subutai-io / agent

Subutai Agent is a tool that provides CLI to control Subutai infrastructure, and is a daemon that receives and performs Management commands through secured channels
https://subutai.io

LXC 3 with Buster containers: certain services fail #1021

Open lbthomsen opened 4 years ago

lbthomsen commented 4 years ago

After upgrading to buster/lxc 3, some services fail when using buster-based containers - most noticeably:

apache2, mariadb-server (mysql), dovecot

lbthomsen commented 4 years ago

The reason is that the above services - in buster - create a private namespace for temporary files as a security measure. This is not allowed by default for lxc containers.

The solution is to allow this in the apparmor profile that the containers are using.

It is really bad style in Debian packages to modify files that belong to another package, so I suggest the following:

  1. We create a NEW /etc/apparmor.d/lxc/lxc-default-subutai profile and install this along with agent
  2. We create a NEW /usr/share/lxc/config/subutai.conf which enables above apparmor profile (and fuse while we're at it).
  3. We create new base templates that use our subutai.conf rather than debian.common.conf

This would be the most elegant approach.

lbthomsen commented 4 years ago

Suggested /etc/apparmor.d/lxc/lxc-default-subutai:

# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-subutai flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount options=(rw,bind),
  mount options=(rw,rbind),
  mount options=(rw,rshared),
  mount options=(ro,nosuid,noexec,remount,bind,strictatime),
}

Suggested /usr/share/lxc/config/subutai.conf:

# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf

# Doesn't support consoles in /dev/lxc/
lxc.tty.dir =

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined
lxc.apparmor.profile = lxc-container-default-subutai

# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file

# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
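A way to verify that a container built on such a template actually ends up with the proposed profile, as an added example that is not code from the subutai agent project: it follows lxc.include lines the way LXC layers config files (later assignments override earlier ones) and checks that the /dev/fuse mount entry survives. The demo function builds constructed temporary files that mirror the common.conf -> subutai.conf -> container config chain; they are not the real /usr/share/lxc/config files.

```shell
# Print FILE with every "lxc.include = path" line replaced by that file's
# contents, recursively (directory includes are not handled in this example).
lxc_expand_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            lxc.include*=*)
                inc=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                lxc_expand_config "$inc" || return 1 ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Effective value of KEY in FILE: LXC applies keys in order, so the last
# assignment wins. Commented lines never match because '#' stays in the key.
lxc_effective_value() {
    lxc_expand_config "$2" | awk -v key="$1" '
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            }
        }
        END { print v }'
}

# Exit 0 when FILE is confined by the subutai profile and exposes /dev/fuse.
lxc_check_subutai() {
    [ "$(lxc_effective_value lxc.apparmor.profile "$1")" = lxc-container-default-subutai ] &&
    lxc_expand_config "$1" | grep -q '^lxc.mount.entry *= */dev/fuse '
}

# Constructed demo tree mirroring the proposed layering (temporary paths,
# not the real /usr/share/lxc/config files). Prints the container config path.
lxc_demo_config() {
    d=$(mktemp -d)
    printf 'lxc.apparmor.profile = lxc-container-default-cgns\n' > "$d/common.conf"
    { printf 'lxc.include = %s/common.conf\n' "$d"
      printf '#lxc.apparmor.profile = unconfined\n'
      printf 'lxc.apparmor.profile = lxc-container-default-subutai\n'
      printf 'lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file\n'; } > "$d/subutai.conf"
    printf 'lxc.include = %s/subutai.conf\nlxc.uts.name = web01\n' "$d" > "$d/web01.conf"
    printf '%s\n' "$d/web01.conf"
}

cfg=$(lxc_demo_config)
lxc_check_subutai "$cfg" && echo "$cfg: profile $(lxc_effective_value lxc.apparmor.profile "$cfg"), /dev/fuse entry: OK"
```

Point lxc_check_subutai at a real container config (for example /var/lib/lxc/NAME/config) to confirm the template change took effect before starting the container.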

akarasulu commented 4 years ago

Why did we not catch these on the upgrade? Obviously some services are still continuing to operate but I guess those were peers with fuse devices enabled?

lbthomsen commented 4 years ago

Only an issue with buster++ containers. And it is not even the OS as such but the packaging - buster apache and mariadb are using apparmor features not allowed in lxc containers by default.