Changes in start-container

Changes in start-container http://src.iws.cs.ovgu.de/source/rss/lxc/config/apparmor/abstractions/start-container en Copyright 2005 Java AppArmor: add make-rslave to usr.bin.lxc-start The profile already contains mount options=(rw, make-slave) -> **, Which allows going through all mountpoints with make-slave, so it seems to make sense to also allow the directly recursive variant with "make-rslave". Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> /lxc/config/apparmor/abstractions/start-container - 05352fc9304f465b9322e22d19f62641d82dc6ad Wolfgang Bumiller <w.bumiller@proxmox.com> apparmor: support lxc.ttydir when bind-mounting ptys Because we now create the ttys from inside the container, we had to add an apparmor rule for start-container to bind-mount /dev/pts/** -> /dev/tty*/. However that's not sufficient if the container sets lxc.ttydir, in which case we need to support mounting onto files in subdirs of /dev. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com> /lxc/config/apparmor/abstractions/start-container - 1b0c17462ad4f9a05ea6e5ced5e444152ec7a193 Serge Hallyn <serge.hallyn@ubuntu.com> create lxc.tty ptys from container process Lxc has always created the ptys for use by console and ttys early on from the monitor process. This has some advantages, but also has disadvantages, namely (1) container ptys counting against the max ptys for the host, and (2) not having a /dev/pts/N in the container to pass to getty. (2) was not a problem for us historically because we bind-mounted the host's /dev/pts/N onto a /dev/ttyN in the container. However, systemd hardocdes a check for container_ttys that the path have 'pts/' in it. If it were only for (2) I'd have opted for a systemd patch to check the device major number, but (1) made it worth moving the openpty to the container namespace. So this patch moves the tty creation into the task which becomes the container init. It then passes the fds for the opened ptys back to the monitor over a unix socketpair (for use by lxc-console). The /dev/console is still created in the monitor process, so that it can for instance be used by lxc.logfd. So now if you have a foreground container with lxc.tty = 4, you should end up with one host /dev/pts entry per container rather than 5. And lxc-console now works with systemd containers. Note that if the container init mounts its own devpts over the one mounted by lxc, the tty /dev/pts/n will be hidden. This is ok since it's only systemd that needs it, and systemd won't do that. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com> /lxc/config/apparmor/abstractions/start-container - e8bd4e430bf76ed4737563476ce685b2425412ec Serge Hallyn <serge.hallyn@ubuntu.com> apparmor: Fix slave bind mounts The permission to make a mount "slave" is spelt "make-slave", not "slave", see https://launchpad.net/bugs/1401619. Also, we need to make all mounts slave, not just the root dir. https://launchpad.net/bugs/1350947 /lxc/config/apparmor/abstractions/start-container - 64b4c7a34b5c0407f3bcddc83f7c061dadb583bb Martin Pitt <martin.pitt@ubuntu.com> apparmor: Allow slave bind mounts Without this, if the system uses shared subtrees by default (like systemd), you get a large stream of lxc-start: Permission denied - Failed to make /<mountpoint> rslave lxc-start: Continuing... with apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave" and eventual failure plus a lot of leftover mounts in the host. https://launchpad.net/bugs/1325468 /lxc/config/apparmor/abstractions/start-container - 7987eddb9f916b67110fb2d04470bed10022f67f Martin Pitt <martin.pitt@ubuntu.com> apparmor: Use more generic allow rule for pivot Recent fixes in the apparmor kernel code is now making at least the CI environment and quite possibly some others fail due to an invalid path in the pivot_root stanza. So update both lines to allow a more generic pivot_root call for anything in LXC's work directory. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> /lxc/config/apparmor/abstractions/start-container - 524505b9714beac89f4952296cefa9f997168b98 Stéphane Graber <stgraber@ubuntu.com> apparmor: Update profiles for current upstream parser Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> /lxc/config/apparmor/abstractions/start-container - 2a31251cc5f428f96ee3d322a78556310a681e14 Stéphane Graber <stgraber@ubuntu.com> apparmor: Add profiles Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> /lxc/config/apparmor/abstractions/start-container - 8da250dad4b11c4983031742a83fb8f358044fe0 Stéphane Graber <stgraber@ubuntu.com>