------------------
  3.  
  4. sudo apt-get install lxc
  5. sudo lxc-create -t ubuntu -n my-host-container -t ubuntu
  6. sudo wget https://www.stgraber.org/download/lxc-with-nesting -O /etc/apparmor.d/lxc/lxc-with-nesting
  7. sudo /etc/init.d/apparmor reload
  8. sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" /var/lib/lxc/my-host-container/config
  9. sudo lxc-start -n my-host-container
  10. (in my-host-container) sudo apt-get install lxc
  11. (in my-host-container) sudo stop lxc
  12. (in my-host-container) sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc
  13. (in my-host-container) sudo start lxc
  14. (in my-host-container) sudo lxc-create -n my-sub-container -t ubuntu
  15. (in my-host-container) sudo lxc-start -n my-sub-container
  16.  
  17. ---------------------------------------------------
  18. https://www.stgraber.org/download/lxc-with-nesting:
  19. ---------------------------------------------------
  20.  
  21. # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
  22. # will source all profiles under /etc/apparmor.d/lxc
  23.  
  24. profile lxc-container-with-nesting flags=(attach_disconnected,mediate_deleted) {
  25. network,
  26. capability,
  27. file,
  28. umount,
  29.  
  30. # addition for container nesting
  31. mount -> /sys/fs/cgroup/**,
  32. mount fstype=proc -> /var/cache/lxc/**,
  33. mount fstype=sysfs -> /var/cache/lxc/**,
  34. mount fstype=devpts -> /dev/pts/,
  35. mount -> /usr/lib/lxc/root/,
  36. mount -> /usr/lib/lxc/root/**,
  37. mount /dev/pts/ptmx/ -> /dev/ptmx/,
  38. pivot_root,
  39. change_profile -> lxc-*,
  40.  
  41. # ignore DENIED message on / remount
  42. deny mount options=(ro, remount) -> /,
  43.  
  44. # allow tmpfs mounts everywhere
  45. mount fstype=tmpfs,
  46.  
  47. # allow mqueue mounts everywhere
  48. mount fstype=mqueue,
  49.  
  50. # allow bind mount of /lib/init/fstab for lxcguest
  51. mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
  52.  
  53. # deny writes in /proc/sys/fs but allow fusectl to be mounted
  54. mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  55. deny @{PROC}/sys/fs/** wklx,
  56.  
  57. # block some other dangerous paths
  58. deny @{PROC}/sysrq-trigger rwklx,
  59. deny @{PROC}/mem rwklx,
  60. deny @{PROC}/kmem rwklx,
  61. deny @{PROC}/sys/kernel/** wklx,
  62.  
  63. # deny writes in /sys except for /sys/fs/cgroup, also allow
  64. # fusectl, securityfs and debugfs to be mounted there (read-only)
  65. mount fstype=fusectl -> /sys/fs/fuse/connections/,
  66. mount fstype=securityfs -> /sys/kernel/security/,
  67. mount fstype=debugfs -> /sys/kernel/debug/,
  68. deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  69. mount fstype=proc -> /proc/,
  70. mount fstype=sysfs -> /sys/,
  71. deny /sys/[^f]*/** wklx,
  72. deny /sys/f[^s]*/** wklx,
  73. deny /sys/fs/[^c]*/** wklx,
  74. deny /sys/fs/c[^g]*/** wklx,
  75. deny /sys/fs/cg[^r]*/** wklx,
  76. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!