
Re: [tor-dev] apparmor in lxc containers [#17754]



You can use a docker container with a custom apparmor profile.


On Dec 15, 2015, 02:40 -0800, intrigeri <intrigeri@xxxxxxxx>, wrote:
Hi,

Peter Palfrader wrote (15 Dec 2015 08:24:25 GMT) :
> https://bugs.torproject.org/17754 reports that tor no longer works in
> LXC containers.
>
> I have set up an ubuntu wily VM, and a wily LXC container in it, and I
> can confirm that with the AppArmorProfile= line in the service file, tor
> will not launch.

Given the logs I see on the ticket, it looks like systemd was not
allowed by the container to apply our AppArmor policy.
Linux namespaces support more and more stuff these days, but they
didn't go as far as supporting stacking AppArmor policies yet:

https://bugs.launchpad.net/apparmor/+bug/1379535

... not even mentioning limitations that AppArmor has with stacked
filesystems such as aufs and overlayfs, which are commonly used
for containers.

> Do you have any ideas how to properly fix this? Or what the best
> workaround would be to document?

Sadly, I don't know what we can do better at the moment than disabling
AppArmor when running in such environments, like:
https://trac.torproject.org/projects/tor/ticket/17754#comment:6

Cheers,
--
intrigeri
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
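As an added illustration of the workaround intrigeri points to (disable the AppArmor confinement of tor.service only where the container cannot apply it), here is a small POSIX shell helper. It is not from the thread, the ticket or the tor project. It assumes the standard systemd drop-in mechanism (a file under /etc/systemd/system/tor.service.d/), that an empty AppArmorProfile= assignment resets the setting as it does for other unit settings, and that a container can be recognised either by systemd-detect-virt or by the container= variable that LXC and systemd-nspawn put in PID 1's environment; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the tor-dev thread or the tor project):
# clear AppArmorProfile= for tor.service only when running inside a
# container, where systemd cannot apply the profile and the unit fails.
# On a bare host nothing is written, so the profile stays enforced there.

# in_container: exit 0 if this looks like a container.
# Prefers systemd-detect-virt; falls back to the container= variable
# in PID 1's environment (assumption: set by LXC / systemd-nspawn).
in_container() {
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        systemd-detect-virt --container --quiet
        return $?
    fi
    tr '\0' '\n' < /proc/1/environ 2>/dev/null | grep -q '^container='
}

# write_dropin [BASEDIR]: create BASEDIR/tor.service.d/override.conf
# (BASEDIR defaults to /etc/systemd/system) with an empty
# AppArmorProfile= line. Assumption: the empty assignment resets the
# setting, so the unit no longer asks the kernel to switch profiles.
# Prints the path of the file it wrote.
write_dropin() {
    dir="${1:-/etc/systemd/system}/tor.service.d"
    mkdir -p "$dir"
    printf '%s\n' \
        '[Service]' \
        '# Container cannot stack AppArmor policies; drop the profile here.' \
        'AppArmorProfile=' \
        > "$dir/override.conf"
    echo "$dir/override.conf"
}

# apply_if_container [BASEDIR]: write the drop-in and reload systemd,
# but only when in_container succeeds.
apply_if_container() {
    if in_container; then
        conf=$(write_dropin "$1")
        echo "wrote $conf; reloading systemd"
        systemctl daemon-reload
    else
        echo "not in a container; leaving AppArmorProfile= in place"
    fi
}

# Run with APPLY=1 as root to actually install the drop-in.
if [ "${APPLY:-0}" = 1 ]; then
    apply_if_container
fi
```

Running it with `APPLY=1` as root inside the affected LXC guest installs the override and reloads systemd; on a host that is not a container it prints a message and changes nothing. Keeping the change conditional matters: the drop-in removes tor's mandatory-access-control confinement, so it should exist only where the profile could not be applied anyway, and it is easy to spot later because it lives in a separate override file rather than in the packaged unit.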