[SOLVED] Bind mount inside container

Julian J. M.

Renowned Member
Aug 3, 2016
After migrating an openvz container to LXC, we are having some issues with the way ISPConfig mounts the log folder for each website.

Logs reside in /var/log/ispconfig/httpd/website/, but the website roots are in /var/www/whatever.

ISPConfig uses bind mounts on the log folders, and they're being denied by AppArmor on the HN. I've seen some forum posts with a solution that consists of adding these lines to /etc/apparmor.d/lxc/lxc-default, inside the profile section:

Code:
mount options=(rw, bind),

Some questions:
1) Is it safe to do that? Any security implications?
2) Is there any way to create another profile and assign this particular container to that profile? Something like lxc-container-with-bind-mount.

Here's the apparmor error in dmesg:
Code:
[322902.652667] audit: type=1400 audit(1470506341.736:1153): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/var/www/clients/client1/web3/log/" pid=18543 comm="mount" srcname="/var/log/ispconfig/httpd/example.com/" flags="rw, bind"
Thanks,
Julian J. M.
 
Well, to answer my question, just in case someone else finds this.

Copy the default profile:

$ cp /etc/apparmor.d/lxc/lxc-default /etc/apparmor.d/lxc/lxc-default-ispconfig

Then edit and add the mount options line:

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-ispconfig flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,

  # allow bind mounts of anything in /var to anything in /var
  mount options=(rw, bind) /var/** -> /var/**,
}

Reload profiles (no need to reboot):

$ apparmor_parser -r /etc/apparmor.d/lxc-containers

Then assign the profile to the container. Add the following to /etc/pve/lxc/VMID.conf:

Code:
lxc.aa_profile = lxc-container-ispconfig

Stop and start the container and you're done.

Julian.
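An added example, not part of Julian's posts: a few POSIX shell helpers that pull the fields out of an AppArmor denial like the one quoted in the question, derive the narrowest source -> destination rule that would satisfy it, and count path-less mount options=(...) rules in a profile text (the form question 1 asks about). The function names and the two profile fragments are constructed for the example; the sample log line is the one from the question.

```shell
#!/bin/sh
# Added example; function names and profile fragments are constructed here.

# The denial quoted in the question, used as sample input.
SAMPLE_DENIAL='[322902.652667] audit: type=1400 audit(1470506341.736:1153): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/var/www/clients/client1/web3/log/" pid=18543 comm="mount" srcname="/var/log/ispconfig/httpd/example.com/" flags="rw, bind"'

# Constructed profile fragments: the path-less rule asked about in the
# question, and the /var-scoped rule from the answer.
LOOSE_PROFILE='profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount options=(rw, bind),
}'
SCOPED_PROFILE='profile lxc-container-ispconfig flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount options=(rw, bind) /var/** -> /var/**,
}'

# audit_field LINE KEY: print the value of KEY="..." from an audit line.
# The required leading blank keeps name= from matching inside srcname=.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# is_bind_mount_denial LINE: succeed only for a DENIED mount whose flags
# include bind; this is the event to alert on in the host's kernel log.
is_bind_mount_denial() {
    [ "$(audit_field "$1" apparmor)" = "DENIED" ] || return 1
    [ "$(audit_field "$1" operation)" = "mount" ] || return 1
    case "$(audit_field "$1" flags)" in
        *bind*) return 0 ;;
        *) return 1 ;;
    esac
}

# scoped_rule_for LINE: the narrowest mount rule (source -> destination)
# that would permit exactly the denied mount, instead of a path-less rule.
scoped_rule_for() {
    printf 'mount options=(%s) %s -> %s,\n' "$(audit_field "$1" flags)" \
        "$(audit_field "$1" srcname)" "$(audit_field "$1" name)"
}

# count_unscoped_mount_rules PROFILE_TEXT: number of mount rules that carry
# options but no source or destination path (bind-mount anything anywhere).
count_unscoped_mount_rules() {
    printf '%s\n' "$1" |
        grep -cE '^[[:space:]]*mount[[:space:]]+options=\([^)]*\)[[:space:]]*,[[:space:]]*$' || true
}
```

Run count_unscoped_mount_rules over a profile before apparmor_parser -r to catch a rule that still lacks paths; the /var/** -> /var/** rule from the answer counts as scoped, the bare (rw, bind) one does not.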