834.

<command>lxc-execute</command> does not enter an AppArmor profile, but the container it spawns will be confined.

Translation (from Russian): <command>lxc-execute</command> does not enter an AppArmor profile, but the container it spawns will be confined.

Translated by Anton Patsev
Reviewed by Anton Patsev
Located in serverguide/C/virtualization.xml:2330(para)

835.

Customizing container policies

Translation (from Russian): Customizing container policies

Translated by q_i
Reviewed by Anton Patsev
Located in serverguide/C/virtualization.xml:2333(title)

836.

If you find that <command>lxc-start</command> is failing due to a legitimate access which is being denied by its AppArmor policy, you can disable the lxc-start profile by doing:

Translation (from Russian): If you find that <command>lxc-start</command> fails because a legitimate access is being blocked by its AppArmor policy, you can disable the lxc-start profile as follows:

Translated by Aleksey Kabanov
Located in serverguide/C/virtualization.xml:2334(para)

837.

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/

Translation: identical to the source (a screen block with no translatable text).

Translated by Anton Patsev
Reviewed by Anton Patsev
Located in serverguide/C/virtualization.xml:2338(screen)

838.

This will make <command>lxc-start</command> run unconfined, but continue to confine the container itself. If you also wish to disable confinement of the container, then in addition to disabling the <filename>usr.bin.lxc-start</filename> profile, you must add:

Translation (from Russian): This will let <command>lxc-start</command> run unconfined, but will continue to confine the container itself. If you also want to lift confinement from the container, then in addition to disabling the <filename>usr.bin.lxc-start</filename> profile you need to add the following to the container's configuration file:

Translated by Aleksey Kabanov
Located in serverguide/C/virtualization.xml:2343(para)

839.

lxc.aa_profile = unconfined

Translation: identical to the source (a screen block with no translatable text).

Translated by Anton Patsev
Reviewed by Anton Patsev
Located in serverguide/C/virtualization.xml:2348(screen)

840.

to the container's configuration file.

(no translation yet)

Located in serverguide/C/virtualization.xml:2352(para)

841.

LXC ships with a few alternate policies for containers. If you wish to run containers inside containers (nesting), then you can use the lxc-container-default-with-nesting profile by adding the following line to the container configuration file:
<screen>
lxc.aa_profile = lxc-container-default-with-nesting
</screen>
If you wish to use libvirt inside containers, then you will need to edit that policy (which is defined in <filename>/etc/apparmor.d/lxc/lxc-default-with-nesting</filename>) by uncommenting the following line:
<screen>
mount fstype=cgroup -> /sys/fs/cgroup/**,
</screen>
and re-load the policy.

(no translation yet)

Located in serverguide/C/virtualization.xml:2354(para)

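The following POSIX shell helpers are an added worked example, not code from the Ubuntu Server Guide or the LXC project. They wrap the procedure in entries 836 through 841: unloading and disabling the lxc-start profile, reading and setting lxc.aa_profile in a container config without leaving a duplicate key behind, and uncommenting the cgroup mount rule in the nesting policy before reloading it. Assumptions: LXC 1.x configuration keys (LXC 2.1 and later renamed lxc.aa_profile to lxc.apparmor.profile), Ubuntu's layout under /etc/apparmor.d with the profiles in lxc/ loaded through /etc/apparmor.d/lxc-containers, and root privileges for the real paths. APPARMOR_D and APPARMOR_PARSER are overridable so the functions can be exercised against a scratch directory; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide or LXC): helpers for the
# lxc-start / container AppArmor steps. Assumes LXC 1.x keys (lxc.aa_profile)
# and Ubuntu's /etc/apparmor.d layout; both are overridable for dry runs.
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# Unload a profile from the kernel and mark it disabled so it is not loaded
# again at boot: the two commands from the guide, parameterised on the profile
# file name (e.g. usr.bin.lxc-start). Needs root against the real paths.
apparmor_disable_profile() {
    prof="$APPARMOR_D/$1"
    [ -f "$prof" ] || { echo "no such profile file: $prof" >&2; return 1; }
    "$APPARMOR_PARSER" -R "$prof" || return 1
    mkdir -p "$APPARMOR_D/disabled"
    ln -sf "$prof" "$APPARMOR_D/disabled/$1"
}

# True when a profile file has been marked disabled (symlink under disabled/).
apparmor_profile_disabled() {
    [ -L "$APPARMOR_D/disabled/$1" ]
}

# Print the lxc.aa_profile value from a container config; when the key is
# absent, print the profile LXC applies by default (lxc-container-default).
lxc_get_aa_profile() {
    val=$(sed -n -E 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-lxc-container-default}"
}

# Set lxc.aa_profile idempotently: rewrite an existing line instead of
# appending a second one, so the config carries one unambiguous value.
lxc_set_aa_profile() {
    cfg="$1"; profile="$2"
    if grep -q -E '^[[:space:]]*lxc\.aa_profile[[:space:]]*=' "$cfg"; then
        sed -i -E "s|^[[:space:]]*lxc\.aa_profile[[:space:]]*=.*|lxc.aa_profile = $profile|" "$cfg"
    else
        printf 'lxc.aa_profile = %s\n' "$profile" >> "$cfg"
    fi
}

# Uncomment the cgroup mount rule in the nesting policy (needed for libvirt
# inside a nested container) and reload the container policies.
apparmor_enable_nesting_cgroup_mount() {
    policy="$APPARMOR_D/lxc/lxc-default-with-nesting"
    [ -f "$policy" ] || { echo "no such policy file: $policy" >&2; return 1; }
    sed -i -E 's/^([[:space:]]*)#[[:space:]]*(mount fstype=cgroup -> \/sys\/fs\/cgroup\/\*\*,)/\1\2/' "$policy"
    # Assumption about Ubuntu's packaging: profiles under lxc/ are loaded via
    # this wrapper file rather than individually.
    "$APPARMOR_PARSER" -r "$APPARMOR_D/lxc-containers"
}
```

Verify the result rather than trusting the edit: `aa-status` lists the profiles currently loaded, and `cat /proc/self/attr/current` run inside a container prints the profile confining it (it reads `unconfined` after the change in entry 839).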
842.

Note that the nesting policy with privileged containers is far less safe than the default policy, as it allows containers to re-mount <filename>/sys</filename> and <filename>/proc</filename> in nonstandard locations, bypassing AppArmor protections. Unprivileged containers do not have this drawback since the container root cannot write to root-owned <filename>proc</filename> and <filename>sys</filename> files.

(no translation yet)

Located in serverguide/C/virtualization.xml:2371(para)

843.

Another profile shipped with lxc allows containers to mount block filesystem types like ext4. This can be useful in some cases like MAAS provisioning, but is deemed generally unsafe since the superblock handlers in the kernel have not been audited for safe handling of untrusted input.

(no translation yet)

Located in serverguide/C/virtualization.xml:2379(para)