libvirt users - Aug 2013 - Re: 回复： How to deal with LXC cgroup access control withapparmor ?

thx, Gao feng,
If I do not want to disable the cgroup in container , is there any config file ?
or  do i have to do something to the libvirt source code
to skip it ?


 




------------------ 原始邮件 ------------------
发件人: "Gao feng"<gaofeng@cn.fujitsu.com>;
发送时间: 2013年8月26日(星期一) 下午4:06
收件人: "止语"<zhongjj@foxmail.com>; 
抄送: "libvirt-users"<libvirt-users@redhat.com>; 
主题: Re: [libvirt-users] How to deal with LXC cgroup access control withapparmor
?



On 08/26/2013 03:42 PM, 止语 wrote:
> I am playing with libvirt 1.1.1 (lxc)
> when I was starting a LXC container,  the process location of cgroup is
pretty ,  just the root directory
> from the process. But I could tune the cgroup in a container as an user
that logged, This is not accepted...
> 
> I wonder how to restrict it with apparmor ,so one can not modify files in 
the cgroup fs, e.g  the cpus or mem,
> if i restrict it with "deny /sys/fs/cgroup/** wrklx,"  in
apparmor ,the container woulld not start up .
> "Permission denied", because that a process would mount the
cgroup, it seems done by libvirt_lxc,
> Any way to restrict the cgroup in the container or just not mount cgroup in
the container ??
> 
> Any help would be appreciated, thanks .
> 
The simplest way is to enable user namespace for libvirt.


the below is the configuration you should do to enable user namespace

[quote]

If you want to enable user namespace,set the idmap element. the uid and gid
elements have three attributes:

start
First user id in container.
target
The first user id in container will be mapped to this target user id in host.
count
How many users in container being allowed to map to host's user.
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>


[/quote]

On 08/26/2013 04:36 PM, jj wrote:
> thx, Gao feng,
> If I do not want to disable the cgroup in container , is there any config
file ? or  do i have to do something to the libvirt source code
> to skip it ?
> 
>  
Sorry, I don't quite understand what's your request.
enable user namespace doesn't disable cgroup in container, it will make user
in container has no rights to change the setting of cgroup.

Thanks

OOPS:
      "If I do not want to disable the cgroup in container" ==>
"If I do want to disable the cgroup in container"
      I meant if the user namespace not enabled in kernel ...

thx ,I will try user namespace later. I am not working on x86 and not suer
wheather the usernamespace is ok in the kernel I am going to use.
I would try to disable the cgroup in lxc first. 

THX to Gao feng .



------------------
止语




------------------ Original ------------------
From:  "Gao feng"<gaofeng@cn.fujitsu.com>;
Date:  Mon, Aug 26, 2013 05:07 PM
To:  "jj"<jj@yuzao.org>; 
Cc:  "libvirt-users"<libvirt-users@redhat.com>; 
Subject:  Re: [libvirt-users]回复：  How to deal with LXC cgroup access control
withapparmor ?



On 08/26/2013 04:36 PM, jj wrote:
> thx, Gao feng,
> If I do not want to disable the cgroup in container , is there any config
file ? or  do i have to do something to the libvirt source code
> to skip it ?
> 
>  
Sorry, I don't quite understand what's your request.
enable user namespace doesn't disable cgroup in container, it will make user
in container has no rights to change the setting of cgroup.

Thanks

_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
..