What does the lxc-container-default-with-nesting AppArmor profile do?

Time: 2016-02-13 02:52:08

Tags: lxc apparmor

I am using nested LXC with the lxc-container-default-with-nesting profile, shown below.

profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

#  Uncomment the line below if you are not using cgmanager
#  mount fstype=cgroup -> /sys/fs/cgroup/**,

  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
}

I have two questions about the following line.

  mount fstype=proc -> /var/cache/lxc/**,

  1. Why is it safe to allow the container to mount /proc?

  2. Why does the container need to mount /proc under /var/cache/lxc?

1 answer:

Answer 0: (score: 1)

Nested container profile

This profile lets you create nested LXC containers, one inside another. It is disabled by default because it bypasses some of the default cgroup restrictions (more info here).

Basically, it changes the apparmor rules to allow lxc to remount certain system resources inside the container (with some restrictions).

lxc.container.conf

If you look at man lxc.container.conf, this section describes the settings you can edit for how proc is mounted. I think the default is proc:mixed (but I haven't verified this!):

  lxc.mount.auto
      specify which standard kernel file systems should be automatically mounted. This may dramatically simplify the configuration. The file systems are:

      · proc:mixed (or proc): mount /proc as read-write, but remount /proc/sys and /proc/sysrq-trigger read-only for security / container isolation purposes.

      · proc:rw: mount /proc as read-write

Unprivileged LXC

By the way, if you're not using unprivileged LXC, you should be. Seriously. It adds an extra layer of protection by restricting what the root user inside the container can do (it actually maps it to a non-root user outside the container). This provides an extra layer of protection for root, in case it slips past the apparmor rules.

As for why it uses /proc, I don't know. One guess is that it has to do with not conflicting with /var/cache/lxc. If you are interested in the reasoning, looking at the source code would probably be a good starting point.
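The answer above quotes the proc:mixed vs proc:rw semantics of lxc.mount.auto but leaves checking them to the reader. The script below is an added example, not code from the question, the answer, or the LXC project: it reads a container's /proc/mounts table and reports whether /proc/sys and /proc/sysrq-trigger are remounted read-only (the proc:mixed behaviour the man page describes) or left writable (proc:rw). The mount tables embedded at the bottom are constructed samples; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not part of the original question or answer): classify how /proc
# is mounted inside a container from its /proc/mounts table, so you can confirm
# whether the lxc.mount.auto setting in effect behaves like proc:mixed (/proc rw,
# but /proc/sys and /proc/sysrq-trigger remounted ro) or like proc:rw.
# The sample tables at the bottom are constructed for illustration.

# mount_is_ro MOUNTPOINT: read a /proc/mounts-format table on stdin
# (fields: source mountpoint fstype options dump pass) and return 0 if the
# entry for MOUNTPOINT carries the "ro" option, 1 otherwise.
mount_is_ro() {
    awk -v t="$1" '
        $2 == t {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# mount_present MOUNTPOINT: return 0 if MOUNTPOINT appears in the table on stdin.
mount_present() {
    awk -v t="$1" '$2 == t { found = 1 } END { if (found) exit 0; exit 1 }'
}

# classify_proc_mounts TABLE: print one of
#   proc:mixed  - /proc mounted, /proc/sys and /proc/sysrq-trigger both ro
#   proc:rw     - /proc mounted, neither path remounted read-only
#   partial     - /proc mounted, only one of the two paths is protected
#   none        - /proc is not mounted at all
classify_proc_mounts() {
    table="$1"
    if ! printf '%s\n' "$table" | mount_present /proc; then
        echo none
        return 0
    fi
    sys_ro=0
    trig_ro=0
    if printf '%s\n' "$table" | mount_is_ro /proc/sys; then sys_ro=1; fi
    if printf '%s\n' "$table" | mount_is_ro /proc/sysrq-trigger; then trig_ro=1; fi
    case "$sys_ro$trig_ro" in
        11) echo proc:mixed ;;
        00) echo proc:rw ;;
        *)  echo partial ;;
    esac
}

# Constructed sample: what /proc/mounts looks like in a container started with
# lxc.mount.auto = proc:mixed (the two protected paths are separate ro entries).
MIXED_TABLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0'

# Constructed sample: a container started with lxc.mount.auto = proc:rw.
RW_TABLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Inside a real container, run: classify_proc_mounts "$(cat /proc/mounts)"
printf 'sample proc:mixed table -> %s\n' "$(classify_proc_mounts "$MIXED_TABLE")"
printf 'sample proc:rw table    -> %s\n' "$(classify_proc_mounts "$RW_TABLE")"
```

A "partial" result is worth treating as a misconfiguration: with /proc/sys writable, root in the container can change kernel sysctls, and a writable /proc/sysrq-trigger lets it issue sysrq commands to the host kernel, which is exactly what proc:mixed exists to prevent.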