[libvirt-users] How to deal with LXC cgroup access control with apparmor ?

Gao feng gaofeng at cn.fujitsu.com
Mon Aug 26 08:06:01 UTC 2013


On 08/26/2013 03:42 PM, 止语 wrote:
> I am playing with libvirt 1.1.1 (lxc).
> When I was starting a LXC container, the process location of cgroup is pretty, just the root directory
> from the process. But I could tune the cgroup in a container as a user that logged in. This is not accepted...
> 
> I wonder how to restrict it with apparmor, so one can not modify files in the cgroup fs, e.g. the cpus or mem.
> If I restrict it with "deny /sys/fs/cgroup/** wrklx," in apparmor, the container would not start up:
> "Permission denied", because a process would mount the cgroup; it seems to be done by libvirt_lxc.
> Any way to restrict the cgroup in the container, or just not mount cgroup in the container?
> 
> Any help would be appreciated, thanks.
> 

The simplest way is to enable user namespace for libvirt.


Below is the configuration you need to enable user namespaces:

[quote]

If you want to enable user namespaces, set the idmap element. The uid and gid elements have three attributes:

start
    First user id in the container.
target
    The first user id in the container will be mapped to this target user id on the host.
count
    How many ids in the container are allowed to be mapped to the host's ids.

  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>


[/quote]
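As an added example (not from this thread or from libvirt itself), a small Python helper that reads the idmap element from a domain definition, translates container ids to host ids the way the start/target/count attributes describe, and flags a map that would still hand host root to the container; the domain XML below is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal libvirt LXC domain carrying the idmap from the
# reply above. Only the idmap element matters to the helpers below.
DOMAIN_XML = """
<domain type='lxc'>
  <name>demo</name>
  <memory unit='MiB'>256</memory>
  <os><type>exe</type><init>/bin/sh</init></os>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
</domain>
"""

def parse_idmap(domain_xml):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]}."""
    root = ET.fromstring(domain_xml.strip())
    maps = {"uid": [], "gid": []}
    for kind in maps:
        for el in root.findall("./idmap/" + kind):
            maps[kind].append(tuple(int(el.get(a)) for a in ("start", "target", "count")))
    return maps

def to_host_id(ranges, container_id):
    """Host id for a container id, or None when the id is outside every range
    (the kernel then shows it as the overflow id, 65534 by default)."""
    for start, target, count in ranges:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None

def check_idmap(maps):
    """Return a list of problems: a missing map (container root stays host root),
    a range that starts at host id 0, or ranges that overlap on the host side."""
    problems = []
    for kind, ranges in maps.items():
        if not ranges:
            problems.append("no %s map: container root is host root" % kind)
            continue
        spans = sorted((t, t + c) for _s, t, c in ranges)
        if spans[0][0] == 0:
            problems.append("%s map starts at host id 0" % kind)
        for (_lo, end), (nxt, _hi) in zip(spans, spans[1:]):
            if nxt < end:
                problems.append("overlapping %s ranges" % kind)
    return problems
```

With the sample map, container uid 0 becomes host uid 1000, so a process in the container writing to a root-owned cgroup file on the host is refused by ordinary DAC, without any AppArmor rule.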
