If I set my container as privileged, I cannot access /sys/kernel from the container:
root@vppjordan:~# ls /sys/kernel/
Here is the list of permissions of /sys folder in the container:
root@vppjordan:~# ls -la /sys/
Here is the container's lxc.conf file:
lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
If you really need to access it, you can turn apparmor off, though note that giving direct access to things like debugfs will allow you to escape the container and become root on the host.
To turn off apparmor, you can do:
@acompagn unfortunately, not really... We do allow you to append to the generated apparmor profile with raw.apparmor but because apparmor lacks an "allow" keyword which would override any existing "deny" pattern, you can't unblock something which was directly blocked :(
An option, but unfortunately a rather painful one, would be to copy the generated apparmor profile (from /var/lib/lxd/security/apparmor/...) to /etc/apparmor.d/, change its name and allow the path you need by changing the patterns in there, then have apparmor load that profile ("/etc/init.d/apparmor reload") and finally set "raw.lxc" to "lxc.aa_profile=name-of-your-profile".
Basically forcing LXD to use a pre-existing profile that you control rather than generate a new one for you.
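The procedure described in the reply above, as an added example that is not from this thread or from LXD itself: a POSIX shell function that takes a generated profile on stdin, renames it, and rewrites the single deny pattern for the path you need while leaving every other deny rule (including the debugfs one the reply warns about) untouched. The sample profile text, the name lxd-c1-custom and the derive_profile helper are assumptions, not LXD's real generated output.

```shell
#!/bin/sh
# Constructed stand-in for a profile under /var/lib/lxd/security/apparmor/,
# not a real LXD-generated profile.
SAMPLE_PROFILE='#include <tunables/global>
profile "lxd-c1_</var/lib/lxd>" flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny /sys/kernel/** rwklx,
  deny /sys/kernel/debug/** rwklx,
  deny /sys/firmware/efi/efivars/** rwklx,
}'

# derive_profile NEW_NAME ALLOWED_PATH  (profile text on stdin, result on stdout)
# 1. replaces the name in the "profile ..." header with NEW_NAME
# 2. turns the one deny rule whose pattern is exactly ALLOWED_PATH/** into a
#    read-only rule; all other deny rules are printed unchanged, and since an
#    AppArmor deny always wins over an allow, /sys/kernel/debug stays blocked
derive_profile() {
    new_name=$1
    allow_path=$2
    awk -v name="$new_name" -v path="$allow_path/**" '
        /^profile "/ { sub(/^profile "[^"]*"/, "profile \"" name "\"") }
        $1 == "deny" && $2 == path { print "  " path " r,"; next }
        { print }
    '
}

# Demo on the constructed profile. On a real host you would feed it the
# generated file, write the output to /etc/apparmor.d/NEW_NAME, run
# "/etc/init.d/apparmor reload" and set raw.lxc to lxc.aa_profile=NEW_NAME.
printf '%s\n' "$SAMPLE_PROFILE" | derive_profile "lxd-c1-custom" "/sys/kernel"
```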