* [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience
From: Stoiko Ivanov @ 2020-07-22 11:05 UTC
To: pve-devel

This patchset addresses 2 minor inconveniences I ran into, while running my
host with 'systemd.unified_cgroup_hierarchy=1':

* apparmor mount denies for '/proc/sys/kernel/random/boot_id' (this happens
  irrespective of the cgroup-layout)
* having to add
  `lxc.init.cmd: /lib/systemd/systemd systemd.unified_cgroup_hierarchy=1`
  to all my container configs (for debian and arch containers at least;
  alpine runs without issues) - see [0] for a discussion of the topic

While investigating this I noticed that the fixes for both issues were already
on upstream/master (with one small other fix in between) - so instead of
cherry-picking both patches I fast-forwarded to the last needed commit.
Glad to resend with the patches cherry-picked and added to our patchqueue.

I would probably submit the apparmor fix upstream (after a quick check by
another set of eyes :)

[0] https://github.com/lxc/lxc/issues/3183

Stoiko Ivanov (2):
  update lxc to include fixes for cgroupv2 setups
  apparmor: add rule for allowing remount of boot_id

 ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
 debian/patches/series                         |  1 +
 lxc                                           |  2 +-
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch

--
2.20.1
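The apparmor mount denies mentioned above show up as AppArmor audit events that name the target path and the mount flags. The following is an added example, not code from this patch series or from LXC: it turns such a DENIED mount event into the exact `mount options=(...) -> target,` rule that would permit it and checks whether a profile abstraction already carries that rule. The audit line and the profile excerpts are constructed; timestamp, pid and profile path are made up.

```python
import re

# Constructed sample of an AppArmor mount denial as the kernel logs it when the
# read-only bind remount of boot_id done by lxc_setup_boot_id (src/lxc/conf.c)
# is not covered by the lxc-start profile. Timestamp, pid, profile path: made up.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1595416000.123:45): apparmor="DENIED" '
    'operation="mount" error=-13 profile="/usr/bin/lxc-start" '
    'name="/proc/sys/kernel/random/boot_id" pid=4242 comm="lxc-start" '
    'flags="ro, nosuid, nodev, noexec, remount, bind"'
)

# Constructed excerpts of the start-container abstraction, without/with the 2/2 rule.
PROFILE_BEFORE = """
  mount -> /var/lib/lxc/{**,},

  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,

  # required for some pre-mount hooks
  mount fstype=overlayfs,
"""
PROFILE_AFTER = """
  mount -> /var/lib/lxc/{**,},

  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,

  # required for some pre-mount hooks
  mount fstype=overlayfs,
"""

_FIELD = re.compile(r'(\w+)="([^"]*)"')
# mount [options=(...)] [source] -> target,   (only the rule forms used above)
_RULE = re.compile(
    r'^\s*mount(?:\s+options=\(([^)]*)\))?(?:\s+(/\S+))?\s+->\s+(\S+),\s*$', re.M)


def _flags(text):
    return [f.strip() for f in text.split(",") if f.strip()]


def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit line as a dict, with
    the mount flags split into 'flaglist'; None if it is not a DENIED mount."""
    fields = dict(_FIELD.findall(line))
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        return None
    fields["flaglist"] = _flags(fields.get("flags", ""))
    return fields


def rule_for_denial(line):
    """Derive the profile rule permitting exactly the denied mount: target path
    from name=, flag set from flags= (kept in the order logged)."""
    d = parse_denial(line)
    if d is None:
        return None
    if not d["flaglist"]:
        return "mount -> %s," % d["name"]
    return "mount options=(%s) -> %s," % (", ".join(d["flaglist"]), d["name"])


def profile_covers(profile_text, line):
    """Textual check, not AppArmor's matcher: is there a mount rule on the denied
    target whose options=() set equals the denied flags (order-insensitive)?
    The pre-patch rule names a source and has no options=, so it does not count."""
    d = parse_denial(line)
    if d is None:
        return False
    want = frozenset(d["flaglist"])
    for opts, _source, target in _RULE.findall(profile_text):
        if target == d["name"] and frozenset(_flags(opts)) == want:
            return True
    return False
```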
* [pve-devel] [PATCH lxc 1/2] update lxc to include fixes for cgroupv2 setups
From: Stoiko Ivanov @ 2020-07-22 11:05 UTC
To: pve-devel

This commit fast-forwards 7 commits from upstream/master.
The first commit (partially) fixes a missing apparmor rule for
/proc/sys/kernel/random/boot_id.
The last commit fixes running containers in pure cgroupv2 environments (by
premounting cgroup2).
It contains one other fix for a netlink bug, which I haven't seen in our
support channels, thus assume limited potential for regressions.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 lxc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxc b/lxc
index 538337e..4547e73 160000
--- a/lxc
+++ b/lxc
@@ -1 +1 @@ -Subproject commit 538337ee9dc5ca385cc8d9b6faaac1575c014a1b +Subproject commit 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec
--
2.20.1
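Review bot: the commit message should name the seven upstream commits this fast-forward brings in, at least by subject, because the hunk only shows the submodule pointer moving from 538337ee9dc5ca385cc8d9b6faaac1575c014a1b to 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec and a reviewer cannot tell from it which commits carry the boot_id apparmor rule, the cgroup2 premount and the netlink fix, or whether anything else rode along; pasting the output of `git log --oneline 538337e..4547e73` from inside the submodule into the message would make the range verifiable without checking it out.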
* [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Stoiko Ivanov @ 2020-07-22 11:05 UTC
To: pve-devel

commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
fixes the apparmor deny for mounting boot_id (used for example for identifying
different boots with `journalctl`) inside the container.

Tested by editing the profile and replacing it disregarding the cache:
`apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 27 insertions(+)
 create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch

diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
new file mode 100644
index 0000000..fefc586
--- /dev/null
+++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
@@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Stoiko Ivanov <s.ivanov@proxmox.com> +Date: Wed, 22 Jul 2020 12:17:24 +0200 +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id + +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all +necessary mount calls for /proc/sys/kernel/random/boot_id +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. + +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> +--- + config/apparmor/abstractions/start-container.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in +index 9998f1121..9f64c2727 100644 +--- a/config/apparmor/abstractions/start-container.in ++++ b/config/apparmor/abstractions/start-container.in +@@ -22,6 +22,7 @@ + mount -> /var/lib/lxc/{**,}, + + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, + + # required for some pre-mount hooks + mount fstype=overlayfs, diff --git a/debian/patches/series b/debian/patches/series index ee20ef5..f588081 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch pve/0003-PVE-Config-attach-always-use-getent.patch +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch -- 2.20.1 ^ permalink raw reply [flat|nested] 8+ messages in thread
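Review bot: the new rule in start-container.in, `mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,`, has no source path and an options=() conditional, which matches only a remount carrying exactly that flag set; the patch description should state that the set mirrors the flags of the second mount call in lxc_setup_boot_id (src/lxc/conf.c), so that anyone changing those flags later knows the abstraction needs the same change, and it could also say why the existing `mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,` rule does not already cover that remount. Separately, the patch file still carries the placeholder `From 0000000000000000000000000000000000000000` header; once the upstream pull request is merged, record the upstream commit id there (or mark the patch as a backport) so the debian/patches series documents where it came from.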
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Thomas Lamprecht @ 2020-07-22 11:51 UTC
To: Proxmox VE development discussion, Stoiko Ivanov

On 22.07.20 13:05, Stoiko Ivanov wrote:
> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
> fixes the apparmor deny for mounting boot_id (used for example for identifying
> different boots with `journalctl`) inside the container.
>
> Tested by editing the profile and replacing it disregarding the cache:
> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
>

Was this proposed to upstream as a pull request? Did not find it on the
LXC GitHub page.

> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
>  debian/patches/series                         |  1 +
>  2 files changed, 27 insertions(+)
>  create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>
> diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> new file mode 100644
> index 0000000..fefc586
> --- /dev/null
> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> @@ -0,0 +1,26 @@ > +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 > +From: Stoiko Ivanov <s.ivanov@proxmox.com> > +Date: Wed, 22 Jul 2020 12:17:24 +0200 > +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id > + > +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all > +necessary mount calls for /proc/sys/kernel/random/boot_id > +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. > + > +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> > +--- > + config/apparmor/abstractions/start-container.in | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in > +index 9998f1121..9f64c2727 100644 > +--- a/config/apparmor/abstractions/start-container.in > ++++ b/config/apparmor/abstractions/start-container.in > +@@ -22,6 +22,7 @@ > + mount -> /var/lib/lxc/{**,}, > + > + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, > ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, > + > + # required for some pre-mount hooks > + mount fstype=overlayfs, > diff --git a/debian/patches/series b/debian/patches/series > index ee20ef5..f588081 100644 > --- a/debian/patches/series > +++ b/debian/patches/series > @@ -1,3 +1,4 @@ > pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch > pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch > pve/0003-PVE-Config-attach-always-use-getent.patch > +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Stoiko Ivanov @ 2020-07-22 11:59 UTC
To: Thomas Lamprecht; +Cc: Proxmox VE development discussion

On Wed, 22 Jul 2020 13:51:19 +0200
Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:

> On 22.07.20 13:05, Stoiko Ivanov wrote:
> > commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
> > fixes the apparmor deny for mounting boot_id (used for example for identifying
> > different boots with `journalctl`) inside the container.
> >
> > Tested by editing the profile and replacing it disregarding the cache:
> > `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
> >
>
> was this proposed to upstream as a pull request? Did not find it on the
> LXC GitHub page.

Sorry, my phrasing in the cover-letter was misleading: I want to make a
pull request upstream for this patch, after somebody else sanity-checks it
-> if it looks ok to you - I'll open the PR.

>
> > Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> > ---
> >  ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
> >  debian/patches/series                         |  1 +
> >  2 files changed, 27 insertions(+)
> >  create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >
> > diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> > new file mode 100644
> > index 0000000..fefc586
> > --- /dev/null
> > +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> > @@ -0,0 +1,26 @@ > > +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 > > +From: Stoiko Ivanov <s.ivanov@proxmox.com> > > +Date: Wed, 22 Jul 2020 12:17:24 +0200 > > +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id > > + > > +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all > > +necessary mount calls for /proc/sys/kernel/random/boot_id > > +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. > > + > > +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> > > +--- > > + config/apparmor/abstractions/start-container.in | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in > > +index 9998f1121..9f64c2727 100644 > > +--- a/config/apparmor/abstractions/start-container.in > > ++++ b/config/apparmor/abstractions/start-container.in > > +@@ -22,6 +22,7 @@ > > + mount -> /var/lib/lxc/{**,}, > > + > > + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, > > ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, > > + > > + # required for some pre-mount hooks > > + mount fstype=overlayfs, > > diff --git a/debian/patches/series b/debian/patches/series > > index ee20ef5..f588081 100644 > > --- a/debian/patches/series > > +++ b/debian/patches/series > > @@ -1,3 +1,4 @@ > > pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch > > pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch > > pve/0003-PVE-Config-attach-always-use-getent.patch > > +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Thomas Lamprecht @ 2020-07-22 12:09 UTC
To: Stoiko Ivanov; +Cc: Proxmox VE development discussion

On 22.07.20 13:59, Stoiko Ivanov wrote:
> On Wed, 22 Jul 2020 13:51:19 +0200
> Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
>
>> On 22.07.20 13:05, Stoiko Ivanov wrote:
>>> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
>>> fixes the apparmor deny for mounting boot_id (used for example for identifying
>>> different boots with `journalctl`) inside the container.
>>>
>>> Tested by editing the profile and replacing it disregarding the cache:
>>> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
>>>
>>
>> was this proposed to upstream as a pull request? Did not find it on the
>> LXC GitHub page.
>
> sorry my phrasing in the cover-letter was misleading: I want to make a
> pull request upstream for this patch, after somebody else sanity-checks it
> -> if it looks ok to you - I'll open the PR.
>

Haha, and I wanted the reverse: get upstream to review it with their
in-depth knowledge so that I can rely on that check ;-P

>
>>
>>> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>>> ---
>>>  ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
>>>  debian/patches/series                         |  1 +
>>>  2 files changed, 27 insertions(+)
>>>  create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>>>
>>> diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>>> new file mode 100644
>>> index 0000000..fefc586
>>> --- /dev/null
>>> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>>> @@ -0,0 +1,26 @@ >>> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 >>> +From: Stoiko Ivanov <s.ivanov@proxmox.com> >>> +Date: Wed, 22 Jul 2020 12:17:24 +0200 >>> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id >>> + >>> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all >>> +necessary mount calls for /proc/sys/kernel/random/boot_id >>> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. >>> + >>> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> >>> +--- >>> + config/apparmor/abstractions/start-container.in | 1 + >>> + 1 file changed, 1 insertion(+) >>> + >>> +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in >>> +index 9998f1121..9f64c2727 100644 >>> +--- a/config/apparmor/abstractions/start-container.in >>> ++++ b/config/apparmor/abstractions/start-container.in >>> +@@ -22,6 +22,7 @@ >>> + mount -> /var/lib/lxc/{**,}, >>> + >>> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, >>> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, >>> + >>> + # required for some pre-mount hooks >>> + mount fstype=overlayfs, >>> diff --git a/debian/patches/series b/debian/patches/series >>> index ee20ef5..f588081 100644 >>> --- a/debian/patches/series >>> +++ b/debian/patches/series >>> @@ -1,3 +1,4 @@ >>> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch >>> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch >>> pve/0003-PVE-Config-attach-always-use-getent.patch >>> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch >>> >> > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Stoiko Ivanov @ 2020-07-22 12:15 UTC
To: Thomas Lamprecht; +Cc: Proxmox VE development discussion

On Wed, 22 Jul 2020 14:09:09 +0200
Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:

> On 22.07.20 13:59, Stoiko Ivanov wrote:
> > On Wed, 22 Jul 2020 13:51:19 +0200
> > Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> >
> >> On 22.07.20 13:05, Stoiko Ivanov wrote:
> >>> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
> >>> fixes the apparmor deny for mounting boot_id (used for example for identifying
> >>> different boots with `journalctl`) inside the container.
> >>>
> >>> Tested by editing the profile and replacing it disregarding the cache:
> >>> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
> >>>
> >>
> >> was this proposed to upstream as a pull request? Did not find it on the
> >> LXC GitHub page.
> >
> > sorry my phrasing in the cover-letter was misleading: I want to make a
> > pull request upstream for this patch, after somebody else sanity-checks it
> > -> if it looks ok to you - I'll open the PR.
> >
>
> Haha, and I wanted the reverse: get upstream to review it with their
> in-depth knowledge so that I can rely on that check ;-P

Aye - makes sense - https://github.com/lxc/lxc/pull/3495 :)

>
> >
> >>
> >>> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >>> ---
> >>>  ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
> >>>  debian/patches/series                         |  1 +
> >>>  2 files changed, 27 insertions(+)
> >>>  create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>> > >>> diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > >>> new file mode 100644 > >>> index 0000000..fefc586 > >>> --- /dev/null > >>> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > >>> @@ -0,0 +1,26 @@ > >>> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 > >>> +From: Stoiko Ivanov <s.ivanov@proxmox.com> > >>> +Date: Wed, 22 Jul 2020 12:17:24 +0200 > >>> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id > >>> + > >>> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all > >>> +necessary mount calls for /proc/sys/kernel/random/boot_id > >>> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. > >>> + > >>> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> > >>> +--- > >>> + config/apparmor/abstractions/start-container.in | 1 + > >>> + 1 file changed, 1 insertion(+) > >>> + > >>> +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in > >>> +index 9998f1121..9f64c2727 100644 > >>> +--- a/config/apparmor/abstractions/start-container.in > >>> ++++ b/config/apparmor/abstractions/start-container.in > >>> +@@ -22,6 +22,7 @@ > >>> + mount -> /var/lib/lxc/{**,}, > >>> + > >>> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, > >>> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, > >>> + > >>> + # required for some pre-mount hooks > >>> + mount fstype=overlayfs, > >>> diff --git a/debian/patches/series b/debian/patches/series > >>> index ee20ef5..f588081 100644 > >>> --- a/debian/patches/series > >>> +++ b/debian/patches/series 
> >>> @@ -1,3 +1,4 @@ > >>> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch > >>> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch > >>> pve/0003-PVE-Config-attach-always-use-getent.patch > >>> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > >>> > >> > > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience
From: Thomas Lamprecht @ 2020-09-09 19:06 UTC
To: Proxmox VE development discussion, Stoiko Ivanov

On 22.07.20 13:05, Stoiko Ivanov wrote:
> This patchset addresses 2 minor inconveniences I ran into, while running my
> host with 'systemd.unified_cgroup_hierarchy=1':
>
> * apparmor mount denies for '/proc/sys/kernel/random/boot_id' (this happens
>   irrespective of the cgroup-layout)
> * having to add
>   `lxc.init.cmd: /lib/systemd/systemd systemd.unified_cgroup_hierarchy=1`
>   to all my container configs (for debian and arch containers at least;
>   alpine runs without issues) - see [0] for a discussion of the topic
>
> While investigating this I noticed that the fixes for both issues were already
> on upstream/master (with one small other fix in between) - so instead of
> cherry-picking both patches I fast-forwarded to the last needed commit.
> Glad to resend with the patches cherry-picked and added to our patchqueue.
>
> I would probably submit the apparmor fix upstream (after a quick check by
> another set of eyes :)
>
> [0] https://github.com/lxc/lxc/issues/3183
>
> Stoiko Ivanov (2):
>   update lxc to include fixes for cgroupv2 setups
>   apparmor: add rule for allowing remount of boot_id
>
>  ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
>  debian/patches/series                         |  1 +
>  lxc                                           |  2 +-
>  3 files changed, 28 insertions(+), 1 deletion(-)
>  create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>

2/2 got merged into upstream and is available with 4.0.4, could you see if we
can seamlessly update from currently packaged 4.0.3 to 4.0.4?