I am using nested LXC with the lxc-container-default-with-nesting profile, shown below.
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
#include <abstractions/lxc/start-container>
# Uncomment the line below if you are not using cgmanager
# mount fstype=cgroup -> /sys/fs/cgroup/**,
deny /dev/.lxc/proc/** rw,
deny /dev/.lxc/sys/** rw,
mount fstype=proc -> /var/cache/lxc/**,
mount fstype=sysfs -> /var/cache/lxc/**,
mount options=(rw,bind),
}
I have two questions about the following line.
mount fstype=proc -> /var/cache/lxc/**,
Why is it safe to allow the container to mount /proc?
Why does the container need to mount /proc under /var/cache/lxc?
Answer 0: (score: 1)
This profile lets you create nested LXC containers, one inside another. It is disabled by default because it bypasses some of the default cgroup restrictions (more info here).
Basically, it changes the AppArmor rules to allow lxc to re-mount certain system resources inside the container (with some restrictions).
If you look at man lxc.container.conf, there is a section describing the settings you can edit for how proc is mounted. I believe it uses proc:mixed by default (but I have not verified this!)
lxc.mount.auto
specify which standard kernel file systems should be
automatically mounted. This may dramatically simplify
the configuration. The file systems are:
· proc:mixed (or proc):
mount /proc as read-write, but
remount /proc/sys and
/proc/sysrq-trigger read-only
for security / container isolation purposes.
· proc:rw: mount
/proc as read-write
As an aside, if you are not using unprivileged LXC, you should be. Seriously. It adds an extra layer of protection, restricting what root in the container can do (it actually maps it to a non-root user outside the container). This gives /proc an extra layer of protection in case of a slip-up in the AppArmor rules.
As for why it uses /var/cache/lxc, I don't know. One guess is that it has to do with not conflicting with /proc. If you are interested in the reasoning, looking at the source code would be a good starting point.