I have a container that I use to maintain and host my personal repository of Arch packages. I build those in systemd-nspawn containers so I have nesting enabled.
This setup used to work until a few weeks ago when a SystemD update rolled around.
After some investigation I found the culprit to be AppArmor (again!) which blocks devpts mounts for LXC.
Now ideally I'd like to allow for devpts mounts if the newinstance option is present, but I couldn't find a way to specify this in the AppArmor policy. It allows specifying exact matches of options (exactly these options) or super-sets of options (any of these options, but not others). Requiring a certain option and ignoring others doesn't seem to be an option.
If that is indeed impossible I'd like to unconfine this container from AppArmor. Setting the respective option in
had no effect as the file was re-written as soon as I restarted the container. Any hints on this approach?
Thanks in advance.
This setup used to work until a few weeks ago when a SystemD update rolled around.
After some investigation I found the culprit to be AppArmor (again!) which blocks devpts mounts for LXC.
Now ideally I'd like to allow for devpts mounts if the newinstance option is present, but I couldn't find a way to specify this in the AppArmor policy. It allows specifying exact matches of options (exactly these options) or super-sets of options (any of these options, but not others). Requiring a certain option and ignoring others doesn't seem to be an option.
If that is indeed impossible I'd like to unconfine this container from AppArmor. Setting the respective option in
Code:
/var/lib/lxc/<id>/configThanks in advance.
