disable all lxc apparmor security #3096
Comments
Then restart the container and it won't have an apparmor profile anymore. Though if all you care about is allowing nfs inside a privileged container, you can also just tweak the apparmor policy with:
stgraber closed this Mar 22, 2017
gstanden commented Nov 16, 2017
Hey, just a note that in some work totally unrelated to this thread, I discovered that "lxc.aa_profile=unconfined" in an LXC config in an Ubuntu 17.04 Desktop or 17.10 Desktop environment will bork external monitors every time you stop or start the container that has "lxc.aa_profile=unconfined" set. Just an FYI. Environment is LXC containers running on OpenvSwitch with a containerized DNS/DHCP (not using the default dnsmasq nor the lxcbr0).
That's not particularly surprising, especially if the container is privileged. There aren't many init scripts that are particularly container aware during start and shutdown; the way things usually work is that those scripts deal nicely with failure, and so attempt to reconfigure hardware but just aren't allowed to do so. Without apparmor in place, init scripts in privileged containers are actually allowed to directly interact with a number of subsystems (/sys is the likely bet in this case) and so may reset a number of devices.
teknopaul commented Mar 22, 2017
Required information
driver: lxc
driverversion: 2.0.7
kernel: Linux
kernelarchitecture: x86_64
kernelversion: 4.8.0-22-generic
server: lxd
serverpid: 1155
serverversion: 2.4.1
storage: dir
storageversion: ""
Issue description
Is there any way to disable all lxc apparmor security? I'm not interested in security in containers. I just want virtualization of different distros on a VM for demo applications, not any security "benefits", since they stop me doing work. Currently apparmor is preventing me from mounting NFS across containers. A fix for that would be good too, but I'd also like minimal security annoyances since there is nothing to be secured in these systems at all. LXC containers we built with root.
Steps to reproduce
mount -vvv 10.0.2.15:/var/shared /var/shared
...
mount.nfs: access denied by server while mounting 10.0.2.15:/var/shared
Mar 22 12:23:13 puppetdev kernel: [ 7638.020284] audit: type=1400 audit(1490181793.280:102): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/var/shared/" pid=11846 comm="mount.nfs" fstype="nfs" srcname="10.0.2.15:/var/shared"
Attempting to uninstall apparmor is not possible; it wants to uninstall systemd too.
invoke-rc.d apparmor stop
/etc/init.d/apparmor stop
aa-complain /etc/apparmor.d/*
After running these I'm still getting apparmor="DENIED".
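As an added example (not code from the issue or from LXD), a small Python parser for the AppArmor audit record format quoted above: it pulls the key="value" fields out of kernel log lines and lists mount operations by verdict, so a denial like this one can be picked up from a log feed instead of by eye. The first sample line is the record from the issue; the other three sample lines are constructed here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first record is the audit line quoted in the
# issue; the other three are made up here to exercise the parser.
SAMPLE_LINES = [
    'Mar 22 12:23:13 puppetdev kernel: [ 7638.020284] audit: type=1400 '
    'audit(1490181793.280:102): apparmor="DENIED" operation="mount" '
    'info="failed type match" error=-13 profile="lxc-container-default-cgns" '
    'name="/var/shared/" pid=11846 comm="mount.nfs" fstype="nfs" '
    'srcname="10.0.2.15:/var/shared"',
    'Mar 22 12:23:14 puppetdev kernel: [ 7638.100000] eth0: link becomes ready',
    'Mar 22 12:25:01 puppetdev kernel: [ 7745.000000] audit: type=1400 '
    'audit(1490181901.000:103): apparmor="ALLOWED" operation="mount" '
    'info="failed type match" error=-13 profile="lxc-container-default-cgns" '
    'name="/mnt/" pid=11900 comm="mount.nfs" fstype="nfs" srcname="10.0.2.15:/srv"',
    'Mar 22 12:26:00 puppetdev kernel: [ 7804.000000] audit: type=1400 '
    'audit(1490181960.000:104): apparmor="DENIED" operation="open" '
    'profile="lxc-container-default-cgns" name="/proc/sysrq-trigger" pid=11950 '
    'comm="cat" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
]

# key="quoted value" or key=bare_value (error=-13, pid=11846, type=1400)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_audit(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit record, or None when
    the line is not one. Quotes are stripped; bare values stay as strings.
    In the record above, error=-13 is EACCES and info="failed type match"
    says no mount rule in the profile covers this fstype/source combination."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def mount_verdicts(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(verdict, profile, fstype, srcname) for every AppArmor mount record.
    DENIED means the kernel refused the mount; ALLOWED is what a profile in
    complain mode (aa-complain) logs when it lets the mount through."""
    out = []
    for line in lines:
        f = parse_apparmor_audit(line)
        if f and f.get('operation') == 'mount':
            out.append((f['apparmor'], f['profile'], f.get('fstype', '?'), f.get('srcname', '?')))
    return out
```

Feeding it the output of `journalctl -k` or `dmesg` shows whether a profile is actually enforcing (DENIED) or merely logging in complain mode (ALLOWED).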