[SOLVED] Bind mount inside container

J

Julian J. M.

New Member
Aug 3, 2016
6
0
1
46
After migrating an openvz container to LXC, we are having some issues with the way ISPConfig mounts the log folder for each website.

Logs reside in /var/log/ispconfig/httpd/website/, but the website roots are in /var/www/whatever

ISPConfig uses bind mount on the log folders, and it's being denied by apparmor on the HN. I've seen some forum posts with a solution that consists on adding this lines to /etc/apparmor.d/lxc/lxc-default, inside the profile section:

Code: 
mount options=(rw, bind),

Some questions
1) Is it safe to do that? Any security implications?
2) Is there any way to create another profile and assign this particular container to that profile. Something line lxc-container-with-bind-mount

Here's the apparmor error in dmesg:
Code: 
[322902.652667] audit: type=1400 audit(1470506341.736:1153): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/var/www/clients/client1/web3/log/" pid=18543 comm="mount" srcname="/var/log/ispconfig/httpd/example.com/" flags="rw, bind"



Thanks,
Julian J. M.
 
Well, to answer my question, just in case someone else finds this.

Copy the default profile:

$ cp /etc/apparmor.d/lxc/lxc-default /etc/apparmor.d/lxc/lxc-default-ispconfig
Click to expand...

Then edit and add the mount options line:

Code: 
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-ispconfig flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,

  # allow bind mounts of anything in /var to anything in /var
  mount options=(rw, bind) /var/** -> /var/**,
}

Reload profiles (no need to reboot):

$ apparmor_parser -r /etc/apparmor.d/lxc-containers
Click to expand...

Then assign the profile to the container. Add the following to /etc/pve/lxc/VMID.conf:

Code: 
lxc.aa_profile = lxc-container-ispconfig

Stop and start the container and you're done.

Julian.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back