[LXC] [apparmor] orangepir1 permission denied

Discussions about system security and about security testing tools and methods
Reply
jeanmarc
Posts: 33
Joined: Sun Mar 22, 2020 5:28 pm
Location: Essonne

[LXC] [apparmor] orangepir1 permission denied

Post by jeanmarc »

Hello,

After deploying an image built with the following project ...

https://github.com/Jerome-Maurin/vmdb2-wrapper

... and setting up LXC containers, I get a permission denied error when starting the container

Code: Select all

ansible@srv-orangepir1-150:~$ sudo lxc-start -n srv-ntp-150  -f /etc/lxc/auto/srv-ntp-150 --foreground
lxc-start: srv-ntp-150: conf.c: lxc_pivot_root: 1499 Permission denied - Failed to pivot_root()
lxc-start: srv-ntp-150: conf.c: lxc_setup: 3667 Failed to pivot root into rootfs
lxc-start: srv-ntp-150: start.c: do_start: 1275 Failed to setup container "srv-ntp-150"
lxc-start: srv-ntp-150: sync.c: __sync_wait: 62 An error occurred in another process (expected sequence number 5)
lxc-start: srv-ntp-150: start.c: __lxc_start: 1951 Failed to spawn container "srv-ntp-150"

The container's boot logs are as follows:

Code: Select all

lxc-start srv-ntp-150 20200510070634.446 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start srv-ntp-150 20200510070634.449 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:714 - Using terminal "/dev/tty" as proxy
lxc-start srv-ntp-150 20200510070634.449 DEBUG    terminal - terminal.c:lxc_terminal_signal_init:192 - Created signal fd 9
lxc-start srv-ntp-150 20200510070634.449 DEBUG    terminal - terminal.c:lxc_terminal_winsz:90 - Set window size to 184 columns and 24 rows
lxc-start srv-ntp-150 20200510070634.451 INFO     start - start.c:lxc_init:904 - Container "srv-ntp-150" is initialized
lxc-start srv-ntp-150 20200510070634.466 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br-admi
lxc-start srv-ntp-150 20200510070634.485 INFO     network - network.c:instantiate_veth:175 - Attached "e-ntp-adm" to bridge "br-admi"
lxc-start srv-ntp-150 20200510070634.485 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "e-ntp-adm/vethXVP2I2", index is "263"
lxc-start srv-ntp-150 20200510070634.504 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br-user
lxc-start srv-ntp-150 20200510070634.528 INFO     network - network.c:instantiate_veth:175 - Attached "e-ntp-usr" to bridge "br-user"
lxc-start srv-ntp-150 20200510070634.545 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "e-ntp-usr/veth3M5A8N", index is "265"
lxc-start srv-ntp-150 20200510070634.560 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br-ntp
lxc-start srv-ntp-150 20200510070634.583 INFO     network - network.c:instantiate_veth:175 - Attached "e-ntp-ntp" to bridge "br-ntp"
lxc-start srv-ntp-150 20200510070634.599 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "e-ntp-ntp/vethCH6GJ4", index is "267"
lxc-start srv-ntp-150 20200510070634.616 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br-serv
lxc-start srv-ntp-150 20200510070634.637 INFO     network - network.c:instantiate_veth:175 - Attached "e-ntp-srv" to bridge "br-serv"
lxc-start srv-ntp-150 20200510070634.654 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "e-ntp-srv/vethDL0CUU", index is "269"
lxc-start srv-ntp-150 20200510070634.673 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br-fact
lxc-start srv-ntp-150 20200510070634.705 INFO     network - network.c:instantiate_veth:175 - Attached "e-ntp-fact" to bridge "br-fact"
lxc-start srv-ntp-150 20200510070634.728 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "e-ntp-fact/vethXX0G0N", index is "271"
lxc-start srv-ntp-150 20200510070634.729 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:620 - "cgroup.clone_children" was already set to "1"
lxc-start srv-ntp-150 20200510070634.780 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWNS
lxc-start srv-ntp-150 20200510070634.781 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWPID
lxc-start srv-ntp-150 20200510070634.781 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUTS
lxc-start srv-ntp-150 20200510070634.781 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWIPC
lxc-start srv-ntp-150 20200510070634.781 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWNET
lxc-start srv-ntp-150 20200510070634.781 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 14
lxc-start srv-ntp-150 20200510070634.781 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 15
lxc-start srv-ntp-150 20200510070634.781 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 16
lxc-start srv-ntp-150 20200510070634.781 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 17
lxc-start srv-ntp-150 20200510070634.782 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved net namespace via fd 18
lxc-start srv-ntp-150 20200510070634.783 DEBUG    cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2232 - Set controller "memory.limit_in_bytes" set to "150M"
lxc-start srv-ntp-150 20200510070634.784 DEBUG    cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2232 - Set controller "cpuset.cpus" set to "1"
lxc-start srv-ntp-150 20200510070634.784 DEBUG    cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2232 - Set controller "cpu.shares" set to "200"
lxc-start srv-ntp-150 20200510070634.785 INFO     cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2237 - Limits for the legacy cgroup hierarchies have been setup
lxc-start srv-ntp-150 20200510070634.788 DEBUG    start - start.c:lxc_spawn:1754 - Preserved net namespace via fd 10
lxc-start srv-ntp-150 20200510070634.832 DEBUG    network - network.c:lxc_network_move_created_netdev_priv:2500 - Moved network device "vethXVP2I2"/"et-admi" to network namespace of 1923
lxc-start srv-ntp-150 20200510070634.861 DEBUG    network - network.c:lxc_network_move_created_netdev_priv:2500 - Moved network device "veth3M5A8N"/"et-user" to network namespace of 1923
lxc-start srv-ntp-150 20200510070634.881 DEBUG    network - network.c:lxc_network_move_created_netdev_priv:2500 - Moved network device "vethCH6GJ4"/"et-ntp" to network namespace of 1923
lxc-start srv-ntp-150 20200510070634.904 DEBUG    network - network.c:lxc_network_move_created_netdev_priv:2500 - Moved network device "vethDL0CUU"/"et-serv" to network namespace of 1923
lxc-start srv-ntp-150 20200510070634.981 DEBUG    network - network.c:lxc_network_move_created_netdev_priv:2500 - Moved network device "vethXX0G0N"/"et-fact" to network namespace of 1923
lxc-start srv-ntp-150 20200510070634.999 INFO     start - start.c:do_start:1254 - Unshared CLONE_NEWCGROUP
lxc-start srv-ntp-150 20200510070635.107 DEBUG    storage - storage/storage.c:storage_query:253 - Detected rootfs type "lvm"
lxc-start srv-ntp-150 20200510070635.246 DEBUG    storage_utils - storage/storage_utils.c:find_fstype_cb:412 - Trying to mount "/dev/mapper/vg_srv_ntp_150-lv_rootfs"->"/var/lib/lxc/srv-ntp-150/rootfs" with FSType "ext3"
lxc-start srv-ntp-150 20200510070635.583 DEBUG    storage_utils - storage/storage_utils.c:find_fstype_cb:420 - Invalid argument - Failed to mount
lxc-start srv-ntp-150 20200510070635.622 DEBUG    storage_utils - storage/storage_utils.c:find_fstype_cb:412 - Trying to mount "/dev/mapper/vg_srv_ntp_150-lv_rootfs"->"/var/lib/lxc/srv-ntp-150/rootfs" with FSType "ext2"
lxc-start srv-ntp-150 20200510070635.743 DEBUG    storage_utils - storage/storage_utils.c:find_fstype_cb:420 - Invalid argument - Failed to mount
lxc-start srv-ntp-150 20200510070635.745 DEBUG    storage_utils - storage/storage_utils.c:find_fstype_cb:412 - Trying to mount "/dev/mapper/vg_srv_ntp_150-lv_rootfs"->"/var/lib/lxc/srv-ntp-150/rootfs" with FSType "ext4"
lxc-start srv-ntp-150 20200510070635.119 INFO     storage_utils - storage/storage_utils.c:find_fstype_cb:428 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_rootfs" on "/var/lib/lxc/srv-ntp-150/rootfs", with FSType "ext4"
lxc-start srv-ntp-150 20200510070635.119 DEBUG    conf - conf.c:lxc_mount_rootfs:1332 - Mounted rootfs "/dev/mapper/vg_srv_ntp_150-lv_rootfs" onto "/var/lib/lxc/srv-ntp-150/rootfs" with options "defaults,noatime,nodiratime,discard,commit=600"
lxc-start srv-ntp-150 20200510070635.119 INFO     conf - conf.c:setup_utsname:791 - Set hostname to "srv-ntp-150"
lxc-start srv-ntp-150 20200510070635.168 DEBUG    network - network.c:setup_hw_addr:2767 - Mac address "02:00:00:10:02:9" on "et-admi" has been setup
lxc-start srv-ntp-150 20200510070635.252 DEBUG    network - network.c:lxc_setup_netdev_in_child_namespaces:3032 - Network device "et-admi" has been setup
lxc-start srv-ntp-150 20200510070635.292 DEBUG    network - network.c:setup_hw_addr:2767 - Mac address "02:00:00:10:02:8" on "et-user" has been setup
lxc-start srv-ntp-150 20200510070635.293 DEBUG    network - network.c:lxc_setup_netdev_in_child_namespaces:3032 - Network device "et-user" has been setup
lxc-start srv-ntp-150 20200510070635.355 DEBUG    network - network.c:setup_hw_addr:2767 - Mac address "02:00:00:10:02:7" on "et-ntp" has been setup
lxc-start srv-ntp-150 20200510070635.356 DEBUG    network - network.c:lxc_setup_netdev_in_child_namespaces:3032 - Network device "et-ntp" has been setup
lxc-start srv-ntp-150 20200510070635.425 DEBUG    network - network.c:setup_hw_addr:2767 - Mac address "02:00:00:10:02:6" on "et-serv" has been setup
lxc-start srv-ntp-150 20200510070635.451 DEBUG    network - network.c:lxc_setup_netdev_in_child_namespaces:3032 - Network device "et-serv" has been setup
lxc-start srv-ntp-150 20200510070635.484 DEBUG    network - network.c:setup_hw_addr:2767 - Mac address "02:00:00:10:02:15" on "et-fact" has been setup
lxc-start srv-ntp-150 20200510070635.499 DEBUG    network - network.c:lxc_setup_netdev_in_child_namespaces:3032 - Network device "et-fact" has been setup
lxc-start srv-ntp-150 20200510070635.499 INFO     network - network.c:lxc_setup_network_in_child_namespaces:3053 - network has been setup
lxc-start srv-ntp-150 20200510070635.499 INFO     conf - conf.c:mount_autodev:1118 - Preparing "/dev"
lxc-start srv-ntp-150 20200510070635.513 INFO     conf - conf.c:mount_autodev:1165 - Prepared "/dev"
lxc-start srv-ntp-150 20200510070635.513 INFO     conf - conf.c:lxc_fill_autodev:1209 - Populating "/dev"
lxc-start srv-ntp-150 20200510070635.514 DEBUG    conf - conf.c:lxc_fill_autodev:1224 - Created device node "/var/lib/lxc/srv-ntp-150/rootfs/dev/full"
lxc-start srv-ntp-150 20200510070635.522 DEBUG    conf - conf.c:lxc_fill_autodev:1224 - Created device node "/var/lib/lxc/srv-ntp-150/rootfs/dev/null"
lxc-start srv-ntp-150 20200510070635.522 DEBUG    conf - conf.c:lxc_fill_autodev:1224 - Created device node "/var/lib/lxc/srv-ntp-150/rootfs/dev/random"
lxc-start srv-ntp-150 20200510070635.522 DEBUG    conf - conf.c:lxc_fill_autodev:1224 - Created device node "/var/lib/lxc/srv-ntp-150/rootfs/dev/tty"
lxc-start srv-ntp-150 20200510070635.523 DEBUG    conf - conf.c:lxc_fill_autodev:1224 - Created device node "/var/lib/lxc/srv-ntp-150/rootfs/dev/urandom"
lxc-start srv-ntp-150 20200510070635.523 DEBUG    conf - conf.c:lxc_fill_autodev:1224 - Created device node "/var/lib/lxc/srv-ntp-150/rootfs/dev/zero"
lxc-start srv-ntp-150 20200510070635.523 INFO     conf - conf.c:lxc_fill_autodev:1286 - Populated "/dev"
lxc-start srv-ntp-150 20200510070635.524 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "proc" on "/var/lib/lxc/srv-ntp-150/rootfs//proc" with filesystem type "proc"
lxc-start srv-ntp-150 20200510070635.533 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "devpts" on "/var/lib/lxc/srv-ntp-150/rootfs//dev/pts" with filesystem type "devpts"
lxc-start srv-ntp-150 20200510070635.536 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "sysfs" on "/var/lib/lxc/srv-ntp-150/rootfs//sys" with filesystem type "sysfs"
lxc-start srv-ntp-150 20200510070635.582 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_usr" on "/var/lib/lxc/srv-ntp-150/rootfs//usr" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.626 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_var" on "/var/lib/lxc/srv-ntp-150/rootfs//var" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.671 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_tmp" on "/var/lib/lxc/srv-ntp-150/rootfs//tmp" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.723 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_home" on "/var/lib/lxc/srv-ntp-150/rootfs//home" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.770 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_var_log" on "/var/lib/lxc/srv-ntp-150/rootfs//var/log" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.823 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_var_lib" on "/var/lib/lxc/srv-ntp-150/rootfs//var/lib" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.875 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_var_cache" on "/var/lib/lxc/srv-ntp-150/rootfs//var/cache" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.907 DEBUG    conf - conf.c:mount_entry:2102 - Mounted "/dev/mapper/vg_srv_ntp_150-lv_var_lib_apt" on "/var/lib/lxc/srv-ntp-150/rootfs//var/lib/apt" with filesystem type "ext4"
lxc-start srv-ntp-150 20200510070635.907 INFO     conf - conf.c:mount_file_entries:2333 - Finished setting up mounts
lxc-start srv-ntp-150 20200510070635.908 DEBUG    conf - conf.c:lxc_setup_dev_console:1771 - Mounted pts device "/dev/pts/0" onto "/var/lib/lxc/srv-ntp-150/rootfs/dev/console"
lxc-start srv-ntp-150 20200510070635.916 INFO     utils - utils.c:lxc_mount_proc_if_needed:1231 - I am 1, /proc/self points to "1"
lxc-start srv-ntp-150 20200510070635.938 ERROR    conf - conf.c:lxc_pivot_root:1499 - Permission denied - Failed to pivot_root()
lxc-start srv-ntp-150 20200510070635.939 ERROR    conf - conf.c:lxc_setup:3667 - Failed to pivot root into rootfs
lxc-start srv-ntp-150 20200510070635.939 ERROR    start - start.c:do_start:1275 - Failed to setup container "srv-ntp-150"
lxc-start srv-ntp-150 20200510070635.941 ERROR    sync - sync.c:__sync_wait:62 - An error occurred in another process (expected sequence number 5)
lxc-start srv-ntp-150 20200510070635.948 WARN     network - network.c:lxc_delete_network_priv:2589 - Operation not permitted - Failed to remove interface "et-admi" with index 263
lxc-start srv-ntp-150 20200510070635.948 WARN     network - network.c:lxc_delete_network_priv:2589 - Operation not permitted - Failed to remove interface "et-user" with index 265
lxc-start srv-ntp-150 20200510070635.949 WARN     network - network.c:lxc_delete_network_priv:2589 - Operation not permitted - Failed to remove interface "et-ntp" with index 267
lxc-start srv-ntp-150 20200510070635.949 WARN     network - network.c:lxc_delete_network_priv:2589 - Operation not permitted - Failed to remove interface "et-serv" with index 269
lxc-start srv-ntp-150 20200510070635.949 WARN     network - network.c:lxc_delete_network_priv:2589 - Operation not permitted - Failed to remove interface "et-fact" with index 271
lxc-start srv-ntp-150 20200510070635.949 DEBUG    network - network.c:lxc_delete_network:3180 - Deleted network devices
lxc-start srv-ntp-150 20200510070635.950 ERROR    start - start.c:__lxc_start:1951 - Failed to spawn container "srv-ntp-150"

Actually, since Debian Buster, AppArmor is enabled by default in this distribution.

On the orangepir1, the kernel boot parameters are as follows:

Code: Select all

ansible@srv-orangepir1-150:~$ cat /proc/cmdline 
console=ttyS0,115200 root=UUID=445c9e51-bc26-47ba-9dc0-81f8c85ea11e net.ifnames=0
ansible@srv-orangepir1-150:~$ 

The container's configuration file is as follows:

Code: Select all

# File ................. : /etc/lxc/auto/srv-ntp-150

# Please don't change this local file; update the git ansible repository
# instead

# This code  is valid for either  LXC 2.x (for Debian  9.x) or LXC 3.x
# (for Debian 10.x)

# Please look at the following pages for recent information on the Debian
# Stretch and Buster releases

# https://linuxcontainers.org/fr/lxc/news/
# https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487


# section 1: global parameters:
###############################

# Specify the hardware architecture for the container

lxc.arch                                = armv7l

# Container name, please use same name as DNS name 

lxc.uts.name                            = srv-ntp-150

# This container starts on boot, in the order defined below

lxc.start.auto                          = 1


# define start order (lower number starts first)

lxc.start.order                         = 10

# Define the delay (in seconds) before launching the next container

lxc.start.delay                         = 0

# Define the group name used to start/stop this container together with
# others (lxc-autostart -g)

lxc.group                               = grp_lxc_start_on_boot

# lxc.init.cmd: Absolute  path from container rootfs  to the binary to
# use as   init. This  mostly  makes sense  for lxc-start.  Default is
# /sbin/init (old value is lxc.init_cmd)

# not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2, please
# use lxc.init_cmd

lxc.init.cmd                            = /sbin/init

# lxc.idmap : A  container can be started in  a private user namespace
# with user and group id mappings. For instance,  you can map userid 0
# in the container to userid 200000 on the host.  The root user in the
# container will be privileged  in the container, but unprivileged  on
# the host. Normally a  system container will want a  range of ids, so
# you would map, for instance, user and  group ids 0 through 20,000 in
# the container  to the ids 200,000  through 220,000. Four values must
# be   provided. First  a character,  either  'u',  or 'g', to specify
# whether user or group ids are being mapped. Next is the first userid
# as seen  in the user namespace of  the container. Next is the userid
# as seen on   the host. Finally, a   range indicating  the  number of
# consecutive ids to map.

#(not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2)

#lxc.idmap                               = u 0 200000 65536
#lxc.idmap                               = g 0 200000 65536

lxc.init.uid                            = 0

lxc.init.gid                            = 0

# lxc.ephemeral: Allows one  to specify  whether  a container  will be
# destroyed on shutdown. The only allowed values are 0 and 1. Set this
# to 1 to destroy a container on shutdown.

lxc.ephemeral                            = 0

# lxc.init.cwd:  Absolute path  inside the  container   to use as  the
# working directory.

# (not available on Debian Stretch 9.5 with LXC 1:2.0.7-2+deb9u2)
#lxc.init.cwd                            = /var/lib/lxc/srv-ntp-150/rootfs/init_cwd

# section 2: log & syslog & ring buffer & tty:
##############################################

# lxc.console.buffer.size: size in bytes of the in-memory ring buffer (should
# be a power of 2) that keeps the container's console output
 
lxc.console.buffer.size                 = 102400

# lxc.console.size: size limit in bytes of the console log file, distinct
# from the in-memory ring buffer set by lxc.console.buffer.size

lxc.console.size                        = 102400

# lxc.log.level:  The  level at  which to  log.  The log  level is  an
# integer in  the range of 0..8 inclusive,  where a lower number means
# more verbose  debugging.  In particular 0 =  trace,  1 = debug, 2  =
# info, 3 = notice, 4 = warn, 5 = error, 6 =  critical, 7 = alert, and
# 8 = fatal. If unspecified, the level  defaults to 5 (error), so that
# only errors and above are logged.

# following parameters are ok with lxc 1:2.0.0-3~bpo8+1 (jessie-backports)
# (debian bugreport #827156)

lxc.log.level                           = DEBUG

# lxc.log.file: The file to which logging info should be written.

lxc.log.file                            = /var/log/lxc/srv-ntp-150.log

# lxc.log.syslog: Send  logging info  to  syslog. It respects the  log
# level  defined in lxc.log.level.  The  argument should be the syslog
# facility to  use,  valid ones are:  daemon,  local0, local1, local2,
# local3, local4, local5, local5, local6, local7.

# lxc.log.syslog not used here because a file is preferred, as defined by
# the lxc.log.file variable

# lxc.tty.max: CONSOLE THROUGH THE TTYS: This  option is useful if the
# container is configured with a  root filesystem and the inittab file
# is setup  to launch a getty  on the ttys.  The option  specifies the
# number  of ttys to be  available  for the  container. The number  of
# gettys in  the inittab file  of the container  should not be greater
# than the number  of  ttys specified  in  this option,  otherwise the
# excess    getty sessions will   die  and respawn indefinitely giving
# annoying messages on the console or in /var/log/messages.

# not available  on Debian Stretch  9.5 with  LXC 1:2.0.7-2+deb9u2, use
# lxc.tty

lxc.tty.max                             = 4

# lxc.pty.max : If   set, the container will have   a  new pseudo  tty
# instance, making this private to it. The value specifies the maximum
# number of pseudo ttys allowed for a pts instance (this limitation is
# not implemented yet).

# On debian 9.7, old value = lxc.pts
lxc.pty.max                             = 10

# section 3: Posix signals parameters:
######################################

# lxc.signal.halt: Allows one to specify signal name or number sent to
# the  container's init process  to   cleanly shutdown the  container.
# Different init systems could use  different signals to perform clean
# shutdown sequence. This option allows the  signal to be specified in
# kill(1) fashion, e.g.  SIGPWR,   SIGRTMIN+14, SIGRTMAX-10 or   plain
# number. The default signal is SIGPWR.

# not  available on Debian  Stretch  9.5 with LXC 1:2.0.7-2+deb9u2, use
# lxc.haltsignal

lxc.signal.halt                         = SIGPWR

# lxc.signal.reboot: Allows one  to  specify signal name or  number to
# reboot  the container. This option allows  signal to be specified in
# kill(1) fashion, e.g.  SIGTERM,  SIGRTMIN+14, SIGRTMAX-10   or plain
# number. The default signal is SIGINT

lxc.signal.reboot                        = SIGINT

# lxc.signal.stop: Allows   one to specify signal   name or  number to
# forcibly shutdown the container.  This  option allows signal to   be
# specified in kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10
# or plain number. The default signal is SIGKILL

lxc.signal.stop                          = SIGKILL

# section 4: Cgroup, CPU & Memory:
##################################

# Warning, order declaration is important : 
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/sec-memory.html
# lxc.cgroup.memory.limit_in_bytes: maximum amount of memory used by the container

lxc.cgroup.memory.limit_in_bytes         = 150M 

# lxc.cgroup.memory.memsw.limit_in_bytes: maximum amount of (memory + swap)
# used by the container. Warning: to use this option the kernel command line
# must enable swap accounting (swapaccount=1), otherwise LXC logs:

## WARN     cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "memory.memsw.limit_in_bytes" to "200M"
## lxc.cgroup.memory.memsw.limit_in_bytes  = 400M

# lxc.kmsg: disable  message from kernel into  the container.  
  
# Please note this option  is no longer valid  on modern LXC (V3.x), as
# defined   in    https://linuxcontainers.org/fr/lxc/news/  (Table  of
# changed configuration keys)

# lxc.cgroup.cpuset.cpus: define how    many CPUs  are used on    this
# container

lxc.cgroup.cpuset.cpus                  = 1

# lxc.cgroup.cpu.shares: relative CPU weight of this container against the
# others sharing the same CPU list

lxc.cgroup.cpu.shares                   = 200

# total number of  tty , remember, must  be >= to total number defined
# in /etc/inittab

# section 5: char and block devices:
####################################
lxc.cgroup.devices.deny                 = a

# lxc.autodev: if 1, then LXC will mount a fresh tmpfs under /dev

lxc.autodev                             = 1

# lxc.cgroup.devices.allow : device /dev/null on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 1:3 rwm

# lxc.cgroup.devices.allow : device /dev/zero on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 1:5 rwm

# lxc.cgroup.devices.allow : device /dev/random on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 1:8 rwm

# lxc.cgroup.devices.allow : device /dev/urandom on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 1:9 rwm

# lxc.cgroup.devices.allow : device /dev/console on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 5:1 rwm

# lxc.cgroup.devices.allow : device /dev/ptmx on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 5:2 rwm

# lxc.cgroup.devices.allow : device /dev/pts/[0-9] on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 136:0 rwm
lxc.cgroup.devices.allow                = c 136:1 rwm
lxc.cgroup.devices.allow                = c 136:2 rwm
lxc.cgroup.devices.allow                = c 136:3 rwm
lxc.cgroup.devices.allow                = c 136:4 rwm
lxc.cgroup.devices.allow                = c 136:5 rwm
lxc.cgroup.devices.allow                = c 136:6 rwm
lxc.cgroup.devices.allow                = c 136:7 rwm
lxc.cgroup.devices.allow                = c 136:8 rwm
lxc.cgroup.devices.allow                = c 136:9 rwm

# lxc.cgroup.devices.allow : device /dev/tty on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 5:0 rwm

# lxc.cgroup.devices.allow : device /dev/ttyS[0-1] on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 4:64 rwm
lxc.cgroup.devices.allow                = c 4:65 rwm

# lxc.cgroup.devices.allow : device /dev/tty[0-6] on target srv-orangepir1-150
lxc.cgroup.devices.allow                = c 4:0 rwm
lxc.cgroup.devices.allow                = c 4:1 rwm
lxc.cgroup.devices.allow                = c 4:2 rwm
lxc.cgroup.devices.allow                = c 4:3 rwm
lxc.cgroup.devices.allow                = c 4:4 rwm
lxc.cgroup.devices.allow                = c 4:5 rwm
lxc.cgroup.devices.allow                = c 4:6 rwm

# section 6: mount point and File Systems (Warning, order is mandatory !)
#########################################################################
# lxc.rootfs: step 1: define the mount point used before the pivot_root(2) syscall
lxc.rootfs.mount                        = /var/lib/lxc/srv-ntp-150/rootfs
lxc.rootfs.path                         = /dev/mapper/vg_srv_ntp_150-lv_rootfs
lxc.rootfs.options                      = defaults,noatime,nodiratime,discard,commit=600
# lxc.rootfs.managed in LXC   1:3.1.0+really3.0.3-8 on Debian   Buster
# 10.2 not supported but defined in man (!)
# lxc-start:   srv-ntp-170: parse.c: lxc_file_for_each_line_mmap:  142
# Failed   to parse  config file "/var/lib/lxc/srv-ntp-170/config"  at
# line "lxc.rootfs.managed = 0"
# lxc.rootfs.managed                      = 0

# lxc.mount.entry: step 3: this mount point is used for /proc
lxc.mount.entry                         = proc   /var/lib/lxc/srv-ntp-150/rootfs/proc    proc   nodev,noexec,nosuid  0  0
# lxc.mount.entry: step 4: this mount point is used for  pseudo devices /devpts
lxc.mount.entry                         = devpts /var/lib/lxc/srv-ntp-150/rootfs/dev/pts devpts defaults  0  0
# lxc.mount.entry:step 5:  this mount point is used for  pseudo devices /sys
lxc.mount.entry                         = sysfs  /var/lib/lxc/srv-ntp-150/rootfs/sys     sysfs  defaults  0  0
# lxc.mount.entry: step 6: this mount point is used for rootfs mount point on target srv-ntp-150
# lxc.mount.entry: step 6: this mount point is used for /usr mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_usr  /var/lib/lxc/srv-ntp-150/rootfs/usr ext4  defaults,noatime,nodiratime,discard,commit=600
# lxc.mount.entry: step 6: this mount point is used for /var mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_var  /var/lib/lxc/srv-ntp-150/rootfs/var ext4  defaults,noatime,nodiratime,discard,commit=600
# lxc.mount.entry: step 6: this mount point is used for /tmp mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_tmp  /var/lib/lxc/srv-ntp-150/rootfs/tmp ext4  defaults,noatime,nodiratime,discard,commit=600
# lxc.mount.entry: step 6: this mount point is used for /home mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_home  /var/lib/lxc/srv-ntp-150/rootfs/home ext4  defaults,noatime,nodiratime,discard,commit=600
# lxc.mount.entry: step 6: this mount point is used for /var/log mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_var_log  /var/lib/lxc/srv-ntp-150/rootfs/var/log ext4  defaults,noatime,nodiratime,discard,commit=600
# lxc.mount.entry: step 6: this mount point is used for /var/lib mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_var_lib  /var/lib/lxc/srv-ntp-150/rootfs/var/lib ext4  defaults,noatime,nodiratime,discard,commit=600
# lxc.mount.entry: step 6: this mount point is used for /var/cache mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_var_cache  /var/lib/lxc/srv-ntp-150/rootfs/var/cache ext4  defaults,noatime,nodiratime,discard,commit=600
# lxc.mount.entry: step 6: this mount point is used for /var/lib/apt mount point on target srv-ntp-150
lxc.mount.entry                         = /dev/mapper/vg_srv_ntp_150-lv_var_lib_apt  /var/lib/lxc/srv-ntp-150/rootfs/var/lib/apt ext4  defaults,noatime,nodiratime,discard,commit=600


# section 7: Posix Capabilities
###############################


# section 8: network interfaces:
################################

# Interface 1/5 : network interface used on network net-admi for target srv-ntp-150
lxc.net.0.type                = veth
lxc.net.0.flags               = up
lxc.net.0.link                = br-admi
lxc.net.0.name                = et-admi
lxc.net.0.hwaddr              = 02:00:00:10:02:9
lxc.net.0.veth.pair           = e-ntp-adm

# Interface 2/5 : network interface used on network net-user for target srv-ntp-150
lxc.net.1.type                = veth
lxc.net.1.flags               = up
lxc.net.1.link                = br-user
lxc.net.1.name                = et-user
lxc.net.1.hwaddr              = 02:00:00:10:02:8
lxc.net.1.veth.pair           = e-ntp-usr

# Interface 3/5 : network interface used on network net-ntp for target srv-ntp-150
lxc.net.2.type                = veth
lxc.net.2.flags               = up
lxc.net.2.link                = br-ntp
lxc.net.2.name                = et-ntp
lxc.net.2.hwaddr              = 02:00:00:10:02:7
lxc.net.2.veth.pair           = e-ntp-ntp

# Interface 4/5 : network interface used on network net-srv for target srv-ntp-150
lxc.net.3.type                = veth
lxc.net.3.flags               = up
lxc.net.3.link                = br-serv
lxc.net.3.name                = et-serv
lxc.net.3.hwaddr              = 02:00:00:10:02:6
lxc.net.3.veth.pair           = e-ntp-srv

# Interface 5/5 : network interface used on network net-fact for target srv-ntp-150
lxc.net.4.type                = veth
lxc.net.4.flags               = up
lxc.net.4.link                = br-fact
lxc.net.4.name                = et-fact
lxc.net.4.hwaddr              = 02:00:00:10:02:15
lxc.net.4.veth.pair           = e-ntp-fact

# section 9: Apparmor support:
##############################
# please look at : https://github.com/lxc/lxc/issues/1895

# APPARMOR PROFILE.   If lxc was compiled  and installed with apparmor
# support, and the host system has apparmor enabled, then the apparmor
# profile under which the container should be run  can be specified in
# the        container   configuration.        The        default   is
# lxc-container-default-cgns if the host   kernel is cgroup  namespace
# aware, or  lxc-container-default otherwise.   Apparmor profiles  are
# pathname   based.  Therefore many   file restrictions  require mount
# restrictions  to   be effective   against  a  determined   attacker.
# However, these  mount  restrictions are not  yet  implemented in the
# upstream  kernel.   Without   the mount  restrictions,  the apparmor
# profiles still protect against accidental damage.

# On Debian kernel 4.13.0-0.bpo.1-amd64, set the apparmor flags, otherwise
# the container cannot start and fails with the following error:


# lxc.apparmor.allow_incomplete: If this flag is 0 (default), then the
# container will not be started if the kernel lacks the apparmor mount
# features,  so   that a regression  after  a  kernel  upgrade will be
# detected.  To start the container under partial apparmor protection,
# set this flag to 1.

# not available  on Debian Stretch  9.5 with  LXC 1:2.0.7-2+deb9u2, use
# lxc.aa_allow_incomplete

lxc.apparmor.allow_incomplete      = 1

# On the Debian armhf kernel of srv-hc1-110 (4.18.0-0.bpo.3-armmp-lpae #1 SMP
# Debian 4.18.20-2~bpo9+1) the container cannot start unless the following
# line is set: https://github.com/lxc/lxc/issues/1895

# lxc.apparmor.profile: Specify the apparmor profile under which the
# container should be run. To specify that the container should be
# unconfined, use the "unconfined" keyword. If the apparmor profile
# should remain unchanged (i.e. if you are nesting containers and are
# already confined), then use the "unchanged" keyword

lxc.apparmor.profile               = unconfined

# section 10: Seccomp support:
##############################

Clearly, the unconfined option set at the end of the file is not enough to start the container.
Beyond forcing the kernel at boot with the apparmor=0 option on the command line, it should probably be possible to fix this behaviour more cleanly.
The goal, of course, is to keep the AppArmor security layer in the kernel and to harden and apply AppArmor to the container itself.
Regards

Reply
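The post ends with the open question of where the pivot_root() refusal actually comes from once AppArmor is left on. The script below is an added example for this thread, not code from the original post, from LXC or from Debian: it collects, in one place, the host-side facts that decide whether AppArmor can refuse pivot_root() at all (module enabled, the kernel's mount/pivot_root feature set, `apparmor=0` on the command line, whether Debian's `/usr/bin/lxc-start` profile is loaded and in which mode) and pulls any audited `operation="pivotroot"` denial out of a kernel log, since the `profile=` field of that line names the policy that said no. The sysfs paths are the ones the AppArmor module exposes; that LXC 3.x tests `features/mount/mask` before honouring `lxc.apparmor.allow_incomplete` is my reading of the LXC sources and should be checked against the installed version. Every check takes a root prefix, and `make_sample_root` builds a constructed `/proc` + `/sys` tree and a constructed denial line (sample data, not a capture from the poster's board) so the whole thing runs without root or AppArmor.

```shell
#!/bin/sh
# lxc-aa-diag.sh: gather the AppArmor facts that decide whether pivot_root()
# can be refused for an LXC container on this host. Added example for this
# thread; not code from the original post, from LXC or from Debian.
# Every check takes a root prefix so it runs against a constructed tree
# (make_sample_root) as well as against "/" on the real host.

AA_ENABLED=sys/module/apparmor/parameters/enabled
# The file LXC 3.x looks for before honouring lxc.apparmor.allow_incomplete
# (assumption from reading the LXC sources; verify against your version)
AA_MOUNT_MASK=sys/kernel/security/apparmor/features/mount/mask
AA_PROFILES=sys/kernel/security/apparmor/profiles   # root-only on a real host

# aa_enabled ROOT -> yes | no | absent (module not built or securityfs missing)
aa_enabled() {
    f="$1/$AA_ENABLED"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        Y) echo yes ;;
        *) echo no ;;
    esac
}

# aa_mount_mediation ROOT -> yes when the kernel exposes the mount feature set,
# i.e. mount/umount/pivot_root rules in profiles are actually enforced.
aa_mount_mediation() {
    if [ -r "$1/$AA_MOUNT_MASK" ]; then echo yes; else echo no; fi
}

# aa_cmdline_policy ROOT -> disabled when apparmor=0 is on the kernel command
# line (the last-resort fix the post mentions), else default.
aa_cmdline_policy() {
    c="$1/proc/cmdline"
    [ -r "$c" ] || { echo unknown; return 0; }
    for tok in $(cat "$c"); do
        case "$tok" in apparmor=0) echo disabled; return 0 ;; esac
    done
    echo default
}

# aa_profile_mode ROOT NAME -> enforce | complain | unloaded | unreadable
aa_profile_mode() {
    p="$1/$AA_PROFILES"
    [ -r "$p" ] || { echo unreadable; return 0; }
    mode=$(grep -F "$2 (" "$p" | head -n 1 | sed 's/.*(\(.*\))$/\1/')
    if [ -n "$mode" ]; then echo "$mode"; else echo unloaded; fi
}

# aa_denials LOGFILE -> "<profile> <path>" per audited pivot_root denial in a
# kernel log (dmesg, journalctl -k, kern.log). Explicit "deny" rules are quiet
# unless marked "audit", so an empty result does not clear AppArmor.
aa_denials() {
    [ -r "$1" ] || return 0
    grep 'apparmor="DENIED"' "$1" | grep 'operation="pivotroot"' \
        | sed -n 's/.*profile="\([^"]*\)".* name="\([^"]*\)".*/\1 \2/p'
}

# diagnose ROOT LOGFILE -> prints the report; returns 1 when mount mediation
# is active and at least one pivotroot denial was logged, 0 otherwise.
diagnose() {
    root="${1%/}"; log="$2"
    en=$(aa_enabled "$root");        mm=$(aa_mount_mediation "$root")
    cl=$(aa_cmdline_policy "$root"); st=$(aa_profile_mode "$root" /usr/bin/lxc-start)
    den=$(aa_denials "$log")
    printf 'apparmor enabled ............ %s\n' "$en"
    printf 'mount/pivot_root mediation .. %s\n' "$mm"
    printf 'kernel cmdline .............. %s\n' "$cl"
    printf '/usr/bin/lxc-start profile .. %s\n' "$st"
    printf 'pivotroot denials ........... %s\n' "${den:-none}"
    if [ "$en" = yes ] && [ "$mm" = yes ] && [ -n "$den" ]; then
        echo "verdict: pivot_root() was refused by the profile named in the denial;"
        echo "         inspect that profile, not the container's lxc.apparmor.profile key"
        return 1
    fi
    echo "verdict: no audited AppArmor pivotroot denial in $log"
    return 0
}

# make_sample_root DIR: constructed /proc+/sys tree and kernel log shaped like
# the host in the post (AppArmor on, Debian's lxc-start profile loaded). The
# denial line is sample data showing the audit format, not a capture.
make_sample_root() {
    d="$1"
    mkdir -p "$d/proc" "$d/sys/module/apparmor/parameters" \
             "$d/sys/kernel/security/apparmor/features/mount"
    echo Y > "$d/$AA_ENABLED"
    echo 'mount umount pivot_root' > "$d/$AA_MOUNT_MASK"
    echo 'console=ttyS0,115200 root=UUID=445c9e51-bc26-47ba-9dc0-81f8c85ea11e net.ifnames=0' > "$d/proc/cmdline"
    printf '%s\n' '/usr/bin/lxc-start (enforce)' 'lxc-container-default-cgns (enforce)' > "$d/$AA_PROFILES"
    echo 'May 10 09:06:35 srv-orangepir1-150 kernel: audit: type=1400 audit(1589094395.938:42): apparmor="DENIED" operation="pivotroot" profile="/usr/bin/lxc-start" name="/var/lib/lxc/srv-ntp-150/rootfs/" pid=1923 comm="lxc-start" srcname="/var/lib/lxc/srv-ntp-150/rootfs/"' > "$d/kern.log"
}

case "${1:-}" in
    --host) diagnose / "${2:-/var/log/kern.log}" ;;   # on the real board, run as root
    --demo) d=$(mktemp -d); make_sample_root "$d"; diagnose "$d" "$d/kern.log"; rm -rf "$d" ;;
esac
```

Run `sh lxc-aa-diag.sh --demo` to see the report on the constructed tree, and `sudo sh lxc-aa-diag.sh --host /var/log/kern.log` (or first `dmesg > /tmp/k.log` and pass that) on the board after a failed `lxc-start`. The reason the script reports on `/usr/bin/lxc-start`'s own profile rather than on the container's `lxc.apparmor.profile` key is that, as I read the LXC 3.x start sequence, the rootfs mounts and pivot_root() happen in lxc-start's setup phase and the container label is only applied on exec of the container's init afterwards; so `unconfined` in the container config cannot change which policy governs the pivot_root() call, and only the `profile=` field of an actual denial line tells you which one did.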