831.
LXC ships with a default Apparmor profile intended to protect the host from accidental misuses of privilege inside the container. For instance, the container will not be able to write to <filename>/proc/sysrq-trigger</filename> or to most <filename>/sys</filename> files.
(no translation yet)
Located in
serverguide/C/virtualization.xml:2308(para)
832.
The <filename>usr.bin.lxc-start</filename> profile is entered by running <command>lxc-start</command>. This profile mainly prevents <command>lxc-start</command> from mounting new filesystems outside of the container's root filesystem. Before executing the container's <command>init</command>, <command>LXC</command> requests a switch to the container's profile. By default, this profile is the <filename>lxc-container-default</filename> policy which is defined in <filename>/etc/apparmor.d/lxc/lxc-default</filename>. This profile prevents the container from accessing many dangerous paths, and from mounting most filesystems.
The <filename>usr.bin.lxc-start</filename> profile is used when <command>lxc-start</command> is run. This profile mainly prevents <command>lxc-start</command> from mounting new filesystems outside the container's root filesystem. Before the container's <command>init</command> is started, <command>LXC</command> requests a switch to the container's profile. By default the <filename>lxc-container-default</filename> profile, defined in <filename>/etc/apparmor.d/lxc/lxc-default</filename>, is used. This profile denies the container access to many dangerous directories and prevents it from mounting most filesystems.
Translated by
Anton Patsev
Reviewed by
Anton Patsev
Located in
serverguide/C/virtualization.xml:2314(para)
833.
Programs in a container cannot be further confined - for instance, MySQL runs under the container profile (protecting the host) but will not be able to enter the MySQL profile (to protect the container).
(no translation yet)
Located in
serverguide/C/virtualization.xml:2325(para)
834.
<command>lxc-execute</command> does not enter an Apparmor profile, but the container it spawns will be confined.
<command>lxc-execute</command> does not look at an Apparmor profile, but the container it spawns will be confined.
Translated by
Anton Patsev
Reviewed by
Anton Patsev
Located in
serverguide/C/virtualization.xml:2330(para)
835.
Customizing container policies
Customizing container policies
Translated by
q_i
Reviewed by
Anton Patsev
Located in
serverguide/C/virtualization.xml:2333(title)
836.
If you find that <command>lxc-start</command> is failing due to a legitimate access which is being denied by its Apparmor policy, you can disable the lxc-start profile by doing:
If you find that <command>lxc-start</command> is failing because of a legitimate access attempt that is blocked by the Apparmor policy, you can disable the lxc-start profile as follows:
Translated by
Aleksey Kabanov
Located in
serverguide/C/virtualization.xml:2334(para)
837.
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/
Translated by
Anton Patsev
Reviewed by
Anton Patsev
Located in
serverguide/C/virtualization.xml:2338(screen)
838.
This will make <command>lxc-start</command> run unconfined, but continue to confine the container itself. If you also wish to disable confinement of the container, then in addition to disabling the <filename>usr.bin.lxc-start</filename> profile, you must add:
This will allow <command>lxc-start</command> to run unconfined, but will continue to confine the container itself. If you also want to remove confinement from the container, then in addition to disabling the <filename>usr.bin.lxc-start</filename> profile you will need to add the following to the container's configuration file:
Translated by
Aleksey Kabanov
Located in
serverguide/C/virtualization.xml:2343(para)
839.
lxc.aa_profile = unconfined
lxc.aa_profile = unconfined
Translated by
Anton Patsev
Reviewed by
Anton Patsev
Located in
serverguide/C/virtualization.xml:2348(screen)
840.
to the container's configuration file.
(no translation yet)
Located in
serverguide/C/virtualization.xml:2352(para)
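Added example, not part of the Ubuntu Server Guide and not LXC's own code: a POSIX shell audit of the two AppArmor layers described in entries 832 and 836 to 840. It reports whether the <filename>usr.bin.lxc-start</filename> profile has been switched off (a link in <filename>/etc/apparmor.d/disabled/</filename>, as the guide's procedure creates) and which profile the container's own <command>init</command> will be switched to (<filename>lxc-container-default</filename> when <literal>lxc.aa_profile</literal> is absent, <literal>unconfined</literal> when confinement has been turned off). The apparmor.d directory and the config path are parameters and the sample configs are constructed in a temporary directory, so it runs offline without LXC installed. Two assumptions are made here rather than stated by the guide: when the key appears more than once the last line wins, and the key name <literal>lxc.aa_profile</literal> is the one used by the LXC release this guide covers; later LXC releases renamed it <literal>lxc.apparmor.profile</literal>, so adjust the pattern for newer configs.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide or from LXC: audit the two
# AppArmor layers the guide describes for an LXC container.
#   1. usr.bin.lxc-start, disabled by symlinking it into apparmor.d/disabled/
#   2. the container's own profile, chosen by lxc.aa_profile in its config
#      (lxc-container-default when the key is absent, "unconfined" to turn it off)
# Directory and config paths are parameters so the check runs offline.

# effective_container_profile CONFIG
# Prints the profile the container's init will be switched to.
# Assumption (not from the guide): if the key appears more than once, the last line wins.
effective_container_profile() {
    ecp_value=$(sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*//p' "$1" \
                | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$ecp_value" ]; then
        echo "lxc-container-default"   # LXC's default profile, per the guide
    else
        echo "$ecp_value"
    fi
}

# lxc_start_profile_state APPARMOR_DIR
# Prints enforced, disabled or absent for the usr.bin.lxc-start profile,
# following the guide's convention that a link in disabled/ switches it off.
lxc_start_profile_state() {
    lsp_disabled="$1/disabled/usr.bin.lxc-start"
    if [ -L "$lsp_disabled" ] || [ -e "$lsp_disabled" ]; then
        echo "disabled"
    elif [ -f "$1/usr.bin.lxc-start" ]; then
        echo "enforced"
    else
        echo "absent"
    fi
}

# audit_confinement CONFIG APPARMOR_DIR
# Prints a one-line summary; returns 0 only if both layers are still on.
audit_confinement() {
    ac_profile=$(effective_container_profile "$1")
    ac_start=$(lxc_start_profile_state "$2")
    echo "lxc-start profile: $ac_start; container profile: $ac_profile"
    ac_status=0
    [ "$ac_start" = "enforced" ] || ac_status=1
    [ "$ac_profile" != "unconfined" ] || ac_status=1
    return $ac_status
}

# Demo on constructed input (a temporary directory, not a real host).
demo=$(mktemp -d)
mkdir -p "$demo/apparmor.d/disabled"
: > "$demo/apparmor.d/usr.bin.lxc-start"
printf 'lxc.utsname = web1\nlxc.rootfs = /var/lib/lxc/web1/rootfs\n' > "$demo/web1.conf"
printf 'lxc.utsname = web2\n# lxc.aa_profile = lxc-container-default\nlxc.aa_profile = unconfined\n' > "$demo/web2.conf"
audit_confinement "$demo/web1.conf" "$demo/apparmor.d" && echo "web1: both layers on"
# Apply the guide's disable step to the fake tree and re-check the unconfined container.
ln -s "$demo/apparmor.d/usr.bin.lxc-start" "$demo/apparmor.d/disabled/"
audit_confinement "$demo/web2.conf" "$demo/apparmor.d" || echo "web2: confinement switched off, host relies on the kernel alone"
rm -rf "$demo"
```

On a real host the call is <command>audit_confinement /var/lib/lxc/NAME/config /etc/apparmor.d</command> (the usual LXC config location); a non-zero exit means one of the two layers has been switched off, which is the condition a deployment check should fail on. The check reads only configuration, so after a change it is still worth confirming at runtime with <command>aa-status</command> that the container's processes really are in the expected profile.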