Skip to content
Snippets Groups Projects
Commit eb3c133f authored by Emanuele Aina's avatar Emanuele Aina
Browse files

Drop the LXC OSTree containers 


In the past we started a proof-of-concept implementation of self-updating
OSTree-based LXC containers, but in the end the project which prompted this
development ended up updating containers from the host.

Since we have no planned use for them, they are not part of any formal release,
no test is performed on them and since they fell quite behind after the rebase
to Buster with several parts still commented out, let's drop them altogether.

Signed-off-by: Emanuele Aina's avatarEmanuele Aina <emanuele.aina@collabora.com>
parent c51b48d7
No related branches found
No related tags found
1 merge request!132Drop the LXC OSTree containers
Hide whitespace changes
Inline Side-by-side
Jenkinsfile
+ 3
43
View file @ eb3c133f
...@@ -43,7 +43,6 @@ def architectures = [ ...@@ -43,7 +43,6 @@ def architectures = [
image: true, image: true,
sysroot: false, sysroot: false,
ostree: true, ostree: true,
lxc: true,
], ],
target: [ target: [
args: "-t demopack:${demopack}", args: "-t demopack:${demopack}",
...@@ -356,29 +355,6 @@ def buildOStreeImage(architecture, type, board, debosarguments = "") { ...@@ -356,29 +355,6 @@ def buildOStreeImage(architecture, type, board, debosarguments = "") {
} }
} }
def buildContainer(architecture, type, board, debosarguments = "") {
def repo = "repo-${architecture}-${board}-${type}"
buildOStree(architecture, type, board, debosarguments, repo)
stage("${architecture} ${type} ${board} OStree pack") {
sh(script: """
cd ${PIPELINE_VERSION}/${architecture}/${type}
debos ${debosarguments} \
--show-boot \
-t architecture:${architecture} \
-t type:$type \
-t suite:$release \
-t repourl:${ostree_pull_url} \
-t osname:${osname} \
-t branch:${osname}/$release/${architecture}-${board}/${type} \
-t ospack:${osname}_ostree_${release}-${type}-${architecture}-${board}_${PIPELINE_VERSION} \
-t message:${release}-${type}-${architecture}-${type}-${board}_${PIPELINE_VERSION} \
-t ostree:${repo} \
-t collection_id:${collection_id} \
${WORKSPACE}/${osname}-ostree-pack.yaml""")
}
}
def buildSysroot(architecture, type, debosarguments = "") { def buildSysroot(architecture, type, debosarguments = "") {
sysrootname = "sysroot-${osname}-${release}-${architecture}-${env.PIPELINE_VERSION}" sysrootname = "sysroot-${osname}-${release}-${architecture}-${env.PIPELINE_VERSION}"
stage("${architecture} sysroot tarball") { stage("${architecture} sysroot tarball") {
...@@ -464,7 +440,7 @@ def buildInstallers(installerTargets) { ...@@ -464,7 +440,7 @@ def buildInstallers(installerTargets) {
* *
* @boards -- array with board names * @boards -- array with board names
*/ */
def buildImages(architecture, type, boards, debosarguments = "", image = true, sysroot = false, ostree = false, lxc = false, production = false) { def buildImages(architecture, type, boards, debosarguments = "", image = true, sysroot = false, ostree = false, production = false) {
return { return {
node("docker-slave") { node("docker-slave") {
checkout scm checkout scm
...@@ -482,7 +458,6 @@ def buildImages(architecture, type, boards, debosarguments = "", image = true, s ...@@ -482,7 +458,6 @@ def buildImages(architecture, type, boards, debosarguments = "", image = true, s
// Valid values atm: // Valid values atm:
// - image-apt-${board} -- for apt-based images // - image-apt-${board} -- for apt-based images
// - image-ostree-${board} -- for ostree-based images // - image-ostree-${board} -- for ostree-based images
// - lxc-ostree -- for LXC tarball
// - sysroot -- for sysroot tarball // - sysroot -- for sysroot tarball
def buildStatus = [:] def buildStatus = [:]
...@@ -516,17 +491,6 @@ def buildImages(architecture, type, boards, debosarguments = "", image = true, s ...@@ -516,17 +491,6 @@ def buildImages(architecture, type, boards, debosarguments = "", image = true, s
buildStatus["image-ostree-${board}"] = false buildStatus["image-ostree-${board}"] = false
} }
} }
if (lxc) {
/* Create ostree and tarball for container (board name = lxc) */
try {
buildContainer(architecture, type, "lxc", debosarguments)
buildStatus["lxc-ostree"] = true
} catch (e) {
// If image build failed -- do not fail other types but do not need to start tests for it
buildStatus["lxc-ostree"] = false
}
}
} }
if (sysroot) { if (sysroot) {
...@@ -558,10 +522,6 @@ def buildImages(architecture, type, boards, debosarguments = "", image = true, s ...@@ -558,10 +522,6 @@ def buildImages(architecture, type, boards, debosarguments = "", image = true, s
} }
} }
if(buildStatus["lxc-ostree"]) {
pushOstreeRepo(architecture, type, "lxc")
}
// Upload all other artifacts like ospacks and images if any // Upload all other artifacts like ospacks and images if any
uploadDirectory (env.PIPELINE_VERSION, "daily/${release}") uploadDirectory (env.PIPELINE_VERSION, "daily/${release}")
...@@ -610,12 +570,12 @@ buildCandidates.each { name, arch -> ...@@ -610,12 +570,12 @@ buildCandidates.each { name, arch ->
if (!params.requires) { if (!params.requires) {
/* first, build all jobs which don’t have any dependencies, in parallel */ /* first, build all jobs which don’t have any dependencies, in parallel */
first_pass << [("$name $type"): first_pass << [("$name $type"):
buildImages(name, type, merged.boards, merged.args, merged.image, merged.sysroot, merged.ostree, merged.lxc, production) buildImages(name, type, merged.boards, merged.args, merged.image, merged.sysroot, merged.ostree, production)
] ]
} else { } else {
/* second, build any jobs which depend on jobs from the first pass, also in parallel */ /* second, build any jobs which depend on jobs from the first pass, also in parallel */
second_pass << [("$name $type"): second_pass << [("$name $type"):
buildImages(name, type, merged.boards, merged.args, merged.image, merged.sysroot, merged.ostree, merged.lxc, production) buildImages(name, type, merged.boards, merged.args, merged.image, merged.sysroot, merged.ostree, production)
] ]
} }
} }
......
apertis-ospack-devroot.yaml
+ 0
21
View file @ eb3c133f
...@@ -5,7 +5,6 @@ ...@@ -5,7 +5,6 @@
{{- $timestamp := or .timestamp "" -}} {{- $timestamp := or .timestamp "" -}}
{{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}} {{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}}
{{- $ivitools := or .ivitools "enabled" -}} {{- $ivitools := or .ivitools "enabled" -}}
{{- $lxc := or .lxc "enabled" -}}
architecture: {{ $architecture }} architecture: {{ $architecture }}
...@@ -198,26 +197,6 @@ actions: ...@@ -198,26 +197,6 @@ actions:
#- tinwell #- tinwell
{{ end }} {{ end }}
{{ if eq $lxc "enabled" }}
# - action: apt
# description: "LXC packages"
# packages:
# - libpam-cgfs
# - lxc
# - lxc-templates
# - uidmap
# - action: overlay
# description: "Install the Apertis template to LXC"
# source: lxc/lxc-apertis-ostree
# destination: /usr/share/lxc/templates/lxc-apertis-ostree
# - action: run
# description: "Set executable bit on Apertis LXC template"
# chroot: true
# command: chmod a+x /usr/share/lxc/templates/lxc-apertis-ostree
{{ end }}
{{ if eq $ivitools "enabled" }} {{ if eq $ivitools "enabled" }}
# - action: apt # - action: apt
# description: "Development HMI packages" # description: "Development HMI packages"
......
apertis-ospack-minimal.yaml
+ 0
1
View file @ eb3c133f
...@@ -4,7 +4,6 @@ ...@@ -4,7 +4,6 @@
{{- $suite := or .suite "v2019dev0" -}} {{- $suite := or .suite "v2019dev0" -}}
{{- $timestamp := or .timestamp "" -}} {{- $timestamp := or .timestamp "" -}}
{{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}} {{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}}
{{- $lxc := or .lxc "enabled" -}}
{{- $pack := or .pack "true" -}} {{- $pack := or .pack "true" -}}
architecture: {{ $architecture }} architecture: {{ $architecture }}
......
apertis-ospack-sdk.yaml
+ 0
21
View file @ eb3c133f
...@@ -4,7 +4,6 @@ ...@@ -4,7 +4,6 @@
{{- $suite := or .suite "v2019dev0" -}} {{- $suite := or .suite "v2019dev0" -}}
{{- $timestamp := or .timestamp "" -}} {{- $timestamp := or .timestamp "" -}}
{{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}} {{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}}
{{- $lxc := or .lxc "enabled" -}}
{{- $pack := or .pack "true" }} {{- $pack := or .pack "true" }}
architecture: {{ $architecture }} architecture: {{ $architecture }}
...@@ -192,26 +191,6 @@ actions: ...@@ -192,26 +191,6 @@ actions:
- syncevolution - syncevolution
#- tinwell #- tinwell
{{ if eq $lxc "enabled" }}
- action: apt
description: "LXC packages"
packages:
- libpam-cgfs
#- lxc
#- lxc-templates
- uidmap
# - action: overlay
# description: "Install the Apertis template to LXC"
# source: lxc/lxc-apertis-ostree
# destination: /usr/share/lxc/templates/lxc-apertis-ostree
# - action: run
# description: "Set executable bit on Apertis LXC template"
# chroot: true
# command: chmod a+x /usr/share/lxc/templates/lxc-apertis-ostree
{{ end }}
# - action: apt # - action: apt
# description: "Development HMI packages" # description: "Development HMI packages"
# packages: # packages:
......
apertis-ospack-target.yaml
+ 0
1
View file @ eb3c133f
...@@ -5,7 +5,6 @@ ...@@ -5,7 +5,6 @@
{{- $timestamp := or .timestamp "" -}} {{- $timestamp := or .timestamp "" -}}
{{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}} {{- $ospack := or .ospack (printf "ospack_%s-%s-%s" $suite $architecture $type) -}}
{{- $ivitools := or .ivitools "enabled" -}} {{- $ivitools := or .ivitools "enabled" -}}
{{- $lxc := or .lxc "disabled" -}}
{{- $pack := or .pack "true" -}} {{- $pack := or .pack "true" -}}
architecture: {{ $architecture }} architecture: {{ $architecture }}
......
apertis-ostree-pack.yaml deleted 100644 → 0
+ 0
25
View file @ c51b48d7
{{- $architecture := or .architecture "amd64" }}
{{- $type := or .type "minimal" -}}
{{- $suite := or .suite "v2019dev0" -}}
{{- $ospack := or .ospack (printf "ostree-pack_%s-%s-%s" $suite $architecture $type) -}}
{{- $board := or .board "lxc" -}}
{{- $repourl := or .repourl "https://images.apertis.org/ostree/repo" -}}
{{- $osname := or .osname "apertis" -}}
{{- $branch := or .branch (printf "%s/%s/%s-%s/%s" $osname $suite $architecture $board $type) -}}
{{- $ostree := or .ostree "repo" -}}
architecture: {{ $architecture }}
actions:
- action: ostree-deploy
repository: {{ $ostree }}
remote_repository: {{ $repourl }}
branch: {{ $branch }}
os: {{ $osname }}
{{ if .collection_id }}
collection-id: {{ .collection_id }}
{{ end }}
- action: pack
compression: gz
file: {{ $ospack }}.tar.gz
lxc/lxc-apertis-ostree deleted 100755 → 0
+ 0
465
View file @ c51b48d7
#!/bin/sh
# Template for Apertis OStree-based container images.
#
# Copyright © 2017 Collabora Ltd.
set -u
# Apertis options
LONGOPTS="ospack:,force"
SHORTOPTS="o:f"
#LXC internal options
LONGOPTS="$LONGOPTS,name:,path:,rootfs:,mapped-uid:,mapped-gid:"
OPTS=$(getopt -o $SHORTOPTS -l $LONGOPTS -- "$@")
eval set -- "$OPTS"
# mandatory option
OSPACK=
FORCED=0
LXC_NAME=
LXC_PATH=
LXC_ROOTFS=
LXC_MAPPED_UID=
LXC_MAPPED_GID=
# Check if all needed binaries are available
BINARIES="wget tar"
rc=0
for f in $BINARIES; do
which $f 1>/dev/null 2>&1 && continue || :
echo "$f is required"
rc=1
done
[ $rc -eq 0 ] || exit 1
# Check options
while true; do
case "$1" in
-o|--ospack) OSPACK="$2"; shift 2;;
-f|--force) FORCED=1; shift 1;;
--name) LXC_NAME="$2"; shift 2;;
--path) LXC_PATH="$2"; shift 2;;
--rootfs) LXC_ROOTFS="$2"; shift 2;;
--mapped-uid) LXC_MAPPED_UID="$2"; shift 2;;
--mapped-gid) LXC_MAPPED_GID="$2"; shift 2;;
*) break;;
esac
done
if [ -z "$OSPACK" ]; then
echo "Please provide URL to download initial rootfs with '--ospack' argument."
exit 1
fi
TARBALL="${OSPACK##*/}"
if [ ! -f "$TARBALL" -o $FORCED -eq 1 ]; then
[ -f "$TARBALL" ] && rm -f "$TARBALL"
wget "$OSPACK"
fi
tar -x --exclude='dev/*' -f "$TARBALL" -C "$LXC_ROOTFS" >/dev/null 2>&1
lxc_conf_utsname="uts.name"
lxc_conf_pts="pty.max"
lxc_conf_net="net.0"
lxc_conf_net_ipv4="net.0.ipv4.address"
lxc_conf_apparmor="apparmor.profile"
# For different versions
LXC_VER=$(lxc-start --version | sed s/"\."//g)
if [ $LXC_VER -lt 210 ]; then
# Old syntax
lxc_conf_utsname="utsname"
lxc_conf_pts="pts"
lxc_conf_net="network"
lxc_conf_net_ipv4="network.ipv4"
lxc_conf_apparmor="aa_profile"
fi
#################### Config generation #############################
# Apertis specific configuration
# NB: Rootfs is added by lxc-create
cat <<E_O_F >> "$LXC_PATH"/config
lxc.$lxc_conf_utsname = $LXC_NAME
# Include default LXC configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.$lxc_conf_pts = 1024
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.mount.entry = tmpfs /dev/shm tmpfs defaults 0 0
lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0
lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
E_O_F
# Setup networking in case if default config does not provide it
if ! grep -q "^lxc.$lxc_conf_net.type" "$LXC_PATH"/config; then
cat <<E_O_F >> "$LXC_PATH"/config
lxc.$lxc_conf_net.type = veth
lxc.$lxc_conf_net.name = eth0
lxc.$lxc_conf_net.link = lxcbr0
lxc.$lxc_conf_net.flags = up
lxc.$lxc_conf_net_ipv4 = 10.0.3.138/24
E_O_F
fi
#################### Scripts #######################################
# Add hook script for rootfs re-mount
cat <<E_O_F >> "$LXC_PATH"/config
lxc.hook.pre-mount = $LXC_PATH/pre-mount.sh
lxc.hook.mount = $LXC_PATH/mount.sh
lxc.hook.stop = $LXC_PATH/stop.sh
E_O_F
cat > "$LXC_PATH"/pre-mount.sh <<"E_O_F"
#!/bin/sh
set -u
# Remove prefix from path to rootfs
LXC_ROOTFS_PATH=${LXC_ROOTFS_PATH#*:}
# TODO: remove this hack by cleaning the bit before 'lxc-destroy' call
# Remove immutable bit from deploy to allow correctly destroy the container with lxc-destroy
[ -d $LXC_ROOTFS_PATH/ostree/deploy/apertis/deploy ] && chattr -i $LXC_ROOTFS_PATH/ostree/deploy/apertis/deploy/* || :
# Read ostree target on current boot
BOOTCFG=$LXC_ROOTFS_PATH/boot/loader/entries/ostree-apertis-0.conf
OPTIONS=$(grep ^options $BOOTCFG | head -n1 | cut -d ' ' -f 2)
ostree=${OPTIONS#ostree=}
# if no ostree target -- boot to the default non-OStree OS
[ -z "$ostree" ] && exit 0
sysroot=$LXC_ROOTFS_PATH
# Adaptation of 'switchroot.sh' from ostree upstream:
# https://github.com/ostreedev/ostree/blob/master/src/switchroot/switchroot.sh
## the ostree boot parameter is avaialbe during the init
# ostree=/ostree/boot.1/.../.../0
## bind mount the ostree deployment to prepare it for move
mount --bind $sysroot$ostree $sysroot$ostree
## bind mount read-only /usr
mount --bind $sysroot$ostree/usr $sysroot$ostree/usr
mount --bind -o remount,ro $sysroot$ostree/usr $sysroot$ostree/usr
## bind mount the physical root
mount --bind $sysroot $sysroot$ostree/sysroot
## bind mount the var directory which is preserved between deployments
mount --bind $sysroot/ostree/deploy/apertis/var $sysroot$ostree/var
## make sure target directories are present within var
cd $sysroot$ostree/var
mkdir -p roothome mnt opt home
cd -
# make happy 'ostree' tool
mount --bind $sysroot/boot $sysroot$ostree/boot
## move the deployment to the sysroot
mount --move $sysroot$ostree $sysroot
## after these the init system should start the switch root process
# Do not need to switch root process for LXC hook!
## Hack a kernel command line for ostree in container
echo -e "ostree=$ostree" > $LXC_ROOTFS_PATH/cmdline
# Create namespace for container
mkdir -p /sys/kernel/security/apparmor/policy/namespaces/lxc-$LXC_NAME
E_O_F
cat > "$LXC_PATH"/mount.sh <<"E_O_F"
#!/bin/sh
set -eu
# Remove prefix from path to rootfs
LXC_ROOTFS_PATH=${LXC_ROOTFS_PATH#*:}
# Substitute command line in container allowing to detect OS properly
mount --bind $LXC_ROOTFS_PATH/cmdline $LXC_ROOTFS_MOUNT/proc/cmdline
E_O_F
cat > "$LXC_PATH"/stop.sh <<"E_O_F"
#!/bin/sh
set -u
# Remove prefix from path to rootfs
LXC_ROOTFS_PATH=${LXC_ROOTFS_PATH#*:}
# TODO: remove this hack by cleaning the bit before 'lxc-destroy' call
# Remove immutable bit from deploy to allow correctly destroy the container with lxc-destroy
[ -d $LXC_ROOTFS_PATH/ostree/deploy/apertis/deploy ] && chattr -i $LXC_ROOTFS_PATH/ostree/deploy/apertis/deploy/* || :
E_O_F
chmod 0755 "$LXC_PATH"/*.sh
#################### AppArmor ######################################
# Add custom apparmor configuration
# namespace is based on containr name with prefix `lxc-`
NAMESPACE="lxc-$LXC_NAME"
# Add configuration for Apparmor
cat <<E_O_F >> "$LXC_PATH"/config
lxc.$lxc_conf_apparmor = lxc-container-apertis//&:$NAMESPACE://unconfined
E_O_F
# Do not try to re-write apparmor profile
apparmor_profile=/etc/apparmor.d/lxc-container-apertis
[ -f $apparmor_profile ] && exit 0
# Add apparmor profile
# This has been taken from lxc-default-with-nesting
# to which were added rules from lxd
cat > "$apparmor_profile" <<EOF
#include <tunables/global>
profile lxc-container-apertis flags=(attach_disconnected,mediate_deleted) {
# AA_PROFILE_BASE (container-base without deny /s/k/security)
network,
capability,
file,
umount,
# dbus, signal, ptrace and unix are only supported by recent apparmor
# versions. Comment them if the apparmor parser doesn't recognize them.
# This also needs additional rules to reach outside of the container via
# DBus, so just let all of DBus within the container.
dbus,
# Allow us to receive signals from anywhere. Note: if per-container profiles
# are supported, for container isolation this should be changed to something
# like:
# signal (receive) peer=unconfined,
# signal (receive) peer=/usr/bin/lxc-start,
signal (receive),
# Allow us to send signals to ourselves
signal peer=@{profile_name},
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace ourselves
ptrace peer=@{profile_name},
# Allow receive via unix sockets from anywhere. Note: if per-container
# profiles are supported, for container isolation this should be changed to
# something like:
# unix (receive) peer=(label=unconfined),
unix (receive),
# Allow all unix in the container
unix peer=(label=@{profile_name}),
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
deny mount options=(ro, remount, silent) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow hugetlbfs mounts everywhere
mount fstype=hugetlbfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse,
mount fstype=fuse.*,
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/kcore rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/sysrq-trigger rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
audit /sys/kernel/security/apparmor/** rwklix,
# Apertis end
mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
# deny reads from debugfs
# deny /sys/kernel/debug/{,**} rwklx,
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
# mount options=(rw,make-rslave) -> **,
# mount options=(rw,make-shared) -> **,
# mount options=(rw,make-rshared) -> **,
# mount options=(rw,make-private) -> **,
# mount options=(rw,make-rprivate) -> **,
# mount options=(rw,make-unbindable) -> **,
# mount options=(rw,make-runbindable) -> **,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
mount options=(rw,bind) /d[^e]*{,/**},
mount options=(rw,bind) /de[^v]*{,/**},
mount options=(rw,bind) /dev/.[^l]*{,/**},
mount options=(rw,bind) /dev/.l[^x]*{,/**},
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
mount options=(rw,bind) /dev/.lxc?*{,/**},
mount options=(rw,bind) /dev/[^.]*{,/**},
mount options=(rw,bind) /dev?*{,/**},
mount options=(rw,bind) /p[^r]*{,/**},
mount options=(rw,bind) /pr[^o]*{,/**},
mount options=(rw,bind) /pro[^c]*{,/**},
mount options=(rw,bind) /proc?*{,/**},
mount options=(rw,bind) /s[^y]*{,/**},
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
mount options=(rw,move) /de[^v]*{,/**},
mount options=(rw,move) /dev/.[^l]*{,/**},
mount options=(rw,move) /dev/.l[^x]*{,/**},
mount options=(rw,move) /dev/.lx[^c]*{,/**},
mount options=(rw,move) /dev/.lxc?*{,/**},
mount options=(rw,move) /dev/[^.]*{,/**},
mount options=(rw,move) /dev?*{,/**},
mount options=(rw,move) /p[^r]*{,/**},
mount options=(rw,move) /pr[^o]*{,/**},
mount options=(rw,move) /pro[^c]*{,/**},
mount options=(rw,move) /proc?*{,/**},
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
# Configuration: apparmor profile loading (in namespace)
# Extracted from lxd/apparmor.go getAAProfileContent
# Block everything in /sys/kernel/security that is not apparmor
audit /sys/kernel/security/apparmor/** rwklix,
audit deny /sys/k[^e]*{,/**} wklx,
audit deny /sys/ke[^r]*{,/**} wklx,
audit deny /sys/ker[^n]*{,/**} wklx,
audit deny /sys/kern[^e]*{,/**} wklx,
audit deny /sys/kerne[^l]*{,/**} wklx,
audit deny /sys/kernel/[^sd]*{,/**} wklx,
audit deny /sys/kernel/s[^e]*{,/**} wklx,
audit deny /sys/kernel/se[^c]*{,/**} wklx,
audit deny /sys/kernel/sec[^u]*{,/**} wklx,
audit deny /sys/kernel/secu[^r]*{,/**} wklx,
audit deny /sys/kernel/secur[^i]*{,/**} wklx,
audit deny /sys/kernel/securi[^t]*{,/**} wklx,
audit deny /sys/kernel/securit[^y]*{,/**} wklx,
audit deny /sys/kernel/security/[^a]*{,/**} wklx,
audit deny /sys/kernel/security/a[^p]*{,/**} wklx,
audit deny /sys/kernel/security/ap[^p]*{,/**} wklx,
audit deny /sys/kernel/security/app[^a]*{,/**} wklx,
audit deny /sys/kernel/security/appa[^r]*{,/**} wklx,
audit deny /sys/kernel/security/appar[^m]*{,/**} wklx,
audit deny /sys/kernel/security/apparm[^o]*{,/**} wklx,
audit deny /sys/kernel/security/apparmo[^r]*{,/**} wklx,
audit deny /sys/kernel/security/apparmor?*{,/**} wklx,
audit deny /sys/kernel/security?*{,/**} wklx,
audit deny /sys/kernel?*{,/**} wklx,
change_profile -> :lxc-apertis-nesting://*,
# AA_PROFILE_NESTING (similar to lxc-default-with-nesting)
deny /dev/.lxc/proc/** rw,
deny /dev/.lxc/sys/** rw,
mount fstype=proc -> /var/cache/lxc/**,
mount fstype=sysfs -> /var/cache/lxc/**,
mount options=(rw,bind),
mount fstype=cgroup -> /sys/fs/cgroup/**,
# AA_PROFILE_UNPRIVILEGED
mount options=(rw,make-slave) -> **,
mount options=(rw,make-rslave) -> **,
mount options=(rw,make-shared) -> **,
mount options=(rw,make-rshared) -> **,
mount options=(rw,make-private) -> **,
mount options=(rw,make-rprivate) -> **,
mount options=(rw,make-unbindable) -> **,
mount options=(rw,make-runbindable) -> **,
mount options=(rw,bind),
mount options=(rw,rbind),
}
EOF
# Load and regenerate apparmor cache
apparmor_parser --skip-read-cache --write-cache -r $apparmor_profile
# Regenerate AppArmor cache (T4539)
/lib/apparmor/recache-profiles
exit 0
lxc/readme.md deleted 100644 → 0
+ 0
22
View file @ c51b48d7
LXC template generates configuration file for container, pre-mount hook and AppArmour profile.
Template is compatible with LXC upstream, so tools from LXC should be used to create/start/stop/destroy the container.
# Create container:
sudo lxc-create -t $PWD/lxc-apertis-ostree --name apertis-test -- --ospack "https://images.apertis.org/lxc/17.12/20171230.0/lxc-ostree-17.12-amd64-minimal_20171230.0"
options:
- -t -- use template named `lxc-apertis-ostree` from current directory
- -P -- Use an alternate container path. The default is /var/lib/lxc
- --name -- name of container
- -- separator. Options for template must be added after this separator
- --ospack -- URL to download the initial image
# Start the container in foreground mode:
sudo lxc-start -F --name apertis-test
Pull the ostree, deploy and reboot into deployed OS tree:
sudo ostree admin upgrade -r
# Destroy the container and associated configuration:
sudo lxc-destroy --name apertis-test
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
Apertis Website Terms of Use Privacy Policy