
Without this, if the system uses shared subtrees by default (as systemd does), you get a large stream of `lxc-start: Permission denied - Failed to make /<mountpoint> rslave` / `lxc-start: Continuing...` messages, accompanied by `apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave"`, followed by eventual failure and a lot of leftover mounts on the host. https://launchpad.net/bugs/1325468
network,
capability,
file,
# The following 3 entries are only supported by recent apparmor versions.
# Comment them if the apparmor parser doesn't recognize them.
dbus,
signal,
ptrace,
# currently blocked by an apparmor bug
mount -> /usr/lib/*/lxc/{**,},
mount -> /usr/lib/lxc/{**,},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
# Needed when the host uses shared subtrees by default (e.g. systemd): lxc-start
# remounts / with (rw, slave). Without this rule that remount is denied
# (error=-13, "Failed to make /<mountpoint> rslave"), lxc-start continues anyway,
# and the eventual failed start leaves mounts behind on the host.
# See https://launchpad.net/bugs/1325468
mount options=(rw, slave) -> /,
mount fstype=debugfs,
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
mount -> /var/lib/lxc/{**,},
# required for some pre-mount hooks (like the new lxc-start-ephemeral)
mount fstype=overlayfs,
mount fstype=aufs,
mount fstype=ecryptfs,
# all umounts are under the original root's /mnt, but right now we
# can't allow those umounts after pivot_root. So allow all umounts
# right now. They'll be restricted for the container at least.
umount,
#umount /mnt/{**,},
# This may look a bit redundant, however it appears we need all of
# them if we want things to work properly on all combinations of kernel
# and userspace parser...
pivot_root /usr/lib/lxc/,
pivot_root /usr/lib/*/lxc/,
pivot_root /usr/lib/lxc/**,
pivot_root /usr/lib/*/lxc/**,
change_profile -> lxc-*,
# Permits lxc-start to transition to unconfined: a container started through
# this transition receives no AppArmor confinement from this profile (the
# lxc-* rule above is the path for confined containers).
change_profile -> unconfined,