841.

LXC ships with a few alternate policies for containers. If you wish to run containers inside containers (nesting), then you can use the lxc-container-default-with-nesting profile by adding the following line to the container configuration file:
<screen>
lxc.aa_profile = lxc-container-default-with-nesting
</screen>
If you wish to use libvirt inside containers, then you will need to edit that policy (which is defined in <filename>/etc/apparmor.d/lxc/lxc-default-with-nesting</filename>) by uncommenting the following line:
<screen>
mount fstype=cgroup -> /sys/fs/cgroup/**,
</screen>
and re-load the policy.

(no translation yet)

Located in
serverguide/C/virtualization.xml:2354(para)

842.

Note that the nesting policy with privileged containers is far less safe than the default policy, as it allows containers to re-mount <filename>/sys</filename> and <filename>/proc</filename> in nonstandard locations, bypassing AppArmor protections. Unprivileged containers do not have this drawback, since the container root cannot write to root-owned <filename>proc</filename> and <filename>sys</filename> files.

(no translation yet)

Located in
serverguide/C/virtualization.xml:2371(para)
843.
|
|
|
Another profile shipped with lxc allows containers to mount block filesystem types like ext4. This can be useful in some cases like maas provisioning, but is deemed generally unsafe since the superblock handlers in the kernel have not been audited for safe handling of untrusted input.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/virtualization.xml:2379(para)
|
|
844.
|
|
|
If you need to run a container in a custom profile, you can create a new profile under <filename>/etc/apparmor.d/lxc/</filename>. Its name must start with <filename>lxc-</filename> in order for <command>lxc-start</command> to be allowed to transition to that profile. The <filename>lxc-default</filename> profile includes the re-usable abstractions file <filename>/etc/apparmor.d/abstractions/lxc/container-base</filename>. An easy way to start a new profile therefore is to do the same, then add extra permissions at the bottom of your policy.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/virtualization.xml:2385(para)
|
|
845.
|
|
|
After creating the policy, load it using:
|
|
|
|
После создания политики загрузите её, используя команду:
|
|
Translated and reviewed by
Aleksey Kabanov
|
|
|
|
Located in
serverguide/C/virtualization.xml:2396(para)
|
|
846.
|
|
|
sudo apparmor_parser -r /etc/apparmor.d/lxc-containers
|
|
|
represents a line break.
Start a new line in the equivalent position in the translation.
|
|
|
|
sudo apparmor_parser -r /etc/apparmor.d/lxc-containers
|
|
Translated by
Anton Patsev
|
|
Reviewed by
Anton Patsev
|
|
|
|
Located in
serverguide/C/virtualization.xml:2398(screen)
|
|
847.
|
|
|
The profile will automatically be loaded after a reboot, because it is sourced by the file <filename>/etc/apparmor.d/lxc-containers</filename>. Finally, to make container <filename>CN</filename> use this new <filename>lxc-CN-profile</filename>, add the following line to its configuration file:
|
|
|
|
Профиль автоматически загрузится после перезагрузки системы, поскольку его содержимое учтено в <filename>/etc/apparmor.d/lxc-containers</filename>. Наконец, чтобы заставить контейнер <filename>CN</filename> использовать новый профиль <filename>lxc-CN-profile</filename>, добавьте следующие строки в его файл настройки:
|
|
Translated by
Anton Patsev
|
|
Reviewed by
Anton Patsev
|
|
|
|
Located in
serverguide/C/virtualization.xml:2402(para)
|
|
848.
|
|
|
lxc.aa_profile = lxc-CN-profile
|
|
|
represents a line break.
Start a new line in the equivalent position in the translation.
|
|
|
|
lxc.aa_profile = lxc-CN-profile
|
|
Translated by
Anton Patsev
|
|
Reviewed by
Anton Patsev
|
|
|
|
Located in
serverguide/C/virtualization.xml:2409(screen)
|
|
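Entries 844 to 848 describe one procedure: create a profile under /etc/apparmor.d/lxc/ whose name starts with lxc-, include the container-base abstraction, append the extra permissions, reload the policy with apparmor_parser, and point the container at the profile via lxc.aa_profile. The script below carries that procedure through end to end. It is an added example, not text from the Ubuntu Server Guide and not LXC's own code. It assumes the profile header syntax `profile NAME flags=(attach_disconnected,mediate_deleted) { ... }` used by the lxc-default profile LXC ships, the guide's lxc.aa_profile configuration key, a hypothetical read-only data directory /srv/<CN>-data as the "extra permission" added below the abstraction, and an optional alternate policy root so the file generation can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide or LXC): build a custom
# LXC AppArmor profile the way the guide describes, then load it.
# Assumptions: profile header syntax as in LXC's shipped lxc-default profile;
# the container config key is the guide's lxc.aa_profile; the policy root
# defaults to /etc/apparmor.d but may be overridden for testing.

# Print the profile body for container $1. The profile is named
# lxc-<CN>-profile, so it carries the lxc- prefix that lxc-start requires
# before it will transition into it.
make_profile() {
  cn="$1"
  cat <<EOF
# Custom AppArmor profile for container ${cn} (generated example)
profile lxc-${cn}-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # Extra permissions go below the abstraction. Keep them explicit and
  # narrow; this hypothetical rule only grants reads under /srv/${cn}-data.
  /srv/${cn}-data/** r,
}
EOF
}

# Write the profile into <policy root>/lxc/ and print the resulting path.
install_profile() {
  cn="$1"
  root="${2:-/etc/apparmor.d}"
  mkdir -p "${root}/lxc"
  path="${root}/lxc/lxc-${cn}-profile"
  make_profile "$cn" > "$path"
  printf '%s\n' "$path"
}

# Enforce the naming rule from the guide: the file name must start with lxc-.
profile_name_ok() {
  case "$(basename "$1")" in
    lxc-*) return 0 ;;
    *) return 1 ;;
  esac
}

# The line to add to the container's configuration file.
config_line() {
  printf 'lxc.aa_profile = lxc-%s-profile\n' "$1"
}

# Reload the policy. /etc/apparmor.d/lxc-containers sources the lxc/
# directory, so reloading it picks up the new file. Needs root and
# apparmor_parser; skipped (with a notice) where the parser is absent.
load_policy() {
  root="${1:-/etc/apparmor.d}"
  if command -v apparmor_parser >/dev/null 2>&1; then
    sudo apparmor_parser -r "${root}/lxc-containers"
  else
    echo "apparmor_parser not available; policy not loaded" >&2
    return 0
  fi
}

# Usage: sh make-lxc-profile.sh CN   (as root, against the real /etc/apparmor.d)
if [ -n "${1:-}" ]; then
  p=$(install_profile "$1")
  profile_name_ok "$p" && load_policy && config_line "$1"
fi
```

Run against a scratch root (second argument to install_profile) to inspect the generated file before touching /etc/apparmor.d; on the real system the reload step is the same `sudo apparmor_parser -r /etc/apparmor.d/lxc-containers` the guide gives, and the profile survives a reboot because lxc-containers sources it.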
849.
|
|
|
Control Groups
|
|
|
|
Группы управления
|
|
Translated by
Anton Patsev
|
|
Reviewed by
Anton Patsev
|
|
|
|
Located in
serverguide/C/virtualization.xml:2417(title) serverguide/C/cgroups.xml:11(title)
|
|
850.
|
|
|
Control groups (cgroups) are a kernel feature providing hierarchical task grouping and per-cgroup resource accounting and limits. They are used in containers to limit block and character device access and to freeze (suspend) containers. They can be further used to limit memory use and block i/o, guarantee minimum cpu shares, and to lock containers to specific cpus.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
serverguide/C/virtualization.xml:2419(para)
|