
LXC Nesting Snippet from stgraber.org

Credits: adapted from "LXC in Ubuntu 12.04 LTS", posted 2012/05/04 by Stéphane Graber at stgraber.org
------------------------------------------------------------------------------------------
  3.  
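# Stop at the first failing step instead of continuing with a half-configured
# host (an unloaded profile, an unchanged container config, ...).
set -e

# --- On the host ---------------------------------------------------------
# Install LXC and create the outer ("host") container from the ubuntu template.
# (The original had "-t ubuntu" twice; one is enough.)
sudo apt-get install lxc
sudo lxc-create -t ubuntu -n my-host-container

# Fetch the nesting AppArmor profile into a temporary file first, so that a
# failed download cannot leave an empty or truncated profile under
# /etc/apparmor.d/ (wget -O creates the output file even on failure), and so
# the file can be read before it is installed and loaded as root.
# Be aware that lxc-container-with-nesting is far more permissive than
# lxc-container-default: the profile grants unrestricted capability, file and
# network access to the container and only restricts mounts and a list of
# dangerous paths. Use it only for containers whose workload you trust.
tmp_profile="$(mktemp)"
wget https://www.stgraber.org/download/lxc-with-nesting -O "$tmp_profile"
test -s "$tmp_profile"   # abort on an empty download
# Inspect "$tmp_profile" here, then install it where /etc/apparmor.d/lxc-containers sources it.
sudo install -m 0644 "$tmp_profile" /etc/apparmor.d/lxc/lxc-with-nesting
rm -f "$tmp_profile"
sudo /etc/init.d/apparmor reload

# Switch the container from the default profile to the nesting one. The sed
# only does something if the config still carries the commented-out default
# line; the grep afterwards fails loudly if the substitution did not match,
# instead of silently starting the container under lxc-container-default
# (where the nested lxc-start would be refused).
sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" /var/lib/lxc/my-host-container/config
grep -q '^lxc.aa_profile = lxc-container-with-nesting$' /var/lib/lxc/my-host-container/config
sudo lxc-start -n my-host-container

# --- Inside my-host-container --------------------------------------------
# Install LXC again and move the nested lxcbr0 to a different address range
# so it does not collide with the 10.0.3.x range configured on the host.
# The dots in the sed pattern are escaped so it matches the literal address
# and not any three characters between the digits.
sudo apt-get install lxc
sudo stop lxc
sudo sed -i 's/10\.0\.3/10\.0\.4/g' /etc/default/lxc
sudo start lxc
sudo lxc-create -n my-sub-container -t ubuntu
sudo lxc-start -n my-sub-container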
  16.  
---------------------------------------------------
Contents of https://www.stgraber.org/download/lxc-with-nesting (the AppArmor profile fetched above):
---------------------------------------------------
  20.  
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

# AppArmor profile for an LXC container that is itself allowed to run LXC.
# The first four rules grant unrestricted network, capability, file and
# umount access, so the only mediation left is the set of mount rules and
# the explicit deny rules below.
# NOTE(review): every deny rule here is path-based (@{PROC}/..., /sys/...).
# It does not apply to a second proc or sysfs instance mounted at one of the
# other locations this profile permits (fstype=proc/sysfs -> /var/cache/lxc/**),
# so the deny list is not a hard boundary. Treat this profile as weaker than
# lxc-container-default and use it only for trusted container workloads.
profile lxc-container-with-nesting flags=(attach_disconnected,mediate_deleted) {
  # Blanket grants: all network families, all capabilities, all file
  # permissions on every path (minus the deny rules further down), umount.
  network,
  capability,
  file,
  umount,

  # addition for container nesting
  # The nested lxc-start needs to mount cgroups, set up proc/sysfs/devpts in
  # a nested rootfs under /var/cache/lxc, mount the nested root under
  # /usr/lib/lxc/root/ and pivot_root into it, and switch into an lxc-*
  # profile for the nested container. None of these mount rules restrict
  # mount options, and the /sys/fs/cgroup and /usr/lib/lxc/root rules do not
  # restrict the filesystem type either.
  mount -> /sys/fs/cgroup/**,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount fstype=devpts -> /dev/pts/,
  mount -> /usr/lib/lxc/root/,
  mount -> /usr/lib/lxc/root/**,
  mount /dev/pts/ptmx/ -> /dev/ptmx/,
  pivot_root,
  change_profile -> lxc-*,

  # ignore DENIED message on / remount
  # (an explicit deny rule is not logged; it grants nothing)
  deny mount options=(ro, remount) -> /,

  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,

  # allow mqueue mounts everywhere
  mount fstype=mqueue,

  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,

  # block some other dangerous paths
  # (w=write, k=lock, l=link, x=exec; reads of these stay allowed through the
  # blanket "file," rule unless r is listed, as it is for the first three)
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/sys/kernel/** wklx,

  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  # The mounts themselves are not restricted to ro; "read-only" comes from
  # the deny-write rules on /sys/** that follow.
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  # Character-class patterns that together match every path under /sys/
  # except those starting with /sys/fs/cgr (i.e. /sys/fs/cgroup/), which
  # stays writable for the nested container's cgroup setup.
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
}