From: Serge Hallyn
Date: Thu, 3 Sep 2015 20:24:06 +0000 (+0000)
Subject: Add a nesting.conf which can be included to support nesting containers (v2)
X-Git-Tag: lxc-2.1.1~901
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=108b88ce3187e08cc630e17903f8e7748a545be1;hp=76072aec5c984b9e91bd4344ab013e38d8bff311;p=mirror_lxc.git

Add a nesting.conf which can be included to support nesting containers (v2)

Newer kernels have added a new restriction: if /proc or /sys on the host has files or non-empty directories which are over-mounted, and there is no /proc which is fully visible, then it assumes there is a "security" reason for this. It prevents anyone in a non-initial user namespace from creating a new proc or sysfs mount.

To work around this, this patch adds a new 'nesting.conf' which can be lxc.include'd from a container configuration file. It adds a non-overmounted mount of /proc and /sys under /dev/.lxc, so that the kernel can see that we're not trying to *hide* things like /proc/uptime and /sys/devices/virtual/net. If the host adds this to the config file for container w1, then container w1 will support unprivileged child containers.

The nesting.conf file also sets the apparmor profile to the with-nesting variant, since that is required anyway. This actually means that supporting nesting isn't really more work than it used to be, just different. Instead of adding

lxc.aa_profile = lxc-container-default-with-nesting

you now just need to

lxc.include = /usr/share/lxc/config/nesting.conf

(Look, fewer characters :)

Finally, in order to maintain the current apparmor protections on proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable. We don't need to be able to use them, we're just showing the kernel what's what.

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting index 91ad6de11..66aa5fd7d 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting +++ b/config/apparmor/profiles/lxc-default-with-nesting @@ -8,6 +8,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de # Uncomment the line below if you are not using cgmanager # mount fstype=cgroup -> /sys/fs/cgroup/**, + deny /dev/.lxc/proc/** rw, + deny /dev/.lxc/sys/** rw, mount fstype=proc -> /var/cache/lxc/**, mount fstype=sysfs -> /var/cache/lxc/**, mount options=(rw,bind), diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am index 329f919b2..e587899ed 100644 --- a/config/templates/Makefile.am +++ b/config/templates/Makefile.am @@ -18,6 +18,7 @@ templatesconfig_DATA = \ gentoo.common.conf \ gentoo.moresecure.conf \ gentoo.userns.conf \ + nesting.conf \ opensuse.common.conf \ opensuse.userns.conf \ oracle.common.conf \ diff --git a/config/templates/nesting.conf.in b/config/templates/nesting.conf.in new file mode 100644 index 000000000..b712ef6bf --- /dev/null +++ b/config/templates/nesting.conf.in @@ -0,0 +1,8 @@ +# Use a profile which allows nesting +lxc.aa_profile = lxc-container-default-with-nesting + +# Add uncovered mounts of proc and sys, else unprivileged users +# cannot remount those + +lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0 +lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0 diff --git a/configure.ac b/configure.ac index 5e9538e47..4bad326e3 100644 --- a/configure.ac +++ b/configure.ac @@ -647,6 +647,7 @@ AC_CONFIG_FILES([ config/templates/gentoo.common.conf config/templates/gentoo.moresecure.conf config/templates/gentoo.userns.conf + config/templates/nesting.conf config/templates/opensuse.common.conf config/templates/opensuse.userns.conf config/templates/oracle.common.conf
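Review bot: in the lxc-default-with-nesting hunk, the two new rules `deny /dev/.lxc/proc/** rw,` and `deny /dev/.lxc/sys/** rw,` only cover paths below the mountpoints, not the mountpoint directories themselves (`**` needs at least one character after the slash), so a directory listing of /dev/.lxc/proc (the pid list) and /dev/.lxc/sys remains readable even though the commit message describes them as non-readable; if that is the intent, add matching `deny /dev/.lxc/proc/ r,` and `deny /dev/.lxc/sys/ r,` rules. The deny rules also cover only `rw`; the profile's existing `mount fstype=proc -> /var/cache/lxc/**` line shows mount targets are constrained, but nothing here constrains unmounting /dev/.lxc/proc or /dev/.lxc/sys from inside the container, which would silently remove the "visible proc" signal this change relies on and make nested unprivileged containers fail in a hard-to-diagnose way. Worth a short comment above the deny rules explaining that these mounts exist only to satisfy the kernel's visibility check and are intentionally unusable.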
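Review bot: the Makefile.am hunk adds the generated `nesting.conf` to `templatesconfig_DATA`, but this hunk does not show `nesting.conf.in` being added to the distribution sources (for example `EXTRA_DIST`) alongside the other `.in` templates; check that the new source file is shipped in the tarball, otherwise `make dist` output will fail to regenerate `nesting.conf` from configure.ac.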
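Review bot: in the new `config/templates/nesting.conf.in`, the file carries no `@...@` substitutions, so it does not need configure processing at all; either drop the `.in` suffix and the configure.ac/Makefile.am plumbing, or, if a substitution is expected later, note that here. More importantly, both mount entries use `optional`, so if the proc or sysfs mount under dev/.lxc fails (for example because the host kernel or mount rules refuse it), the container starts without any error and nesting simply does not work; since the whole point of the include is to make nesting work, consider documenting that failure mode in the comment, or dropping `optional` so the failure is visible at start. Also note that the only thing keeping `dev/.lxc/proc` and `dev/.lxc/sys` unusable is the AppArmor deny rule from the first hunk, which applies only when `lxc.aa_profile` actually takes effect; on a host without AppArmor, these entries expose the un-overmounted proc and sysfs trees inside the container, and a one-line comment saying so would help administrators who include this file there. Finally, the blank line between the comment block and the two `lxc.mount.entry` lines separates the explanation from the lines it describes; the other templates keep comments directly above their entries.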