* [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience
From: Stoiko Ivanov @ 2020-07-22 11:05 UTC
To: pve-devel
This patchset addresses 2 minor inconveniences I ran into, while running my
host with 'systemd.unified_cgroup_hierarchy=1':

* apparmor mount denies for '/proc/sys/kernel/random/boot_id' (this happens
irrespective of the cgroup-layout)
* having to add
`lxc.init.cmd: /lib/systemd/systemd systemd.unified_cgroup_hierarchy=1`
to all my container configs (for debian and arch containers at least;
alpine runs without issues) - see [0] for a discussion of the topic

While investigating this I noticed that the fixes for both issues were already
on upstream/master (with one small other fix in between) - so instead of
cherry-picking both patches I fast-forwarded to the last needed commit.
Glad to resend with the patches cherry-picked and added to our patchqueue.

I would probably submit the apparmor fix upstream (after a quick check by
another set of eyes :)

[0] https://github.com/lxc/lxc/issues/3183
Stoiko Ivanov (2):
update lxc to include fixes for cgroupv2 setups
apparmor: add rule for allowing remount of boot_id
...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
debian/patches/series | 1 +
lxc | 2 +-
3 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
--
2.20.1
* [pve-devel] [PATCH lxc 1/2] update lxc to include fixes for cgroupv2 setups
From: Stoiko Ivanov @ 2020-07-22 11:05 UTC
To: pve-devel
This commit fast-forwards 7 commits from upstream/master. The first commit
(partially) fixes a missing apparmor rule for /proc/sys/kernel/random/boot_id.
The last commit fixes running containers in pure cgroupv2 environments (by
premounting cgroup2).

It contains one other fix for a netlink bug, which I haven't seen in our
support channels, thus I assume limited potential for regressions.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
lxc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lxc b/lxc
index 538337e..4547e73 160000
--- a/lxc
+++ b/lxc
@@ -1 +1 @@
-Subproject commit 538337ee9dc5ca385cc8d9b6faaac1575c014a1b
+Subproject commit 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec
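Review bot: the description says this fast-forwards 7 upstream commits, but the hunk only records the submodule moving from `538337ee9dc5ca385cc8d9b6faaac1575c014a1b` to `4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec`, and the message names only three of the seven (the partial boot_id apparmor rule, the netlink fix, the cgroup2 premount); please list all pulled-in commit subjects in the commit message so the regression surface can be reviewed without checking out the submodule.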
--
2.20.1
* [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Stoiko Ivanov @ 2020-07-22 11:05 UTC
To: pve-devel
commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
fixes the apparmor deny for mounting boot_id (used for example for identifying
different boots with `journalctl`) inside the container.

Tested by editing the profile and replacing it disregarding the cache:
`apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 27 insertions(+)
create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
new file mode 100644
index 0000000..fefc586
--- /dev/null
+++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Wed, 22 Jul 2020 12:17:24 +0200
+Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
+
+The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
+necessary mount calls for /proc/sys/kernel/random/boot_id
+(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
+
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ config/apparmor/abstractions/start-container.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
+index 9998f1121..9f64c2727 100644
+--- a/config/apparmor/abstractions/start-container.in
++++ b/config/apparmor/abstractions/start-container.in
+@@ -22,6 +22,7 @@
+ mount -> /var/lib/lxc/{**,},
+
+ mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
+
+ # required for some pre-mount hooks
+ mount fstype=overlayfs,
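Review bot: the added line `++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,` uses the exact-match `options=` form, so it only permits a remount carrying precisely the flag set that lxc_setup_boot_id (cited in the description) passes; that is the right choice, since the looser `options in (...)` form would also let a remount without `ro` through, but the coupling deserves a one-line comment above the rule in start-container.in naming that function so whoever next changes either side keeps them in sync.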
diff --git a/debian/patches/series b/debian/patches/series
index ee20ef5..f588081 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0003-PVE-Config-attach-always-use-getent.patch
+pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
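Review bot: the new entry `+pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch` lands after `pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch`, and AppArmor deny rules take precedence over allow rules irrespective of their order in the profile; please confirm that 0002's deny pattern for /proc does not also cover this `remount` of /proc/sys/kernel/random/boot_id (the new rule is `ro`, so it should fall outside a rw-only deny) and say in the description that the apparmor_parser test was run with all four pve patches applied.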
--
2.20.1
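A defender-side companion to the rule above, added here and not part of the patch or of LXC: it parses AppArmor mount denials as they appear in the kernel log and derives the exact-match rule each one needs, which for the boot_id remount is exactly the line the patch adds. It assumes the standard `key="value"` layout of AppArmor audit records; the log lines are constructed, and their profile name, pids and timestamps are made up.

```python
import re

# Constructed sample kernel-log lines in the AppArmor audit format (not taken
# from the thread); profile name, pids and timestamps are made up. Line 1 is
# the bind mount of the boot_id file, lines 2 and 3 the ro remount that the
# patch allows (two containers), line 4 a non-mount event that must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1595416512.101:41): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="/usr/bin/lxc-start" name="/proc/sys/kernel/random/boot_id" pid=4242 comm="lxc-start" srcname="/dev/.lxc-boot-id" flags="bind"
audit: type=1400 audit(1595416512.102:42): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/sys/kernel/random/boot_id" pid=4242 comm="lxc-start" flags="ro, nosuid, nodev, noexec, remount, bind"
audit: type=1400 audit(1595416530.300:43): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/sys/kernel/random/boot_id" pid=4311 comm="lxc-start" flags="ro, nosuid, nodev, noexec, remount, bind"
audit: type=1400 audit(1595416600.500:44): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/lxc-start" pid=4400 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword; the quoted alternative is tried first so
# values containing spaces (the flags list) are captured whole.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def mount_denials(log_text):
    """Yield the parsed fields of every apparmor="DENIED" operation="mount" event."""
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "mount":
            yield fields


def suggest_rule(denial):
    """Build the narrowest AppArmor mount rule that would allow this denial.

    The audit record lists the mount flags exactly as the kernel saw them, and
    the exact-match options=(...) form re-uses that list verbatim. A remount
    has no source to match on, so only the options and the target remain.
    """
    flags = [f.strip() for f in denial.get("flags", "").split(",") if f.strip()]
    parts = ["mount"]
    if denial.get("fstype"):
        parts.append("fstype=%s" % denial["fstype"])
    if flags:
        parts.append("options=(%s)" % ", ".join(flags))
    if "remount" not in flags and denial.get("srcname"):
        parts.append(denial["srcname"])
    parts.append("-> %s," % denial["name"])
    return " ".join(parts)


def suggested_rules(log_text):
    """Distinct rule suggestions in first-seen order, with how often each denial occurred."""
    counts = {}
    for denial in mount_denials(log_text):
        rule = suggest_rule(denial)
        counts[rule] = counts.get(rule, 0) + 1
    return list(counts.items())


if __name__ == "__main__":
    for rule, n in suggested_rules(SAMPLE_LOG):
        print("%3d x  %s" % (n, rule))
```

Feed it `journalctl -k` or `dmesg` output from the host to get the candidate rule lines; each one still has to be judged against the rest of the profile before it goes into an abstraction.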
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Thomas Lamprecht @ 2020-07-22 11:51 UTC
To: Proxmox VE development discussion, Stoiko Ivanov
On 22.07.20 13:05, Stoiko Ivanov wrote:
> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
> fixes the apparmor deny for mounting boot_id (used for example for identifying
> different boots with `journalctl`) inside the container.
>
> Tested by editing the profile and replacing it disregarding the cache:
> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
>
Was this proposed upstream as a pull request? I did not find it on the
LXC GitHub page.
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
> debian/patches/series | 1 +
> 2 files changed, 27 insertions(+)
> create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>
> diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> new file mode 100644
> index 0000000..fefc586
> --- /dev/null
> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> @@ -0,0 +1,26 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Stoiko Ivanov <s.ivanov@proxmox.com>
> +Date: Wed, 22 Jul 2020 12:17:24 +0200
> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
> +
> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
> +necessary mount calls for /proc/sys/kernel/random/boot_id
> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
> +
> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> +---
> + config/apparmor/abstractions/start-container.in | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
> +index 9998f1121..9f64c2727 100644
> +--- a/config/apparmor/abstractions/start-container.in
> ++++ b/config/apparmor/abstractions/start-container.in
> +@@ -22,6 +22,7 @@
> + mount -> /var/lib/lxc/{**,},
> +
> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
> +
> + # required for some pre-mount hooks
> + mount fstype=overlayfs,
> diff --git a/debian/patches/series b/debian/patches/series
> index ee20ef5..f588081 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1,3 +1,4 @@
> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
> pve/0003-PVE-Config-attach-always-use-getent.patch
> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Stoiko Ivanov @ 2020-07-22 11:59 UTC
To: Thomas Lamprecht; +Cc: Proxmox VE development discussion
On Wed, 22 Jul 2020 13:51:19 +0200
Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> On 22.07.20 13:05, Stoiko Ivanov wrote:
> > commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
> > fixes the apparmor deny for mounting boot_id (used for example for identifying
> > different boots with `journalctl`) inside the container.
> >
> > Tested by editing the profile and replacing it disregarding the cache:
> > `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
> >
>
> Was this proposed upstream as a pull request? I did not find it on the
> LXC GitHub page.
Sorry, my phrasing in the cover letter was misleading: I want to make a
pull request upstream for this patch after somebody else sanity-checks it
-> if it looks ok to you, I'll open the PR.
>
> > Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> > ---
> > ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
> > debian/patches/series | 1 +
> > 2 files changed, 27 insertions(+)
> > create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >
> > diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> > new file mode 100644
> > index 0000000..fefc586
> > --- /dev/null
> > +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> > @@ -0,0 +1,26 @@
> > +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> > +From: Stoiko Ivanov <s.ivanov@proxmox.com>
> > +Date: Wed, 22 Jul 2020 12:17:24 +0200
> > +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
> > +
> > +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
> > +necessary mount calls for /proc/sys/kernel/random/boot_id
> > +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
> > +
> > +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> > +---
> > + config/apparmor/abstractions/start-container.in | 1 +
> > + 1 file changed, 1 insertion(+)
> > +
> > +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
> > +index 9998f1121..9f64c2727 100644
> > +--- a/config/apparmor/abstractions/start-container.in
> > ++++ b/config/apparmor/abstractions/start-container.in
> > +@@ -22,6 +22,7 @@
> > + mount -> /var/lib/lxc/{**,},
> > +
> > + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
> > ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
> > +
> > + # required for some pre-mount hooks
> > + mount fstype=overlayfs,
> > diff --git a/debian/patches/series b/debian/patches/series
> > index ee20ef5..f588081 100644
> > --- a/debian/patches/series
> > +++ b/debian/patches/series
> > @@ -1,3 +1,4 @@
> > pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
> > pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
> > pve/0003-PVE-Config-attach-always-use-getent.patch
> > +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >
>
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Thomas Lamprecht @ 2020-07-22 12:09 UTC
To: Stoiko Ivanov; +Cc: Proxmox VE development discussion
On 22.07.20 13:59, Stoiko Ivanov wrote:
> On Wed, 22 Jul 2020 13:51:19 +0200
> Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
>
>> On 22.07.20 13:05, Stoiko Ivanov wrote:
>>> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
>>> fixes the apparmor deny for mounting boot_id (used for example for identifying
>>> different boots with `journalctl`) inside the container.
>>>
>>> Tested by editing the profile and replacing it disregarding the cache:
>>> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
>>>
>>
>> Was this proposed upstream as a pull request? I did not find it on the
>> LXC GitHub page.
>
> Sorry, my phrasing in the cover letter was misleading: I want to make a
> pull request upstream for this patch after somebody else sanity-checks it
> -> if it looks ok to you, I'll open the PR.
>
Haha, and I wanted the reverse: get upstream to review it with their
in-depth knowledge so that I can rely on that check ;-P
>
>>
>>> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>>> ---
>>> ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
>>> debian/patches/series | 1 +
>>> 2 files changed, 27 insertions(+)
>>> create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>>>
>>> diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>>> new file mode 100644
>>> index 0000000..fefc586
>>> --- /dev/null
>>> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>>> @@ -0,0 +1,26 @@
>>> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
>>> +From: Stoiko Ivanov <s.ivanov@proxmox.com>
>>> +Date: Wed, 22 Jul 2020 12:17:24 +0200
>>> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
>>> +
>>> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
>>> +necessary mount calls for /proc/sys/kernel/random/boot_id
>>> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
>>> +
>>> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>>> +---
>>> + config/apparmor/abstractions/start-container.in | 1 +
>>> + 1 file changed, 1 insertion(+)
>>> +
>>> +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
>>> +index 9998f1121..9f64c2727 100644
>>> +--- a/config/apparmor/abstractions/start-container.in
>>> ++++ b/config/apparmor/abstractions/start-container.in
>>> +@@ -22,6 +22,7 @@
>>> + mount -> /var/lib/lxc/{**,},
>>> +
>>> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
>>> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
>>> +
>>> + # required for some pre-mount hooks
>>> + mount fstype=overlayfs,
>>> diff --git a/debian/patches/series b/debian/patches/series
>>> index ee20ef5..f588081 100644
>>> --- a/debian/patches/series
>>> +++ b/debian/patches/series
>>> @@ -1,3 +1,4 @@
>>> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
>>> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
>>> pve/0003-PVE-Config-attach-always-use-getent.patch
>>> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>>>
>>
>
* Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
From: Stoiko Ivanov @ 2020-07-22 12:15 UTC
To: Thomas Lamprecht; +Cc: Proxmox VE development discussion
On Wed, 22 Jul 2020 14:09:09 +0200
Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> On 22.07.20 13:59, Stoiko Ivanov wrote:
> > On Wed, 22 Jul 2020 13:51:19 +0200
> > Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> >
> >> On 22.07.20 13:05, Stoiko Ivanov wrote:
> >>> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
> >>> fixes the apparmor deny for mounting boot_id (used for example for identifying
> >>> different boots with `journalctl`) inside the container.
> >>>
> >>> Tested by editing the profile and replacing it disregarding the cache:
> >>> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
> >>>
> >>
> >> Was this proposed upstream as a pull request? I did not find it on the
> >> LXC GitHub page.
> >
> > Sorry, my phrasing in the cover letter was misleading: I want to make a
> > pull request upstream for this patch after somebody else sanity-checks it
> > -> if it looks ok to you, I'll open the PR.
> >
>
> Haha, and I wanted the reverse: get upstream to review it with their
> in-depth knowledge so that I can rely on that check ;-P
aye - makes sense - https://github.com/lxc/lxc/pull/3495 :)
>
> >
> >>
> >>> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >>> ---
> >>> ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
> >>> debian/patches/series | 1 +
> >>> 2 files changed, 27 insertions(+)
> >>> create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>>
> >>> diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>> new file mode 100644
> >>> index 0000000..fefc586
> >>> --- /dev/null
> >>> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>> @@ -0,0 +1,26 @@
> >>> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> >>> +From: Stoiko Ivanov <s.ivanov@proxmox.com>
> >>> +Date: Wed, 22 Jul 2020 12:17:24 +0200
> >>> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
> >>> +
> >>> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
> >>> +necessary mount calls for /proc/sys/kernel/random/boot_id
> >>> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
> >>> +
> >>> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >>> +---
> >>> + config/apparmor/abstractions/start-container.in | 1 +
> >>> + 1 file changed, 1 insertion(+)
> >>> +
> >>> +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
> >>> +index 9998f1121..9f64c2727 100644
> >>> +--- a/config/apparmor/abstractions/start-container.in
> >>> ++++ b/config/apparmor/abstractions/start-container.in
> >>> +@@ -22,6 +22,7 @@
> >>> + mount -> /var/lib/lxc/{**,},
> >>> +
> >>> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
> >>> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
> >>> +
> >>> + # required for some pre-mount hooks
> >>> + mount fstype=overlayfs,
> >>> diff --git a/debian/patches/series b/debian/patches/series
> >>> index ee20ef5..f588081 100644
> >>> --- a/debian/patches/series
> >>> +++ b/debian/patches/series
> >>> @@ -1,3 +1,4 @@
> >>> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
> >>> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
> >>> pve/0003-PVE-Config-attach-always-use-getent.patch
> >>> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>>
> >>
> >
>
* Re: [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience
From: Thomas Lamprecht @ 2020-09-09 19:06 UTC
To: Proxmox VE development discussion, Stoiko Ivanov
On 22.07.20 13:05, Stoiko Ivanov wrote:
> This patchset addresses 2 minor inconveniences I ran into, while running my
> host with 'systemd.unified_cgroup_hierarchy=1':
>
> * apparmor mount denies for '/proc/sys/kernel/random/boot_id' (this happens
> irrespective of the cgroup-layout)
> * having to add
> `lxc.init.cmd: /lib/systemd/systemd systemd.unified_cgroup_hierarchy=1`
> to all my container configs (for debian and arch containers at least;
> alpine runs without issues) - see [0] for a discussion of the topic
>
> While investigating this I noticed that the fixes for both issues were already
> on upstream/master (with one small other fix in between) - so instead of
> cherry-picking both patches I fast-forwarded to the last needed commit.
> Glad to resend with the patches cherry-picked and added to our patchqueue.
>
> I would probably submit the apparmor fix upstream (after a quick check by
> another set of eyes :)
>
> [0] https://github.com/lxc/lxc/issues/3183
>
> Stoiko Ivanov (2):
> update lxc to include fixes for cgroupv2 setups
> apparmor: add rule for allowing remount of boot_id
>
> ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
> debian/patches/series | 1 +
> lxc | 2 +-
> 3 files changed, 28 insertions(+), 1 deletion(-)
> create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
>
2/2 got merged upstream and is available with 4.0.4; could you see
if we can seamlessly update from the currently packaged 4.0.3 to 4.0.4?