止语
2013-Aug-26 07:42 UTC
[libvirt-users] How to deal with LXC cgroup access control with apparmor ?
I am playing with libvirt 1.1.1 (lxc). When I was starting an LXC container, the process location of cgroup is pretty , just the root directory from the process. But I could tune the cgroup in a container as a logged-in user; this is not acceptable...

I wonder how to restrict it with apparmor, so one cannot modify files in the cgroup fs, e.g. the cpus or mem. If I restrict it with "deny /sys/fs/cgroup/** wrklx," in apparmor, the container would not start up: "Permission denied", because a process would mount the cgroup; it seems to be done by libvirt_lxc. Any way to restrict the cgroup in the container, or just not mount cgroup in the container??

Any help would be appreciated, thanks.
Gao feng
2013-Aug-26 08:06 UTC
Re: [libvirt-users] How to deal with LXC cgroup access control with apparmor ?
On 08/26/2013 03:42 PM, 止语 wrote:
> I am playing with libvirt 1.1.1 (lxc)
> when I was starting a LXC container, the process location of cgroup is pretty , just the root directory
> from the process. But I could tune the cgroup in a container as an user that logged, This is not accepted...
>
> I wonder how to restrict it with apparmor ,so one can not modify files in the cgroup fs, e.g the cpus or mem,
> if i restrict it with "deny /sys/fs/cgroup/** wrklx," in apparmor ,the container would not start up .
> "Permission denied", because that a process would mount the cgroup, it seems done by libvirt_lxc,
> Any way to restrict the cgroup in the container or just not mount cgroup in the container ??
>
> Any help would be appreciated, thanks .
>

The simplest way is to enable user namespace for libvirt. The below is the configuration you should do to enable user namespace:

[quote]
If you want to enable user namespace, set the idmap element. The uid and gid elements have three attributes:

start: First user id in container.
target: The first user id in container will be mapped to this target user id in host.
count: How many users in container being allowed to map to host's user.

<idmap>
  <uid start='0' target='1000' count='10'/>
  <gid start='0' target='1000' count='10'/>
</idmap>
[/quote]
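To make concrete what the <idmap> element above buys you, here is an added example (not code from this thread, from libvirt, or from either poster). It parses the idmap from a constructed libvirt LXC domain definition using the values quoted in the reply (start=0, target=1000, count=10), translates container uids to host uids the way the kernel's user namespace mapping does, and then runs the host kernel's ordinary discretionary write check against a cgroup control file. The file ownership (host root) and mode (0644) are assumptions about the default layout of files such as cpuset.cpus under /sys/fs/cgroup; the /proc/self/uid_map parser is there because that file is how you verify from inside a running container that the mapping is in effect.

```python
# Added example (not code from the thread or from libvirt): what the
# <idmap> element buys you. With a uid/gid mapping, "root" inside the
# container is an ordinary host uid (1000 here), so the host kernel's
# permission check on cgroup files owned by host root fails for it.
import stat
import xml.etree.ElementTree as ET

# Constructed libvirt LXC domain fragment; the idmap values are the ones
# quoted in the reply above (start=0, target=1000, count=10).
SAMPLE_DOMAIN_XML = """<domain type='lxc'>
  <name>idmap-example</name>
  <os><type>exe</type><init>/sbin/init</init></os>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
</domain>"""

# Same domain without <idmap>: no user namespace, container root == host root.
NO_IDMAP_DOMAIN_XML = """<domain type='lxc'>
  <name>no-idmap</name>
  <os><type>exe</type><init>/sbin/init</init></os>
</domain>"""


def parse_idmap(domain_xml):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]}; empty lists if absent."""
    maps = {"uid": [], "gid": []}
    idmap = ET.fromstring(domain_xml).find("idmap")
    if idmap is None:
        return maps
    for kind in maps:
        for el in idmap.findall(kind):
            maps[kind].append((int(el.get("start")), int(el.get("target")), int(el.get("count"))))
    return maps


def parse_proc_id_map(text):
    """Parse the /proc/<pid>/uid_map or gid_map format ("inside outside count"
    per line) as read from inside the container; same triple shape as parse_idmap."""
    result = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            result.append(tuple(int(f) for f in fields))
    return result


def container_to_host(mapping, container_id):
    """Host id for a container-side id, or None when it is outside every range
    (the kernel then presents the overflow id, 65534, on the host side)."""
    for start, target, count in mapping:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def dac_write_allowed(host_uid, host_gid, owner_uid, owner_gid, mode):
    """Discretionary write check as the host kernel applies it to a process
    with these *host* credentials. Host uid 0 is assumed to hold
    CAP_DAC_OVERRIDE in the initial user namespace and bypass the mode bits."""
    if host_uid == 0:
        return True
    if host_uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if host_gid == owner_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def container_root_can_tune_cgroup(domain_xml, owner=(0, 0), mode=0o644):
    """Can uid 0 inside the container write a cgroup control file?
    Assumption: the file is owned by host root with mode 0644, the default
    for files such as cpuset.cpus under /sys/fs/cgroup."""
    maps = parse_idmap(domain_xml)
    if not maps["uid"]:
        return True  # no user namespace: container root is host root
    host_uid = container_to_host(maps["uid"], 0)
    host_gid = container_to_host(maps["gid"], 0)
    if host_uid is None:
        host_uid = 65534  # overflow uid ("nobody")
    if host_gid is None:
        host_gid = 65534
    return dac_write_allowed(host_uid, host_gid, owner[0], owner[1], mode)


if __name__ == "__main__":
    print("without idmap:", container_root_can_tune_cgroup(NO_IDMAP_DOMAIN_XML))
    print("with idmap   :", container_root_can_tune_cgroup(SAMPLE_DOMAIN_XML))
    # Constructed content of `cat /proc/self/uid_map` inside the mapped container.
    inside = parse_proc_id_map("         0       1000         10\n")
    print("container uid 0 is host uid", container_to_host(inside, 0))
```

This models only the kernel's DAC decision: an AppArmor profile still applies on top, and whether a cgroup filesystem is mounted inside the container at all is decided by libvirt_lxc, which the example does not change. The point it shows is why the mapping is the simplest fix: once uid 0 in the container is host uid 1000, a mode 0644 root-owned control file is read-only for it without any AppArmor rule.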
jj
2013-Aug-26 08:36 UTC
[libvirt-users] Re: How to deal with LXC cgroup access control with apparmor ?
thx, Gao feng. If I do not want to disable the cgroup in container, is there any config file? Or do I have to do something to the libvirt source code to skip it?

------------------ Original Message ------------------
From: "Gao feng"<gaofeng@cn.fujitsu.com>;
Sent: Monday, August 26, 2013 4:06 PM
To: "止语"<zhongjj@foxmail.com>;
Cc: "libvirt-users"<libvirt-users@redhat.com>;
Subject: Re: [libvirt-users] How to deal with LXC cgroup access control with apparmor ?

On 08/26/2013 03:42 PM, 止语 wrote:
> I am playing with libvirt 1.1.1 (lxc)
> when I was starting a LXC container, the process location of cgroup is pretty , just the root directory
> from the process. But I could tune the cgroup in a container as an user that logged, This is not accepted...
>
> I wonder how to restrict it with apparmor ,so one can not modify files in the cgroup fs, e.g the cpus or mem,
> if i restrict it with "deny /sys/fs/cgroup/** wrklx," in apparmor ,the container would not start up .
> "Permission denied", because that a process would mount the cgroup, it seems done by libvirt_lxc,
> Any way to restrict the cgroup in the container or just not mount cgroup in the container ??
>
> Any help would be appreciated, thanks .
>

The simplest way is to enable user namespace for libvirt. The below is the configuration you should do to enable user namespace:

[quote]
If you want to enable user namespace, set the idmap element. The uid and gid elements have three attributes:

start: First user id in container.
target: The first user id in container will be mapped to this target user id in host.
count: How many users in container being allowed to map to host's user.

<idmap>
  <uid start='0' target='1000' count='10'/>
  <gid start='0' target='1000' count='10'/>
</idmap>
[/quote]