jj
2013-Aug-26 08:36 UTC
[libvirt-users] Re: How to deal with LXC cgroup access control with apparmor ?
thx, Gao feng,
If I do not want to disable the cgroup in container, is there any config file? or do I have to do something to the libvirt source code to skip it?

------------------ Original Mail ------------------
From: "Gao feng"<gaofeng@cn.fujitsu.com>;
Sent: Monday, August 26, 2013 4:06 PM
To: "止语"<zhongjj@foxmail.com>;
Cc: "libvirt-users"<libvirt-users@redhat.com>;
Subject: Re: [libvirt-users] How to deal with LXC cgroup access control with apparmor ?

On 08/26/2013 03:42 PM, 止语 wrote:
> I am playing with libvirt 1.1.1 (lxc)
> when I was starting a LXC container, the process location of cgroup is pretty, just the root directory
> from the process. But I could tune the cgroup in a container as a user that logged in. This is not accepted...
>
> I wonder how to restrict it with apparmor, so one cannot modify files in the cgroup fs, e.g. the cpus or mem,
> if I restrict it with "deny /sys/fs/cgroup/** wrklx," in apparmor, the container would not start up.
> "Permission denied", because a process would mount the cgroup, it seems done by libvirt_lxc,
> Any way to restrict the cgroup in the container or just not mount cgroup in the container ??
>
> Any help would be appreciated, thanks.
>

The simplest way is to enable user namespace for libvirt.
the below is the configuration you should do to enable user namespace

[quote]
If you want to enable user namespace, set the idmap element.
the uid and gid elements have three attributes:
start   First user id in container.
target  The first user id in container will be mapped to this target user id in host.
count   How many users in container being allowed to map to host's user.

<idmap>
  <uid start='0' target='1000' count='10'/>
  <gid start='0' target='1000' count='10'/>
</idmap>
[/quote]
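As an added worked example (not code from libvirt, from the list, or from anyone in this thread), the following Python script parses the `<idmap>` element described in Gao feng's reply, maps a container uid to the host uid it becomes, flags mappings that would leave container root as real host root or overlap on the host side, and shows why a remapped container root can no longer write a host-root-owned cgroup control file. The domain XML and the cgroup file's owner and mode are constructed sample values; the permission check is a simplified owner/other mode test that ignores group bits and capabilities.

```python
"""Worked example of libvirt LXC <idmap> semantics (start/target/count).

Added illustration, not libvirt code. The domain XML below is a constructed
sample carrying the idmap quoted in the thread.
"""
import xml.etree.ElementTree as ET

SAMPLE_DOMAIN_XML = """<domain type='lxc'>
  <name>idmap-example</name>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
</domain>
"""


def parse_idmap(domain_xml):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from a domain XML string."""
    root = ET.fromstring(domain_xml)
    ranges = {"uid": [], "gid": []}
    for kind in ranges:
        for el in root.findall(f"./idmap/{kind}"):
            ranges[kind].append((int(el.get("start")), int(el.get("target")), int(el.get("count"))))
    return ranges


def container_to_host(ranges, container_id):
    """Host id that a container-side id becomes, or None if it falls outside every range."""
    for start, target, count in ranges:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def check_idmap(ranges):
    """Sanity findings for one uid or gid mapping; an empty list means it looks fine."""
    findings = []
    for start, target, count in ranges:
        if count <= 0:
            findings.append(f"range starting at {start} has non-positive count {count}")
            continue
        # Mapping host id 0 into the container defeats the purpose: container root is host root.
        if target <= 0 < target + count:
            findings.append(f"host id 0 (root) lies inside {target}..{target + count - 1}; "
                            "container root would be real host root")
    # Two ranges claiming the same host ids is a misconfiguration the kernel rejects.
    by_host = sorted((r for r in ranges if r[2] > 0), key=lambda r: r[1])
    for (s1, t1, c1), (s2, t2, c2) in zip(by_host, by_host[1:]):
        if t2 < t1 + c1:
            findings.append(f"host ranges {t1}..{t1 + c1 - 1} and {t2}..{t2 + c2 - 1} overlap")
    if container_to_host(ranges, 0) is None:
        findings.append("container id 0 is not mapped; container root would run as the overflow id")
    return findings


def may_write(host_uid, owner_uid, mode):
    """Simplified POSIX check: host root always, owner needs u+w, everyone else needs o+w.
    Group bits and capabilities are deliberately ignored for clarity."""
    if host_uid == 0:
        return True
    if host_uid == owner_uid:
        return bool(mode & 0o200)
    return bool(mode & 0o002)


# Constructed sample: a cgroup control file as it typically appears on the host,
# owned by host root with mode 0644 (e.g. cpuset.cpus under /sys/fs/cgroup).
CGROUP_FILE_OWNER = 0
CGROUP_FILE_MODE = 0o644


def container_root_can_write_cgroup(domain_xml):
    """Can uid 0 inside the container write the sample cgroup file?
    With no <idmap>, container uid 0 simply is host uid 0."""
    uid_ranges = parse_idmap(domain_xml)["uid"]
    host_uid = container_to_host(uid_ranges, 0) if uid_ranges else 0
    if host_uid is None:
        host_uid = 65534  # kernel overflow uid for ids left unmapped
    return may_write(host_uid, CGROUP_FILE_OWNER, CGROUP_FILE_MODE)


if __name__ == "__main__":
    idmap = parse_idmap(SAMPLE_DOMAIN_XML)
    print("uid ranges:", idmap["uid"], "findings:", check_idmap(idmap["uid"]))
    print("container uid 0 -> host uid", container_to_host(idmap["uid"], 0))
    print("container root can write cgroup file with idmap:",
          container_root_can_write_cgroup(SAMPLE_DOMAIN_XML))
    print("container root can write cgroup file without idmap:",
          container_root_can_write_cgroup("<domain type='lxc'><name>x</name></domain>"))
```

With the idmap from the thread, container uid 0 becomes host uid 1000, so the 0644 root-owned cgroup file is read-only for it; with no idmap at all, container root is host root and the write succeeds, which is the situation 止语 observed.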
Gao feng
2013-Aug-26 09:07 UTC
Re: [libvirt-users] Re: How to deal with LXC cgroup access control with apparmor ?
On 08/26/2013 04:36 PM, jj wrote:
> thx, Gao feng,
> If I do not want to disable the cgroup in container, is there any config file? or do I have to do something to the libvirt source code
> to skip it?
>

Sorry, I don't quite understand what your request is.
enabling user namespace doesn't disable cgroup in container, it will make the user in the container have no rights to change the setting of cgroup.

Thanks
止语
2013-Aug-26 09:17 UTC
Re: [libvirt-users] Re: How to deal with LXC cgroup access control with apparmor ?
OOPS: "If I do not want to disable the cgroup in container" ==> "If I do want to disable the cgroup in container"
I meant if the user namespace is not enabled in the kernel ...

thx, I will try user namespace later. I am not working on x86 and not sure whether the user namespace is ok in the kernel I am going to use. I would try to disable the cgroup in lxc first.
THX to Gao feng.

------------------ 止语 ------------------

------------------ Original ------------------
From: "Gao feng"<gaofeng@cn.fujitsu.com>;
Date: Mon, Aug 26, 2013 05:07 PM
To: "jj"<jj@yuzao.org>;
Cc: "libvirt-users"<libvirt-users@redhat.com>;
Subject: Re: [libvirt-users] Re: How to deal with LXC cgroup access control with apparmor ?

On 08/26/2013 04:36 PM, jj wrote:
> thx, Gao feng,
> If I do not want to disable the cgroup in container, is there any config file? or do I have to do something to the libvirt source code
> to skip it?
>

Sorry, I don't quite understand what your request is.
enabling user namespace doesn't disable cgroup in container, it will make the user in the container have no rights to change the setting of cgroup.

Thanks

_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users