lxc-copy can start a container as lxc-start does in some cases,
so we need to have the same profile for it.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Long story behind this. Many years ago, Stéphane Graber
discovered an issue with apparmor mount rules.
Since commit 7f2b13275d ("apparmor: Update mount states handling") it has been prohibited
to change mount propagation flags, because with rules which
allow mount propagation, a user inside the container gets the ability
to mount everything [1].
Now with modern systemd versions this problem has become more critical than
before. For instance, ArchLinux containers fail to start without the
nesting apparmor profile enabled (because the nesting profile effectively
just allows all mounts). Of course, that's a security issue.
We've also enabled sharing on the container rootfs:
https://github.com/lxc/lxc/pull/4229
Now for many workloads it is necessary to change the propagation flag to
private (see https://github.com/canonical/craft-parts/pull/400).
Issue:
$ lxc-start -F archlinux-test
systemd 253-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to Arch Linux!
bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
Failed to remount root directory as MS_SLAVE: Permission denied
(sd-gens) failed with exit status 1.
[!!!!!!] Failed to start up manager.
Exiting PID 1...
Workaround (unsafe):
$ lxc-start -s lxc.apparmor.allow_nesting=1 -s lxc.apparmor.profile=generated -F arch-test
John Johansen (AppArmor maintainer) and the LXD team worked on a fix [2].
It has already been merged into the stable AppArmor 3.0 and 3.1 branches.
There is no stable AppArmor version tag for that yet, but I think it will
be in AppArmor version 3.0.10.
See also:
[1] https://bugs.launchpad.net/apparmor/+bug/1597017
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/333
Fixes: #4280
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Unprivileged users should be able to do fuse mounts during start-container.
Specifically this solves the problem for un-priv fuse mounting via
pre-hook.
Signed-off-by: Scott Moser <smoser@brickies.net>
The nftables masquerade rule for IPv6 was using the IPv4 syntax. This
resulted in the following error when starting the lxc-net.service with
LXC_IPV6_NAT="true" and nftables:
Feb 11 18:54:54 pc lxc-net[4936]: Error: conflicting protocols specified: ip6 vs. ip
Feb 11 18:54:54 pc lxc-net[4936]: ^^^^^^^^
Feb 11 18:54:54 pc lxc-net[4917]: Failed to setup lxc-net.
Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Failed with result 'exit-code'.
Feb 11 18:54:54 pc systemd[1]: Failed to start LXC network bridge setup.
Signed-off-by: Quentin Lyons <36303164+n0p90@users.noreply.github.com>
On openSUSE, our packages are built in the Open Build Service, which does
not have a proper systemd installation that you can query to get the
systemdunitdir.
The simplest solution is to re-add the ability to explicitly set the
systemdunitdir (as was previously possible with the autotools build
system in pre-5.0 LXC).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Since the `lxc` binary is actually provided by lxd, the main
bash-completion file needs to be moved away to not conflict with a bash
completion file provided for the `lxc` binary by lxd.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
dnsmasq fails to start if the misc directory does not exist, as shown by the
following error messages.
localhost.localdomain systemd[1]: Starting LXC network bridge setup...
localhost.localdomain lxc-net[5754]: dnsmasq: cannot open or create lease file /usr/local/var/lib/misc/dnsmasq.lxcbr0.leases: No such file or directory
localhost.localdomain dnsmasq[5754]: cannot open or create lease file /usr/local/var/lib/misc/dnsmasq.lxcbr0.leases: No such file or directory
localhost.localdomain dnsmasq[5754]: FAILED to start up
localhost.localdomain lxc-net[5727]: Failed to setup lxc-net.
localhost.localdomain lxc-net[5727]: Failed to setup lxc-net.
localhost.localdomain systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
localhost.localdomain systemd[1]: lxc-net.service: Failed with result 'exit-code'.
localhost.localdomain systemd[1]: Failed to start LXC network bridge setup.
Modify the 'lxc-net' script to call 'mkdir -p' if the directory does not
exist before executing the dnsmasq daemon.
Signed-off-by: Leesoo Ahn <lsahn@ooseel.net>
When lxc is installed inside an lxc container, trying to bring up
lxc-net with the default parameters will conflict with the networking
setup for lxc on the host. This breaks all networking inside the
container where lxc is installed.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Not only does this use the recommended construct, it also makes the code
more uniform, as the $() construct was already used in many other places.
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
The 'which' command is deprecated on Debian Sid as it is not POSIX
compliant and its behavior is therefore not consistent, so replace it
with 'command -v', which is POSIX compliant.
See https://stackoverflow.com/a/677212 for details.
Also replaced a use of backticks (`) as that is deprecated as well.
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
If a name is a prefix of another word available for completion, adjust
to show all words with given prefix.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
Not really much can be done for this function, as `-m` requires an ID
mapping that has to be manually input, since it will use
`/etc/sub{g,u}id` if not specified.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
List the SELinux contexts available. Not clear if this could be only for
root or if a normal user with `sudo` is also supported.
Using `Fedora34` for basic testing.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
For `lxc-ls --groups` and `lxc-autostart --groups`.
Support leading comma, trailing comma, embedded double comma.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
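As an added example (not the lxc bash-completion code itself), a POSIX sh function that completes only the last entry of a comma-separated `--groups` value while keeping the typed prefix, so a leading comma, a trailing comma and an embedded double comma all still produce candidates; the group names are constructed sample data.

```shell
# Added example, not part of lxc. Completes the last comma-separated entry of a
# --groups value for "lxc-ls --groups" / "lxc-autostart --groups".
#
# lxc_groups_complete CUR GROUP...
#   CUR      the word currently being completed, e.g. "onboot,,d"
#   GROUP... the known group names (constructed sample values in the test)
# Prints one candidate per line, each prefixed with what was already typed.
# Groups already named before the cursor are not offered a second time.
lxc_groups_complete() {
    cur=$1
    shift
    prefix=""
    token=$cur
    # Split at the LAST comma: everything up to and including it is kept as-is.
    # ",w"        -> prefix ","        token "w"   (leading comma)
    # "onboot,"   -> prefix "onboot,"  token ""    (trailing comma: offer all)
    # "onboot,,d" -> prefix "onboot,," token "d"   (embedded double comma)
    case $cur in
        *,*)
            prefix="${cur%,*},"
            token="${cur##*,}"
            ;;
    esac
    # Names before the cursor, space-padded so " name " matches whole words only.
    used=" $(printf '%s' "$prefix" | tr ',' ' ') "
    for g in "$@"; do
        case $used in *" $g "*) continue ;; esac
        # Quoted "$token" is matched literally; the unquoted * is the glob.
        case $g in "$token"*) printf '%s%s\n' "$prefix" "$g" ;; esac
    done
    return 0
}
```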
Use bash functions for common array operations. Keep code logic somewhat
easy to read for bug hunting.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
For options `-r,--restore` and `-d,--destroy`, we need the container
name to create the list of completion values.
Therefore, we need to scan the current command line to check whether
a container name is available.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
When a container name has whitespace in it
(e.g. created by `lxc-create -t download -n "arch linux"` ),
the completion for other commands should be able to work by adding a
backslash to escape it.
Although it may be interesting to support names between quotes, this
would probably mean having to add quotes to all names. Might not be
interesting just due to an edge case.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
Use regex to handle short option `-n`, since short options can be
combined (e.g. `-nd`) as long as at max one requires an argument.
Also consider the case when the arg for the long option is not given
together with `--name=`.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
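As an added example (not the lxc bash-completion code itself) covering both the command-line scan for a container name and the short-option handling described above, a POSIX sh function that finds the name given as `-n NAME`, as part of a combined short-option cluster such as `-dn NAME`, as `--name NAME` or as `--name=NAME`; the command lines in the test are constructed.

```shell
# Added example, not part of lxc. Scans the words of a command line and prints
# the container name given with -n/--name, or nothing if there is none.
#
# lxc_completion_name WORD...
#   Handles:  -n NAME        a lone short option
#             -dn NAME       short options combined in one cluster; the
#                            cluster may hold at most one option taking an
#                            argument, and here that is assumed to be -n
#             --name NAME    long option with a separate argument
#             --name=NAME    long option with an attached argument
lxc_completion_name() {
    want_arg=0
    for w in "$@"; do
        if [ "$want_arg" -eq 1 ]; then
            # Previous word was -n / --name, so this word is the name.
            printf '%s\n' "$w"
            return 0
        fi
        case $w in
            --name=*) printf '%s\n' "${w#--name=}"; return 0 ;;
            --name)   want_arg=1 ;;
            --*)      ;;             # other long options carry no name
            -*n*)     want_arg=1 ;;  # short-option cluster containing n
        esac
    done
    return 0
}
```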